FINAL

Internal Audit
Report

Data Centre
Operations and
Security
Document Details:
Reference: Report nos from monitoring spreadsheet/2013.14
Senior Manager, Internal Audit & Assurance: ext. 6567
Engagement Manager:
Auditor:

Date: 17 September 2014

This report is not for reproduction publication or disclosure by any means to unauthorised persons.

Page 1
 Internal Audit Report – Data Centre Operations and Security

1. EXECUTIVE SUMMARY
1.1 INTRODUCTION

As part of the 2014/15 Internal Audit Plan an audit of the ‘Data centre operations and
security’ was carried out.

The objective of this review is to evaluate the security of the data centre, in particular
the following areas:
 data centre policies and procedures are defined, documented, and
communicated for all key functions;
 Council systems are secured to prevent unauthorised access (including 3rd
party access);
 access to the data centre is monitored and reviewed, and access rights are
periodically reviewed;
 data is backed up from servers held at the civic data centre;
 data transferred off site is secured at all times and appropriate controls are in
place to monitor the location of the data;
 environmental controls are present to protect the servers from fire, electrical and
water damage;
 capacity for the data centre is adequate for the server rooms equipment and
storage needs;
 environmental equipment is routinely maintained in line with manufacturer
recommended schedules; and
 backup electricity supplies are in place to ensure systems and services are not
affected in the event of a power outage.

1.2 OVERALL OPINION

The overall opinion of this review is ‘significant assurance’.

There are some areas that are appropriately managed and in line with acceptable good
practice, including:
 A computer room policy has been developed and is reviewed on an annual
basis;
 Backup schedules are in place and failed backups are monitored and actioned
by ICT staff;
 An offsite location is used for storage of backup tapes; and
 Storage capacity for the data centre is considered adequate based on the plans
of ICT.

However, we also identified a number of areas that require improvement, and have
thus led to the ‘limited assurance’ rating:

 Failure to test restores of critical applications regularly;

 Lack of documented back up policy and procedures;
 Excessive computer room access;
 A lack of regular review of the computer room access;

Page 2
 Internal Audit Report – Data Centre Operations and Security

 Lack of formalised computer room training as required by the computer room

policy;
 Lack of a visitors register in the computer room, as required by the computer
room policy;
 Lack of a fire suppression system; and
 The backup process is inefficient due to the increase of data over the last five
years.

Recommendations 7 and 8 are included for completeness. Management have agreed a

response to these recommendations in the Disaster Recovery audit report. These
recommendations have not influence the overall opinion.

Overall Audit Opinion

Full assurance Full assurance that the system of internal control meets
the organisation’s objectives and controls are
consistently applied.

 Significant Significant assurance that there is a generally sound

assurance system of control designed to meet the organisation’s
objectives. However, some weaknesses in the design or
inconsistent application of controls put the achievement
of some objectives at some risk.

Limited Limited assurance as weaknesses in the design or

assurance inconsistent application of controls put the achievement
of the organisation’s objectives at risk in some of the
areas reviewed.

No assurance No assurance can be given on the system of internal

control as weaknesses in the design and/or operation of
key control could result or have resulted in failure(s) to
achieve the organisation’s objectives in the area(s)
reviewed.

Page 3
 Internal Audit Report – Data Centre Operations and Security

2. SUMMARY OF CONCLUSIONS
2.1 The conclusion for each control objective evaluated as part of this audit was as follows:

Control Objective Assurance

Full Significant Limited None

CO1: data centre policies and procedures are  

defined, documented, and communicated for all key
functions;
CO2: Council systems are secured to prevent 
unauthorised access (including 3rd party access);
CO3: access to the data centre is monitored and 
reviewed, and access rights are periodically
reviewed;
CO4: data is backed up from servers held at the 
data centre;
CO5: data transferred off site is secured at all times 
and appropriate controls are in place to monitor the
location of the data;
CO6: environmental controls are present to protect 
the servers from fire, electrical and water damage;
CO7: capacity for the data centre is adequate for 
the server rooms equipment and storage needs
CO8: environmental equipment is routinely 
maintained in line with manufacturer recommended
schedules
CO9: backup electricity supplies are in place to 
ensure systems and services are not affected in the
event of a power outage

2.2 The recommendations arising from the review are ranked according to their level of
priority as detailed at the end of the report within the detailed audit findings.
Recommendations are also colour coded according to their level of priority with the
highest priorities highlighted in red, medium priorities in amber and lower priorities in
green. In addition, the detailed audit findings include columns for the management
response, the responsible officer and the time scale for implementation of all agreed
recommendations.

2.3 Where high recommendations are made within this report it would be expected that
they should be implemented within three months from the date of the report to ensure
that the major areas of risk have either been resolved or that mitigating controls have
been put in place and that medium and low recommendations will be implemented
within six and nine months respectively.

Page 4
 Internal Audit Report – Data Centre Operations and Security

3. LIMITATIONS REGARDING THE SCOPE OF THE AUDIT

The scope of our work will be limited to those areas outlined above.

4. ACKNOWLEDGEMENTS
Audit would like to thank all involved for their assistance during this review.

Page 5

5. DETAILED AUDIT FINDINGS
Ref. Priority Findings
CO1: Policies and Procedures
1 Low Lack of Backup Policy and
Procedures
On inspection of the Computer
room policy, it was noted that
the document does not contain
any details on the backup
policy and procedure.
We accept that the off-site
backup storage arrangements
are detailed in the IT Disaster
Recovery document.
CO2: Access to the data centre
2 High Excessive access to
Computer Room
On inspection of the access list
dated 14 August 2014, we
noted that there are a total of
65 access cards that provide
staff access to the County Hall
computer room.
Examples of these include the
following:
 20 temporary passes
held by Reception;
 Senior Internal Auditor;
Internal Audit Report – Data Centre Operations and Security
Risk Arising/ Recommendation Management Response Responsibility Recommendation
Consequence and Timescale Implemented
(Officer & Date)
In the absence of a We recommend that the The Computer Room Policy Service
documented backup Computer Room policy is and description of the data Operations
policy and procedure, expanded to include the back-up and restore service Manager,
there is an increased backup cycle, backup transit are given in two separate End November
risk that backups are and storage arrangements. documents. These can be 2014.
not performed in line combined, giving the back-up
with ICT’s and restore weight by placing
requirements. This it into policy.
may result in the loss
of data, interruption of
ICT services and
operational difficulties.
Unauthorised/inappro The access to all computer The current security group Technical
priate physical access rooms should be restricted used within the Door Access Services
to the computer room to and other who require Control System (Net2) to manager, end
may result in access to perform their cover the computer rooms is November
accidental or responsibilities. also shared with other duty 2014.
malicious damage to staff requiring access 'all
ICT equipment hours, all doors'.
resulting in loss of The access list should be
data, interruption of reviewed by management This is inappropriate, as
ICT services and on a regular basis to ensure some staff will require open
operational difficulties. that the access granted is access to most areas, but
valid. Proof of the review not the computer areas.
should be maintained.
S&CA have already arranged
with Facilities to create a

Ref. Priority Findings
 Audit assistant
 Two members of the
applications team;
 One staff member from
Adult Services &
Health;
 One staff member from
Children’s Services;
 Six temporary
contractors; and
 One leaver who has
not yet been removed.
We accept that part of the
issues arises due to Reception
issuing an ‘all hours all doors’
pass, that is out of the control
of ICT.
3 Medium Computer Room Access
Logging
The computer room policy
states that ‘access to the
central computer rooms must
be logged. For regular staff
this can be via the automated
Access Control System, for
other staff, this must be via an
electronic or manual booking
system administered centrally.
The 'booking system' should
Internal Audit Report – Data Centre Operations and Security
Risk Arising/ Recommendation
Consequence
Unauthorised/inappro Where non authorised staff
priate physical access require access to the
to the computer room computer room, they should
may result in be accompanied by a
accidental or member of the ICT team
malicious damage to and their access logged
ICT equipment (utilising an access log
resulting in loss of form).
data, interruption of
ICT services and The log should be reviewed
operational difficulties. by Management on a
regular basis (monthly), to
identify any unauthorised
access.
Management Response Responsibility Recommendation
and Timescale Implemented
(Officer & Date)
dedicated access group for
Computer rooms. This will
be used for appropriate staff
who require access to the
computer rooms only.
Access to the computer
rooms will be removed from
the 'all hours, all doors'
group.
Agreed, S&CA will create a Technical
manual logging process that Services
can be used to record manager, end
access for individuals that do November
not have access right to the 2014.
computer room within their
own responsibility.
Will record
 Date/time
 Who requires access
Reason for access
 Internal Audit Report – Data Centre Operations and Security

Ref. Priority Findings Risk Arising/ Recommendation Management Response Responsibility Recommendation
Consequence and Timescale Implemented
(Officer & Date)
show name of the person
accessing the computer room,
data and time from and until,
reason for access and detail of
work to be carried out’. We
noted that there is no ‘booking
system’ in place for visitors.

4 Low Computer Room Training
The computer room policy
states that ‘access is granted
once users have received
training’. There is currently no
proof of the training.
We understand that the training
is currently verbal and there is
an intention for ICT to
implement an online training
course going forward.
A lack of training may A formalised training S&CA are working in Service
result in staff not programme should be conjunction with Operations
understanding the developed, that includes Development and Training to Manager, and
controls appropriate details of the policies and derive an on-line Computer Development
for the computer procedures staff must Room Access course to be and Training
room. This may result follow, guidance on completed by staff before End December
in accidental or escalation and roles and being allowed access to the 2014.
malicious damage to responsibilities. computer rooms.
ICT equipment
resulting in loss of Evidence of a formal
data, interruption of training record should be
ICT services and maintained.
operational difficulties.

CO3: Management review of data centre access

5 Medium Access List Reviews
Access list reviews are
performed on an ad-hoc basis.
The last review was performed accidental or
in February 2014.
We noted that there are many
users on the access list that
should not have access to the
computer room. See CO2
Unauthorised/inappro We recommend that Agreed, this is good practice Service
priate physical access computer room access lists and will be scheduled within Operations
to the computer room are reviewed more formally the team. Manager,
may result in on a regular basis, and End November
proof of review is retained. 2014.
malicious damage to
IT equipment resulting As a minimum the
in loss of data, recommended guidance is
interruption of IT every 3 months.
services and
operational difficulties.

Ref. Priority Findings
above for details.
In addition there is no evidence
of the access review.
CO4: Data is backed up
6 Medium New Backup System
Netbackup, the backup system
currently in use by the Council,
was implemented five years
ago. Since the implementation,
there has been a 12% annual
growth of the data that requires
backup. The backup process
has thus become very slow
and inefficient.
We understand that a budget
for the implementation of a new
backup system has already
been approved and will form
part of the commissioning
process.
7 High Key System restores
We noted that restores for key
systems (SAP and Framework
i) are not performed on a
regular basis, and no restore
documentation is retained.
Refer to IT Disaster Recovery
Internal Audit Report – Data Centre Operations and Security
Risk Arising/ Recommendation Management Response Responsibility Recommendation
Consequence and Timescale Implemented
(Officer & Date)
In the event that a Implement a backup system The review of the back-up Service
disaster occurs and that is scalable and process will be done by HP Operations
data is not therefore can cope with the as the new Service Provider, Manager,
appropriately backed level of data growth within in conjunction with S&CA, to September
up, inability to recover the Council. achieve a solution that will be 2015.
the data may result in strategic for the needs of the
critical business This system should cope Council and in line with HP
functions not being with the demands of Council support model going forward
recovered in a timely, and projected changes to
accurate and occur.
controlled fashion.
This could result in
the loss of data,
interruption of ICT
services and
operational difficulties
Refer to IT Disaster Management should Refer to IT Disaster Refer to IT Refer to IT
Recovery report develop a policy on how Recovery report Disaster Disaster
often restores will be Recovery Recovery report
performed and retain all report
supporting documentation
 Internal Audit Report – Data Centre Operations and Security

Ref. Priority Findings Risk Arising/ Recommendation Management Response Responsibility Recommendation
Consequence and Timescale Implemented
(Officer & Date)
report, section ‘CO4: What
testing is performed to validate
IT Disaster Recovery, how the
outcomes are reported and
corrective actions
implemented’, issue 5.

CO6: Environmental controls are present to protect the servers

8 High Fire suppression system Refer to IT Disaster Refer to IT Disaster Refer to IT Disaster Refer to IT Refer to IT
Recovery report Recovery report Recovery report Disaster Disaster
There is no fire suppression Recovery Recovery report
system in place. report

For more details, refer to IT

Disaster Recovery report,
section ‘CO3: Whether
inclusion of end-to-end
recovery processes and the
identification of interfaces
between dependent and feeder
systems are understood within
the ITDR Plan(s)’, issue 3.

Key to Priorities:

High This is essential to provide satisfactory control of serious risk(s)

Medium This is important to provide satisfactory control of risk

Low This will improve internal control

 Internal Audit Report – Data Centre Operations and Security

Limitations relating to the Internal Auditor's work

The matters raised in this report are limited to those that came to our attention, from the relevant sample selected, during the course of our audit and to the
extent that every system is subject to inherent weaknesses such as human error or the deliberate circumvention of controls. Our assessment of the controls
which are developed and maintained by management is also limited to the time of the audit work and cannot take account of future changes in the control
environment.