Data Centre Operations Final V3
Internal Audit Report
Data Centre Operations and Security
Document Details:
Reference: Report nos from monitoring spreadsheet/2013.14
Senior Manager, Internal Audit & Assurance: ext. 6567
Engagement Manager:
Auditor:
This report is not for reproduction, publication or disclosure by any means to unauthorised persons.
Internal Audit Report – Data Centre Operations and Security
1. EXECUTIVE SUMMARY
1.1 INTRODUCTION
As part of the 2014/15 Internal Audit Plan an audit of the ‘Data centre operations and
security’ was carried out.
The objective of this review is to evaluate the security of the data centre, in particular
the following areas:
- data centre policies and procedures are defined, documented, and communicated for all key functions;
- Council systems are secured to prevent unauthorised access (including 3rd party access);
- access to the data centre is monitored and reviewed, and access rights are periodically reviewed;
- data is backed up from servers held at the civic data centre;
- data transferred off site is secured at all times and appropriate controls are in place to monitor the location of the data;
- environmental controls are present to protect the servers from fire, electrical and water damage;
- capacity for the data centre is adequate for the server rooms equipment and storage needs;
- environmental equipment is routinely maintained in line with manufacturer recommended schedules; and
- backup electricity supplies are in place to ensure systems and services are not affected in the event of a power outage.
There are some areas that are appropriately managed and in line with acceptable good
practice, including:
- A computer room policy has been developed and is reviewed on an annual basis;
- Backup schedules are in place and failed backups are monitored and actioned by ICT staff;
- An offsite location is used for storage of backup tapes; and
- Storage capacity for the data centre is considered adequate based on the plans of ICT.
However, we also identified a number of areas that require improvement and have
thus led to the ‘limited assurance’ rating:
2. SUMMARY OF CONCLUSIONS
2.1 The conclusion for each control objective evaluated as part of this audit was as follows:
2.2 The recommendations arising from the review are ranked according to their level of
priority as detailed at the end of the report within the detailed audit findings.
Recommendations are also colour coded according to their level of priority with the
highest priorities highlighted in red, medium priorities in amber and lower priorities in
green. In addition, the detailed audit findings include columns for the management
response, the responsible officer and the time scale for implementation of all agreed
recommendations.
2.3 Where high recommendations are made within this report it would be expected that
they should be implemented within three months from the date of the report to ensure
that the major areas of risk have either been resolved or that mitigating controls have
been put in place and that medium and low recommendations will be implemented
within six and nine months respectively.
4. ACKNOWLEDGEMENTS
Audit would like to thank all involved for their assistance during this review.
Ref. | Priority | Findings | Risk Arising/Consequence | Recommendation | Management Response | Responsibility and Timescale | Recommendation Implemented (Officer & Date)

Findings (continued):
- Audit assistant
- Two members of the applications team;
- One staff member from Adult Services & Health;
- One staff member from Children’s Services;
- Six temporary contractors; and
- One leaver who has not yet been removed.

Management Response (continued): dedicated access group for Computer rooms. This will be used for appropriate staff who require access to the computer rooms only.
Access to the computer rooms will be removed from the 'all hours, all doors' group.

Ref.: 3
Priority: Medium
Findings: Computer Room Access Logging
The computer room policy states that ‘access to the central computer rooms must be logged. For regular staff this can be via the automated Access Control System, for other staff, this must be via an electronic or manual booking system administered centrally.
The 'booking system' should show name of the person accessing the computer room, data and time from and until, reason for access and detail of work to be carried out’. We noted that there is no ‘booking system’ in place for visitors.
Risk Arising/Consequence: Unauthorised/inappropriate physical access to the computer room may result in accidental or malicious damage to ICT equipment resulting in loss of data, interruption of ICT services and operational difficulties.
Recommendation: Where non authorised staff require access to the computer room, they should be accompanied by a member of the ICT team and their access logged (utilising an access log form).
The log should be reviewed by Management on a regular basis (monthly), to identify any unauthorised access.
Management Response: Agreed, S&CA will create a manual logging process that can be used to record access for individuals that do not have access right to the computer room within their own responsibility.
Will record:
- Date/time
- Who requires access
- Reason for access
Responsibility and Timescale: Technical Services manager, end November 2014.

Ref.: 4
Priority: Low
Findings: Computer Room Training
The computer room policy states that ‘access is granted once users have received training’. There is currently no proof of the training.
We understand that the training is currently verbal and there is an intention for ICT to implement an online training course going forward.
Risk Arising/Consequence: A lack of training may result in staff not understanding the controls appropriate for the computer room. This may result in accidental or malicious damage to ICT equipment resulting in loss of data, interruption of ICT services and operational difficulties.
Recommendation: A formalised training programme should be developed, that includes details of the policies and procedures staff must follow, guidance on escalation and roles and responsibilities.
Evidence of a formal training record should be maintained.
Management Response: S&CA are working in conjunction with Development and Training to derive an on-line Computer Room Access course to be completed by staff before being allowed access to the computer rooms.
Responsibility and Timescale: Service Operations Manager, and Development and Training. End December 2014.
above for details.

Ref.: 7
Priority: High
Findings: Key System restores
We noted that restores for key systems (SAP and Framework i) are not performed on a regular basis, and no restore documentation is retained.
Risk Arising/Consequence: Refer to IT Disaster Recovery report
Recommendation: Management should develop a policy on how often restores will be performed and retain all supporting documentation
Management Response: Refer to IT Disaster Recovery report
Responsibility and Timescale: Refer to IT Disaster Recovery report
Recommendation Implemented (Officer & Date): Refer to IT Disaster Recovery report

report, section ‘CO4: What testing is performed to validate IT Disaster Recovery, how the outcomes are reported and corrective actions implemented’, issue 5.
Key to Priorities:
The matters raised in this report are limited to those that came to our attention, from the relevant sample selected, during the course of our audit and to the
extent that every system is subject to inherent weaknesses such as human error or the deliberate circumvention of controls. Our assessment of the controls
which are developed and maintained by management is also limited to the time of the audit work and cannot take account of future changes in the control
environment.