Data Center Operations Audit Program
UC Core Audit Program: Data Center Operations & OS Software

i. Audit Approach

This program will be used to audit Data Center Operations using a risk-based approach. Most Campus Data Centers are responsible for the management, physical controls, and operation of enterprise IT systems. Account management may be performed by a help desk that is not directly part of the Data Center. The Data Center is also normally responsible for the installation and maintenance of the operating systems for the computers used to process production IT systems. Database and application administration may or may not be performed by Data Center staff. If any core Data Center functions for systems that contain restricted data are performed remotely, it must be confirmed that secure methods of connecting to systems in the Data Center are used. A system-wide group of Joint Data Center Managers meets to discuss Data Center related topics, shares best practices and works together on solutions to common problems. They might be a resource during this audit and can be contacted through their web site hosted at UCSB, http://jdcmg.isc.ucsb.edu/.

ii. Preliminary Survey and Risk Assessment

The general overview will include interviews of department management and key personnel; evaluation of policies and procedures associated with Data Center processes; inventory of compliance requirements; consideration of key operational aspects; and an assessment of the information systems environment. Prior audits should be reviewed to determine their impact, if any. If the data center was reviewed as part of the system-wide IS-3 self assessment, that documentation should be obtained and reviewed as one of the first steps in the audit. During the overview, a general understanding of the management structure, compliance requirements, financial issues, daily and routine operations, and efficiency and effectiveness of the operation will be obtained (or updated).

As needed, the general overview will incorporate the use of internal control questionnaires, process flowcharts, and an assessment of the maturity of the processes and internal controls.

A. The following table summarizes audit objectives and corresponding high-level risks to be considered during the preliminary survey.

Audit Objective:
Obtain an understanding of significant processes and practices supporting the Data Center operations, specifically addressing the following components:
- Management philosophy, operating style, and risk assessment practices, including:
  o Awareness of and compliance with applicable laws, regulations and policies. Note: if your campus performed an IS-3 self assessment of the Data Center, this information may be used to help determine compliance with that policy.
  o Planning and management of Data Center Operations
  o Change Management
  o Formal risk assessment practices and procedures
  o Efficient and effective operations
- Organizational structure, governance and delegations of authority and responsibility
- Positions of accountability for financial and operational results
- Process strengths (best practices), weaknesses, and mitigating controls

Areas of Risk:
- Data Center management systems may be ineffective and inefficient due to misalignment with their mission and not capable of meeting the business objectives.
- A formal risk assessment may not have been performed.
- Organizational structure may be inappropriate for achieving business objectives.
- Insufficient separation of duties may increase risks of errors or inappropriate actions.
- Equipment and software may be inappropriate for achieving the business objectives.
- Operating systems may not be properly configured or maintained (patched), resulting in insecure systems.
- User permissions may not be assigned on the principle of "least privileges."
- Superuser accounts may be used inappropriately. IS-3 states: "Personnel who require privileged accounts should also have non-privileged accounts to use when not performing system administration tasks and should be instructed not to use their privileged accounts for non-authorized purposes."
- Superusers may be able to alter the security and audit logs of their own activities.
- System and security logs may not be reviewed by appropriate staff.
- New systems may not be adequately scanned for vulnerabilities and unnecessary services before being placed in the production environment.

B. Preliminary Survey and Risk Assessment procedure steps:
1. Interview the department director, Campus IT Security Expert, and key managers to identify and assess their philosophy and operating style, regular channels of communication, and risk assessment processes.
2. Gain an understanding of data center operational processes by reviewing written procedure manuals. If written procedures do not exist or are not followed, flowcharting key processes may be needed to identify process strengths, weaknesses, and mitigating controls.
3. Contact the person on your campus who is responsible for the system-wide IS-3 self assessments and determine if a self assessment was done for the Data Center. If so, obtain a copy of this assessment. It may provide much of the background information and answer many of the questions in the ICQ. If the Data Center was not assessed as part of this exercise, an explanation should be obtained and potentially written up as an audit finding.
4. Obtain the department's organization chart and management reports.
5. Interview select staff members to obtain the staff perspective. During all interviews, solicit input on concerns or areas of risk.
6. Evaluate the organizational structure to assure that proper accountability and separation of duties exist. (Job descriptions, procedure manuals, and/or interviews may be needed to accurately assess separation of duties.)
7. Obtain and evaluate incident reporting and response procedures and tracking.
8. Obtain a copy of the emergency response plan.
9. Determine who is responsible for declaring an emergency and invoking the emergency response plan.
10. Identify the key Data Center functions, activities, services, and missions. Some data centers may still run mainframe systems and engage in program development and batch processing, with input and output products and related internal controls, such as control totals. Other data centers may primarily provide the service of managing, maintaining, monitoring, and securing IT systems that are used by application developers and administrators who are not part of the Data Center staff. Understanding the functions and services provided by your Data Center will determine how detailed testing should proceed. Most Data Centers engage in the following activities:
  a. Patching operating systems, databases, and applications. The patching process may also involve testing patches in a test or QA environment prior to applying patches to production systems.
  b. Security monitoring and incident reporting.
  c. Operating system software administration, including internal OS account management.
  d. Administrative planning and support, including capacity planning, preventative maintenance and replacement.
  e. Decommissioning procedures to assure sensitive or restricted data are removed or destroyed before hardware is surplused or otherwise disposed.
  f. Backup and recovery processes, including routine backups, storage and recovery planning, and testing.
  g. If your Data Center is running mainframe systems, consider input/output testing including control totals, RACF audits, and others as appropriate. Detailed mainframe audit programs to address batch processing and other activities are available from www.isaca.org and other web sources.
  h. If your Data Center is using virtualization in a Windows or other environment, SANS publishes top ten mistakes lists and detailed audit programs. Develop specific audit tests as needed to fit your unique environment.
11. Determine through interviews and visual inspection the physical security and environmental controls in the Data Center.
12. Determine if the Data Center is using any standards or best practices for managing IT services. The system-wide Joint Data Center Managers, referenced above, use the Information Technology Infrastructure Library (ITIL) as an integrated, process-based, best practice framework for managing IT services. Determine if your campus has adopted this, or another standard. If so, standards or models may provide the basis for detailed testing.
13. Obtain and review a list of all systems in the Data Center. The list should include the purpose of the system, the platform it is running on, and any dependencies it may have on other systems or resources.
14. Review management's monitoring reports and supervision of the data center staff and/or operations.
15. Develop detailed test objectives and procedures, and conduct detailed testing as appropriate based on auditor judgment.
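The account-related risks in the preliminary survey table above (superuser accounts used inappropriately, the IS-3 expectation that privileged staff also hold a non-privileged account, and permissions not following least privilege) can be checked mechanically from the account files an auditor collects in step 10(c). The following Python helper is an added example, not part of the audit program; it assumes that membership in the wheel or sudo group grants root via sudo and that the site names administrative accounts "<user>-adm" alongside a non-privileged "<user>" account, and it runs on constructed sample snapshots.

```python
# Added audit helper (not from the audit program). Assumptions: wheel/sudo
# membership grants root via sudo; admin accounts are named "<user>-adm".
ADMIN_GROUPS = {"wheel", "sudo"}
ADMIN_SUFFIX = "-adm"

# Constructed sample snapshots, not taken from any real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
alice-adm:x:1002:1002:Alice (admin):/home/alice-adm:/bin/bash
bob-adm:x:1003:1003:Bob (admin):/home/bob-adm:/bin/bash
carol:x:1004:1004:Carol:/home/carol:/bin/bash
"""
GROUP = """\
wheel:x:10:alice-adm,bob-adm,carol
sudo:x:27:
"""

def parse_passwd(text):
    """Map user name -> numeric UID (fields: name:pw:uid:gid:gecos:home:shell)."""
    rows = [line.split(":") for line in text.splitlines() if line]
    return {r[0]: int(r[2]) for r in rows}

def parse_group(text):
    """Map group name -> set of supplementary members (fields: name:pw:gid:members)."""
    rows = [line.split(":") for line in text.splitlines() if line]
    return {r[0]: {m for m in r[3].split(",") if m} for r in rows}

def audit_privileged_accounts(passwd_text, group_text):
    """Flag extra UID 0 accounts, admin accounts lacking a non-privileged twin
    (the IS-3 expectation), and daily-use accounts that carry admin rights."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    sudoers = set().union(*(groups.get(g, set()) for g in ADMIN_GROUPS))
    privileged = {u for u, uid in users.items() if uid == 0} | sudoers
    findings = []
    for name in sorted(privileged):
        if users.get(name) == 0 and name != "root":
            findings.append(f"{name}: additional UID 0 (superuser) account")
        elif name.endswith(ADMIN_SUFFIX):
            twin = name[:-len(ADMIN_SUFFIX)]
            if twin not in users:
                findings.append(f"{name}: no non-privileged counterpart '{twin}'")
            elif twin in privileged:
                findings.append(f"{name}: counterpart '{twin}' is itself privileged")
        elif name != "root":  # not a '-adm' account, yet holds admin group membership
            findings.append(f"{name}: daily-use account holds admin group membership")
    return findings  # for the sample: three findings (bob-adm, carol, toor)
```

On a real system the auditor would feed the collected /etc/passwd and /etc/group contents to audit_privileged_accounts and record each returned line as a candidate finding for follow-up interviews.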
C. Following completion of the preliminary survey, a high-level risk assessment should be performed and documented in a risk and controls matrix workpaper.

iii. Financial Management

A. The following table summarizes audit objectives and corresponding financial management risks.

Audit Objective:
Evaluate the adequacy of financial resources, and appropriate financial planning consistent with the objectives of the Data Center. Include the following components:
- Determine how Data Center budgets are managed and expenses tracked against budgeted amounts.
- Determine if risk analysis is part of the budget allocation process.

Areas of Risk:
- IT equipment may be inadequate for the needs of its customers.
- Funds may not be budgeted for equipment replacement as required based on the expected useful life of the equipment.
- Purchase versus lease decisions may be flawed due to incorrect financial assumptions.
- IT governance may not provide adequate consideration of IT service levels and IT security.

B. Financial Management Procedure Steps:
1. Identify budgetary processes and reports used by the department.
2. Review and discuss budgets and financial monitoring with responsible managers. Determine if IT risk assessment and potential impacts are considered in the budgeting process.
3. Determine if the department is funded sufficiently to adequately provide services and maintain security at an appropriate level.
4. Determine if an equipment replacement life cycle is maintained and funded.

iv. Compliance

A. The following table summarizes audit objectives and corresponding risks regarding compliance with policies and procedures, and regulatory requirements.

Audit Objective:
Evaluate compliance with the following requirements:
- UCOP Policies: IS-3, IS-10, IS-11, IS-12, other Business and Financial Bulletins and other University policies, and the Electronic Communications Policy.
- Applicable State and Federal laws and regulations, including FERPA, Gramm Leach Bliley (GLBA), HIPAA, and SB 1386.
- Evaluate adequacy of, and compliance with, local policies, standards, and guidelines.

Areas of Risk:
- Non-compliance could result in fines, penalties, and sanctions.
- Poor security or poor performance from lack of adequate guidance policy.
- Delegations of authority may be inappropriate.
- Non-compliance of local processes with University requirements may negatively impact reliability and security of the systems.

B. Compliance Testing Procedure Steps:
1. Obtain an understanding of applicable state or federal regulations.
2. Determine whether state or federal regulations apply to systems and data in the Data Center (e.g., HIPAA, FERPA, GLBA, etc.).
3. Obtain an understanding of applicable University policies.
4. Determine how compliance with applicable policies and state or federal laws or regulations is achieved and documented.

v. Operational Effectiveness and Efficiency

A. The following table summarizes audit objectives and corresponding risks regarding operational effectiveness and efficiency.

Audit Objective:
Evaluate the adequacy of operational effectiveness and efficiency consistent with the objectives of Data Center management. Include the following components:
- Adequacy of Data Center personnel skill and training
- Self-evaluation and efforts for continuous improvement
- Specialization of work: centralized vs. decentralized
- Appropriate management of contracts
- Process for evaluating the needs for new and/or upgraded hardware, software, and facilities

Areas of Risk:
- Operational effectiveness and efficiency could be compromised due to poor system performance.
- Lack of proper planning could allow a condition of inadequate capacity to develop.
- Self-evaluation and improvement processes may not be aligned with the directives of management.
- Service levels may not satisfy the needs/requirements of the Data Center and its customers.
- Paying more for services when less expensive alternatives would satisfy needs.

B. Operational Effectiveness and Efficiency Procedure Steps:
1. Determine if the Data Center has service level agreements with the clients it serves. If so, do they measure themselves for compliance with the agreement? If needed, survey clients for concerns.
2. Determine if use of contractors is appropriate and cost effective when Data Center staff do not have the necessary skills, knowledge or abilities.
3. Determine how senior management monitors Data Center effectiveness and efficiency. Are their measures accurate and sufficient to make good business decisions?