
UC Core Audit Program

Data Center Operations & OS Software


i. Audit Approach
This program will be used to audit Data Center Operations using a risk-based approach. Most Campus Data Centers are responsible for the management, physical controls, and operation of enterprise IT systems. Account management may be performed by a help desk that is not directly part of the Data Center. The Data Center is also normally responsible for the installation and maintenance of the operating systems for the computers used to process production IT systems. Database and application administration may or may not be performed by Data Center staff. If any core Data Center functions for systems that contain restricted data are performed remotely, it must be confirmed that secure methods of connecting with systems in the Data Center are used. A system-wide group of Joint Data Center Managers meets to discuss Data Center related topics, shares best practices and works together on solutions to common problems. They might be a resource during this audit and can be contacted through their web site hosted at UCSB, http://jdcmg.isc.ucsb.edu/.
ii. Preliminary Survey and Risk Assessment
The general overview will include interviews of department management and key personnel; evaluation of policies and procedures associated with Data Center processes; inventory of compliance requirements; consideration of key operational aspects; and an assessment of the information systems environment. Prior audits should be reviewed to determine impact, if any. If the data center was reviewed as part of the system-wide IS-3 self assessment, that documentation should be obtained and reviewed as one of the first steps in the audit. During the overview, a general understanding of the management structure, compliance requirements, financial issues, daily and routine operations, and efficiency and effectiveness of the operation will be obtained (or updated).
As needed, the general overview will incorporate the use of internal control questionnaires, process flowcharts, and an assessment of the maturity of the processes and internal controls.
A. The following table summarizes audit objectives and corresponding high-level risks to be considered during the preliminary survey.

Audit Objective
Obtain an understanding of significant processes and practices supporting the Data Center operations, specifically addressing the following components:
- Management philosophy, operating style, and risk assessment practices including:
  o Awareness of and compliance with applicable laws, regulations and policies. Note: if your campus performed an IS-3 self assessment of the Data Center, this information may be used to help determine compliance with that policy.
  o Planning and management of Data Center Operations
  o Change Management
  o Formal risk assessment practices and procedures
  o Efficient and effective operations
- Organizational structure, governance and delegations of authority and responsibility
- Positions of accountability for financial and operational results
- Process strengths (best practices), weaknesses, and mitigating controls

Areas of Risk
- Data Center management systems may be ineffective and inefficient due to misalignment with their mission and not capable of meeting the business objectives.
- A formal risk assessment may not have been performed.
- Organizational structure may be inappropriate for achieving business objectives.
- Insufficient separation of duties may increase risks of errors or inappropriate actions.
- Equipment and software may be inappropriate for achieving the business objectives.
- Operating systems may not be properly configured or maintained (patched), resulting in insecure systems.
- User permissions may not be assigned on the principle of "least privileges."
- Superuser accounts may be used inappropriately. IS-3 states "Personnel who require privileged accounts should also have non-privileged accounts to use when not performing system administration tasks and should be instructed not to use their privileged accounts for non-authorized purposes."
- Superusers may be able to alter the security and audit logs of their own activities.
- System and security logs may not be reviewed by appropriate staff.
- New systems may not be adequately scanned for vulnerabilities and unnecessary services before being placed in the production environment.

Data Center Operations Audit Program updated !"#!!#$% Page ! of &
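The last six risks in the table are OS-level conditions that can be tested directly on a sampled host rather than only through interviews. The script below is an added example and is not part of the UC audit program or any campus's tooling: it runs the checks against constructed sample copies of /etc/passwd, /etc/shadow, /etc/sudoers, /etc/ssh/sshd_config and a log directory (all invented here for illustration), flagging extra UID 0 accounts, accounts with no password, sudo rules granting every command without a password (no practical separation between a person's privileged and everyday use), remote access settings that allow direct root or password logins, and log files any local user could alter. The function names and sample contents are this example's own assumptions; on a real host the functions are pointed at the live files instead.

```shell
#!/bin/sh
# Added example (not part of the UC audit program): OS-level evidence checks
# for the risks listed above. All input files below are CONSTRUCTED samples;
# on a real host point the functions at /etc/passwd, /etc/shadow,
# /etc/sudoers, /etc/ssh/sshd_config and /var/log instead.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# ---- constructed sample evidence ------------------------------------------
cat >"$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oper:x:1001:1001:night operator:/home/oper:/bin/bash
toor:x:0:0:second root account:/root:/bin/sh
jsmith:x:1002:1002:J. Smith:/home/jsmith:/bin/bash
EOF

cat >"$WORK/shadow" <<'EOF'
root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
oper::19000:0:99999:7:::
toor:$6$salt$hash:19000:0:99999:7:::
jsmith:$6$salt$hash:19000:0:99999:7:::
EOF

cat >"$WORK/sudoers" <<'EOF'
# constructed sample sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
oper    ALL=(ALL) NOPASSWD: ALL
jsmith  ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
EOF

cat >"$WORK/sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
EOF

mkdir -p "$WORK/log"
: >"$WORK/log/secure";    chmod 0600 "$WORK/log/secure"
: >"$WORK/log/messages";  chmod 0644 "$WORK/log/messages"
: >"$WORK/log/audit.log"; chmod 0666 "$WORK/log/audit.log"

# ---- checks (each prints only the offending entries) -----------------------

# Any account other than root with UID 0 is an unnamed superuser.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# An empty second field in shadow means the account requires no password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Users who may run every command as root without a password prompt, i.e.
# no effective separation between their privileged and everyday accounts.
sudo_nopasswd_all() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:[[:space:]]*ALL' | awk '{ print $1 }'
}

# sshd settings that permit direct root or password-based remote logins.
sshd_insecure_settings() {
    awk 'tolower($1) == "permitrootlogin"        && tolower($2) == "yes" { print "PermitRootLogin" }
         tolower($1) == "passwordauthentication" && tolower($2) == "yes" { print "PasswordAuthentication" }
         tolower($1) == "permitemptypasswords"   && tolower($2) == "yes" { print "PermitEmptyPasswords" }' "$1"
}

# Log files with the other-write bit set can be edited by any local user,
# including an administrator covering their own tracks.
world_writable_files() {
    find "$1" -type f -perm -002 | sed "s|^$1/||" | sort
}

# ---- report (one line per check; an empty value is a clean result) --------
report() {
    printf 'UID 0 accounts other than root : %s\n' "$(uid0_accounts "$WORK/passwd" | tr '\n' ' ')"
    printf 'Accounts with empty password   : %s\n' "$(empty_password_accounts "$WORK/shadow" | tr '\n' ' ')"
    printf 'NOPASSWD: ALL sudo grants      : %s\n' "$(sudo_nopasswd_all "$WORK/sudoers" | tr '\n' ' ')"
    printf 'Insecure sshd settings         : %s\n' "$(sshd_insecure_settings "$WORK/sshd_config" | tr '\n' ' ')"
    printf 'World-writable log files       : %s\n' "$(world_writable_files "$WORK/log" | tr '\n' ' ')"
}

report
```

Each function prints only the offending entries, so an empty result is a clean check and a non-empty one is evidence that can go straight into the workpaper. These are point-in-time checks of one host; they do not replace the review of how patches are tested and applied or of who actually reads the logs, which remain interview and documentation items in steps 1 through 14 below.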
B. Preliminary Survey and Risk Assessment procedure steps:
1. Interview the department director, Campus IT Security Expert, and key managers to identify and assess their philosophy and operating style, regular channels of communication, and risk assessment processes.
2. Gain an understanding of data center operational processes by reviewing written procedure manuals. If written procedures do not exist or are not followed, flowcharting key processes may be needed to identify process strengths, weaknesses, and mitigating controls.
3. Contact the person on your campus who is responsible for the system-wide IS-3 self assessments and determine if a self assessment was done for the Data Center. If so, obtain a copy of this assessment. This assessment may provide much of the background information and answer many of the questions in the ICQ (internal control questionnaire). If the Data Center was not assessed as part of this exercise, an explanation should be obtained and potentially written up as an audit finding.
4. Obtain the department's organization chart and management reports.
5. Interview select staff members to obtain the staff perspective. During all interviews, solicit input on concerns or areas of risk.
6. Evaluate the organizational structure to assure that proper accountability and separation of duties exist. (Job descriptions, procedure manuals, and/or interviews may be needed to accurately assess separation of duties.)
7. Obtain and evaluate incident reporting and response procedures and tracking.
8. Obtain a copy of the emergency response plan.
9. Determine who is responsible for declaring an emergency and invoking the emergency response plan.
10. Identify the key Data Center functions, activities, services, and missions. Some data centers may still run mainframe systems and engage in program development and batch processing, with input and output products and controls and related internal controls, like control totals, etc. Other data centers may primarily provide the service of managing, maintaining, monitoring, and securing IT systems that are used by application developers and administrators who are not part of the Data Center staff. Understanding the functions and services provided by your Data Center will determine how detailed testing should proceed. Almost all Data Centers engage in the following activities:
a. Patching operating systems, databases, and applications. The patching process may also involve testing patches in a test or QA environment prior to applying patches to production systems.
b. Security monitoring and incident reporting.
c. Operating system software administration, including internal OS account management.
d. Administrative planning and support, including capacity planning, preventative maintenance and replacement.
e. Decommissioning procedures to assure sensitive or restricted data are removed or destroyed before hardware is surplused or otherwise disposed.
f. Backup and recovery processes, including routine backups, storage and recovery planning, and testing.
g. If your Data Center is running mainframe systems, consider input/output testing including control totals, RACF audits, and others as appropriate. Detailed mainframe audit programs to address batch processing and other activities are available from www.isaca.org and other web sources.
h. If your Data Center is using virtualization in a Windows or other environment, SANS publishes top ten mistakes lists and detailed audit programs. Develop specific audit tests as needed to fit your unique environment.
11. Determine through interviews and visual inspection the physical security and environmental controls in the Data Center.
12. Determine if the Data Center is using any standards or best practices for managing IT services. The system-wide Joint Data Center Managers, referenced above, use the Information Technology Infrastructure Library (ITIL) as an integrated, process-based, best practice framework for managing IT services. Determine if your campus has adopted this, or another standard. If so, the standards or models may provide the basis for detailed testing.
13. Obtain and review a list of all systems in the Data Center. The list should include the purpose of the system, the platform it is running on, and any dependencies it may have on other systems or resources.
14. Review management's monitoring reports and supervision of the data center staff and/or operations.
15. Develop detailed test objectives and procedures, and conduct detailed testing as appropriate based on auditor judgment.

C. Following completion of the preliminary survey, a high-level risk assessment should be performed and documented in a risk and controls matrix workpaper.
iii. Financial Management
A. The following table summarizes audit objectives and corresponding financial management risks.

Audit Objective
Evaluate the adequacy of financial resources, and appropriate financial planning consistent with the objectives of the Data Center. Include the following components:
- Determine how Data Center budgets are managed and expenses tracked against budgeted amounts.
- Determine if risk analysis is part of the budget allocation process.

Areas of Risk
- IT equipment may be inadequate for the needs of its customers.
- Funds may not be budgeted for equipment replacement as required based on the expected useful life of the equipment.
- Purchase versus lease decisions may be flawed due to incorrect financial assumptions.
- IT governance may not provide adequate consideration of IT service levels and IT security.
B. Financial Management Procedure Steps.
1. Identify budgetary processes and reports used by the department.
2. Review and discuss budgets and financial monitoring with responsible managers. Determine if IT risk assessment and potential impacts are considered in the budgeting process.
3. Determine if the department is funded sufficiently to adequately provide services and maintain security at an appropriate level.
4. Determine if an equipment replacement life cycle is maintained and funded.
iv. Compliance
A. The following table summarizes audit objectives and corresponding risks regarding compliance with policies and procedures, and regulatory requirements.

Audit Objective
Evaluate compliance with the following requirements:
- UCOP Policies
  o IS-3
  o IS-10
  o IS-11
  o IS-12
  o Other Business and Financial Bulletins and other University policies
  o Electronic communications policy
- Applicable State and Federal laws and regulations including:
  o FERPA
  o Gramm Leach Bliley (GLBA)
  o HIPAA
  o SB 1386
Evaluate adequacy of and compliance with local policies, standards, and guidelines.

Areas of Risk
- Non-compliance could result in fines, penalties, and sanctions.
- Poor security or poor performance from lack of adequate guidance policy.
- Delegations of authority may be inappropriate.
- Non-compliance of local processes with University requirements may negatively impact reliability and security of the systems.

B. Compliance Testing Procedure Steps
1. Obtain an understanding of applicable state or federal regulations.
2. Determine whether state or federal regulations apply to systems and data in the Data Center (e.g., HIPAA, FERPA, GLBA, etc.).
3. Obtain an understanding of applicable University policies.
4. Determine how compliance with applicable policies and state or federal laws or regulations is achieved and documented.
v. Operational Effectiveness and Efficiency
A. The following table summarizes audit objectives and corresponding risks regarding operational effectiveness and efficiency.

Audit Objective
Evaluate the adequacy of operational effectiveness and efficiency consistent with the objectives of Data Center management. Include the following components:
- Adequacy of Data Center personnel skill and training
- Self-evaluation and efforts for continuous improvement
- Specialization of work: centralized vs. decentralized
- Appropriate management of contracts
- Process in evaluating the needs for new and/or upgrades to hardware, software, and facilities

Areas of Risk
- Operational effectiveness and efficiency could be compromised due to poor system performance.
- Lack of proper planning could allow the condition of inadequate capacity to develop.
- Self-evaluation and improvement processes may not be aligned with the directives of management.
- Service levels may not satisfy the needs/requirements of the Data Center and its customers.
- Paying more for services when less expensive alternatives would satisfy needs.

B. Operational Effectiveness and Efficiency Procedure Steps
1. Determine if the Data Center has service level agreements with the clients it serves. If so, do they measure themselves for compliance with the agreements? If needed, survey clients for concerns.
2. Determine if use of contractors is appropriate and cost effective when Data Center staff do not have the necessary skills, knowledge or abilities.
3. Determine how senior management monitors Data Center effectiveness and efficiency. Are their measures accurate and sufficient to make good business decisions?

