SUBMITTED BY:
Rick Kolker
The City of Phoenix
e-mail => rkolker@ci.phoenix.az.us
Attached (or in the accompanying file) is an audit program that I use
as a starting point for examining data centers. It is only a
guideline and not intended to address all data center issues. I
modify this program for every review that I perform (i.e. depending on
scope, nature of data center, etc).
COMPUTER CENTER
DETAIL AUDIT STEPS
AUDIT OBJECTIVES: To determine that:
* personnel procedures and responsibilities
address employee termination, cross-functional and systems training
* program change controls are adequate to
ensure that changes are tested and
approved before being moved into production status
* backup procedures are adequate to minimize
business interruption and protect against
loss of data in the event of a disaster
* physical security controls are adequate
to prevent unauthorized access to computer
center areas
* environmental controls are adequate to
minimize hardware/software losses from fire or
flood.
ADM. ADMINISTRATIVE SECTION
1. Complete the Quality Assurance Checklist.
2. Complete detailed audit program (See sections
below for audit steps)
3. Prepare Statement of Scope and Methods
memorandum
4. Obtain copies of any prior and/or related
audit reports
5. Document Opening Conference:
a. Notification Memo
b. Meeting Agenda
c. Management's Comments / Meeting Notes
6. Document Exit Conference
7. Document Closing Conference
8. Review of Applicable Laws, Rules, & Regulations
9. End of Survey Phase Commitment Letter
10. Comparison of Budgeted Hours to Actual
Hours
11.
12.
13.
A.
B.
C.
D.
window?
f. Is computer site below ground level?
g. Is air conditioning outside air intake
at ground level?
h. Is direct access into computer site
possible from the outside or through a
public hallway?
i. Are keys to cabinets, equipment rooms,
and wiring closets held under proper
custody?
j. Are all telecommunication line junction
points (wiring and router closets, etc.)
secured to prevent tampering?
k. Is the computer center subject to
catastrophic mishap, e.g., aircraft collision?
2. The adequacy of fire protection systems
should be determined by using the
following issues as a guideline.
a. Clear and adequate fire instructions
should be posted in strategic locations.
b. Fire alarm pull boxes and emergency
power switches should be clearly visible
and unobstructed.
c. The computer room should have an
automatic fire extinguishing system which
should be tested periodically by the
manufacturer or service representative.
d. The fire detection system should detect
smoke, excessive heat or combustible
fumes.
e. The detectors should be located in the
ceiling air ducts and beneath the
raised flooring. Detectors should be
tested frequently and protected by a
backup power supply.
f. When the fire alarm is activated, it
should sound outside the computer room
area at a guard station and a local fire
station or emergency control center.
Data Center personnel should be able
to identify the sound of the fire alarm.
g. What are the exposures to flooding? Would
a burst pipe or rising river cause
damage?
h. The computer room should be kept
clean at all times.
3. The environmental equipment and controls
should be adequate to protect the
computer hardware from damage. Use the
following areas as a guideline in
determining adequacy.
BACKUP
1. Determine that system and data file backup
procedures are adequate to minimize
recovery time and/or loss of data.
2. Determine whether backups are maintained
offsite.
3. Identify the backup power supplies/equipment
relating to the following areas:
a. Emergency backup lights
b. Computer systems
4. Determine whether the backup power is of
adequate size to power all equipment
relying on it, including those not within
the scope of this audit.