EXAMINING DATA CENTERS

SUBMITTED BY:
Rick Kolker
The City of Phoenix
e-mail => rkolker@ci.phoenix.az.us
Attached (or in the accompanying file) is an audit program that I use as a starting point for examining data centers. It is only a guideline and not intended to address all data center issues. I modify this program for every review that I perform (i.e. depending on scope, nature of data center, etc.).

COMPUTER CENTER
DETAIL AUDIT STEPS

AUDIT OBJECTIVES: To determine that:
* personnel procedures and responsibilities address employee termination, cross-functional and systems training;
* program change controls are adequate to ensure that changes are tested and approved before being moved into production status;
* backup procedures are adequate to minimize business interruption and protect against loss of data in the event of a disaster;
* physical security controls are adequate to prevent unauthorized access to computer center areas;
* environmental controls are adequate to minimize hardware/software losses from fire or flood.
ADM. ADMINISTRATIVE SECTION
1. Complete the Quality Assurance Checklist.
2. Complete detailed audit program (see sections below for audit steps).
3. Prepare Statement of Scope and Methods memorandum.
4. Obtain copies of any prior and/or related audit reports.
5. Document Opening Conference:
   a. Notification Memo
   b. Meeting Agenda
   c. Management's Comments / Meeting Notes
6. Document Exit Conference.
7. Document Closing Conference.
8. Review of Applicable Laws, Rules, & Regulations.
9. End of Survey Phase Commitment Letter.
10. Comparison of Budgeted Hours to Actual Hours.
11. Document, as necessary, any Notes for Future Audits.
12. NOT USED (NO WORKPAPER CROSS-REFERENCE)
13. Prepare a Draft Audit Report documenting audit observations and any recommendations.

A. ORGANIZATIONAL STRUCTURE / SYSTEM OVERVIEW, DOCUMENTATION, & TRAINING
1. Document organizational structure.
   a. Identify those positions responsible for maintaining the programs, backing up the system / data files, and using the various computer center systems. If necessary, review the written job descriptions for each functional duty described in the organization chart.
   b. Determine whether provisions are made for backup personnel in key positions.
   c. Determine if termination procedures are adequate:
      (1) The employee's I.D. badge should be collected when he or she is terminated.
      (2) Passwords that the terminating employee was privy to should be removed or changed.
      (3) His or her keys should be collected and/or locks changed.
      (4) Is there a termination check-out briefing session/procedure?
   d. Determine if adequate system training and supervision are provided to the employees using the system.
2. Determine whether vendor service personnel are supervised while on site.
3. Obtain or document an overview of the Information Systems (including hardware resources, software, support/design staff, and users) in the Computer Center.
   a. Determine the overall criticality of each major system identified.
   b. On dial-in lines, does the security system include call-back features or some other means of control to ensure authorized access?
4. Determine if written system operation procedures exist (especially for start-up, shut-down, file maintenance, and preventive maintenance).

B. PROGRAM CHANGE CONTROL MANAGEMENT
1. Obtain copies of the problem and change control procedures. Verify that changes must go through this process and are properly approved.
2. Determine whether the procedures provide for an adequate separation of program changes and production data.

C. COMPUTER CENTER OPERATIONS
1. Performance
   a. Examine utilization reports and determine the times of peak resource demand within the processing day. Determine how Computer Center management reacts to equipment utilization information.
   b. Determine whether capacity planning (processor, memory, channels, disk, etc.) is performed and whether it is consistent with, and integrated into, strategic long-range plans.
   c. Determine whether performance measurements are in place.
   d. Determine whether system downtime is recorded or tracked.
2. Preventive Maintenance
   a. Interview employees and/or review vendor maintenance agreements to identify the responsibilities for preventive maintenance. Determine whether preventive maintenance is performed as prescribed, e.g., review preventive maintenance logs.

D. PHYSICAL SECURITY / ENVIRONMENTAL CONTROLS

NOTE: A negative response to any of the questions in sections D and E does not necessarily represent a significant control weakness. The environment should be evaluated as a whole and an overall determination made of its internal controls.

1. Determine that physical security policies and procedures are adequate by evaluating controls through interview and observation. Use the following audit steps/questions as a guideline in determining adequacy.
   a. Assure that there are written procedures in effect which prevent unauthorized persons from gaining access to computer facilities.
   b. Assure that authorized personnel are specifically defined in operation standards and/or procedures.
   c. Observe at several different times whether only authorized personnel are in the processing area.
   d. Determine whether the computer room facilities are restricted by the use of keys, badges or other automated security devices.
   e. Does the computer site have a ground floor location and possibly a showcase window?
   f. Is the computer site below ground level?
   g. Is the air conditioning outside-air intake at ground level?
   h. Is direct access into the computer site possible from the outside or through a public hallway?
   i. Are keys to cabinets, equipment rooms, and wiring closets held under proper custody?
   j. Are all telecommunication line junction points (wiring and router closets, etc.) secured to prevent tampering?
   k. Is the computer center subject to catastrophic mishap (e.g., aircraft collision)?
2. The adequacy of fire protection systems should be determined by using the following issues as a guideline.
   a. Clear and adequate fire instructions should be posted in strategic locations.
   b. Fire alarm pull boxes and emergency power switches should be clearly visible and unobstructed.
   c. The computer room should have an automatic fire extinguishing system which should be tested periodically by the manufacturer or service representative.
   d. The fire detection system should detect smoke, excessive heat or combustible fumes.
   e. The detectors should be located in the ceiling air ducts and beneath the raised flooring. Detectors should be tested frequently and protected by a backup power supply.
   f. When the fire alarm is activated, it should sound outside the computer room area at a guard station and a local fire station or emergency control center. Data Center personnel should be able to identify the sound of the fire alarm.
   g. What are the exposures to flooding? Would a burst pipe or rising river cause damage?
   h. The computer room should be kept clean at all times.
3. The environmental equipment and controls should be adequate to protect the computer hardware from damage. Use the following areas as a guideline in determining adequacy.
   a. Ventilation and air conditioning should be adequate to maintain the appropriate temperature level specified by the manufacturer.
   b. Recording thermometers and humidity indicators should be located so the readings can be obtained easily. These instruments should be monitored on a routine basis by a trained person.
   c. The hardware should automatically shut down to protect itself from damage if unacceptable temperatures are reached.
   d. The computer equipment should be subject to periodic maintenance, cleaning and inspection, and a record kept of such.
   e. The computer room ceiling should be adequately constructed to prevent water from entering the computer room.
   f. Overhead water and steam pipes should be avoided.
   g. Adequate drainage should be provided.
   h. An independent air conditioning system with a backup power supply should be installed.
E. BACKUP
1. Determine that system and data file backup procedures are adequate to minimize recovery time and/or loss of data.
2. Determine whether backups are maintained offsite.
3. Identify the backup power supplies/equipment relating to the following areas:
   a. Emergency backup lights
   b. Computer systems
4. Determine whether the backup power is of adequate size to power all equipment relying on it, including those not within the scope of this audit.
