Data Center Operations Core

UC Core Audit Program: Data Center Operations & OS Software

Posted 21-Aug-2015 (Category: Technology)

I. Audit Approach

As an element of the University’s core business functions, Data Center Operations will be audited every three years using a risk-based approach. IT Data Center Operations is usually responsible for the management, physical controls, and processing of production IT systems. The Data Center is also normally responsible for the installation and maintenance of the operating systems on the computers used to process production IT systems.

The minimum requirements set forth in the “general overview and risk assessment” section below must be completed for the audit to qualify for core audit coverage. Following completion of the general overview and risk assessment, the auditor should use their professional judgment to select areas for additional focus and audit testing.

II. General Overview and Risk Assessment (70 hrs – 23%)

The general overview will include interviews of department management and key personnel; evaluation of policies and procedures associated with business processes and mission; inventory of compliance requirements; consideration of key operational aspects; and an assessment of the information systems environment. Prior audits should be reviewed to determine impact, if any. During the overview, a general understanding of the management structure, compliance requirements, financial issues, daily and routine operations, and efficiency and effectiveness of the operation will be obtained (or updated).

As needed, the general overview will incorporate the use of internal control questionnaires, process flowcharts, and the examination of how documents are handled for key processes.

A. The following table summarizes audit objectives and corresponding high-level risks to be considered during the general overview.

Audit Objective:

Obtain an understanding of the significant processes and practices employed in implementing and supporting the Data Center operations, specifically addressing the following components:

- Management philosophy, operating style, and risk assessment practices, including:
  o Awareness of and compliance with applicable laws, regulations and policies
  o Planning and management of Data Center Operations financial resources
  o Efficient and effective operations
- Organizational structure, governance, and delegations of authority and responsibility
- Positions of accountability for financial and operational results
- Process strengths (best practices), weaknesses, and mitigating controls

Areas of Risk:

- Data Center management systems may be ineffective and inefficient due to misalignment with their mission and incapable of meeting the business objectives
- Organizational structure may be inappropriate for achieving business objectives
- Lack of accountability could also lead to improper segregation of duties
- Internal controls could be assessed as not reliable where process weaknesses are substantial
- Information systems, applications, databases, and limited electronic interfaces may be inappropriate for achieving the business objectives
- Operating systems may not be properly configured or maintained (patched), resulting in insecure systems

document.doc, April 18, 2023, JDHJr Page 1 of 8

B. The following procedures should be considered as part of the General Overview whenever the core audit is conducted.

General Control Environment

1. Interview the department director and key managers to identify and assess their philosophy and operating style, regular channels of communication, and risk assessment processes.

2. Obtain the department’s organization chart, delegations of authority, and management reports.

3. Interview select staff members to obtain the staff perspective. During all interviews, solicit input on concerns or areas of risk.

4. Evaluate the adequacy of the organizational structure and reporting processes to assure the proper accountability of the data center’s operations.

5. If the organizational structure and various reporting processes do not appear adequate, consider alternative structures or reporting. Comparison to corresponding departments at other locations may provide value.

Business Processes

6. For the Data Center, identify the key department activities and controls. Gain an understanding of the corresponding processes and positions of responsibility. The data center’s responsibilities usually include:

a. Processing controls, including batch controls, the use of control totals, and input/output controls

b. Security of the data center including physical security and controls, and environmental controls

c. System software operations, including the controls that separate system programming from application programming and database operations

d. Administrative planning and support, including capacity planning, preventive maintenance and insurance.


e. Backup and recovery processes, including routine backups and storage, and recovery planning and testing.

7. For financial systems, such as the recharge system, identify positions with responsibility for initiating, reviewing, approving, and reconciling financial transactions. Gain an understanding of the processes by examining flowcharts or narratives, identifying process strengths, weaknesses, and mitigating controls.

8. Evaluate processes for adequate separation of responsibilities or proper management review. Evaluate the adequacy of the processes to provide reasonable assurance that University/Lab resources are properly safeguarded.

9. Evaluate the adequacy of the operations practices to provide for availability, integrity, and confidentiality of the University/Lab information resources.

10. Develop detailed test objectives and procedures, and conduct detailed testing with specific test criteria.
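Item 6(a) above names batch processing controls, control totals and input/output controls as a core data center responsibility. The following Python is an added worked example (it is not part of the UC audit program) of the control-total check an auditor would expect to see run on a batch before and after processing: the record layout (a `D` detail record carrying an account number and an amount, a `T` trailer carrying the expected record count, amount total and hash total) and every sample batch are constructed for illustration and are not a University format. It also shows the limit of arithmetic control totals: a compensating change across two records passes all three, which is why the check is paired with a cryptographic digest of the detail records that must match the one recorded by the sending system.

```python
"""Batch control-total verification (added example; record layout is assumed).

Records are comma separated:
  D,<account>,<amount>                  one detail record per transaction
  T,<count>,<amount_total>,<hash_total> trailer written by the sending system
"""
import hashlib
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class BatchResult:
    ok: bool
    problems: tuple


def _parse(batch: str):
    """Split a batch into its detail records and trailer, rejecting unknown types."""
    details = []
    trailer = None
    for lineno, raw in enumerate(batch.strip().splitlines(), 1):
        fields = raw.strip().split(",")
        if fields[0] == "D" and len(fields) == 3:
            details.append((fields[1], Decimal(fields[2])))
        elif fields[0] == "T" and len(fields) == 4:
            trailer = (int(fields[1]), Decimal(fields[2]), int(fields[3]))
        else:
            raise ValueError(f"line {lineno}: malformed record {raw!r}")
    return details, trailer


def verify_batch(batch: str) -> BatchResult:
    """Recompute the three classic control totals and compare with the trailer."""
    details, trailer = _parse(batch)
    if trailer is None:
        return BatchResult(False, ("missing trailer record",))
    exp_count, exp_amount, exp_hash = trailer

    count = len(details)
    # Decimal, not float: binary rounding would produce false mismatches.
    amount = sum((amt for _, amt in details), Decimal("0"))
    # Hash total: arithmetic sum of a non-financial field (account numbers).
    # It catches a substituted account even when the amount total still agrees.
    hash_total = sum(int(acct) for acct, _ in details)

    problems = []
    if count != exp_count:
        problems.append(f"record count {count} != trailer {exp_count}")
    if amount != exp_amount:
        problems.append(f"amount total {amount} != trailer {exp_amount}")
    if hash_total != exp_hash:
        problems.append(f"hash total {hash_total} != trailer {exp_hash}")
    return BatchResult(not problems, tuple(problems))


def detail_digest(batch: str) -> str:
    """SHA-256 over the canonical detail records (trailer excluded).

    Arithmetic totals cannot see two edits that cancel out; a digest recorded
    by the sending system and re-checked after processing can.
    """
    details, _ = _parse(batch)
    canonical = "\n".join(f"D,{acct},{amt}" for acct, amt in details)
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed sample batches (not real data).
GOOD_BATCH = """
D,1001,250.00
D,1002,75.50
D,1003,1200.00
T,3,1525.50,3006
"""

# Same trailer, but the second detail record was lost in transfer.
DROPPED_BATCH = """
D,1001,250.00
D,1003,1200.00
T,3,1525.50,3006
"""

# Same trailer; 10.00 moved from account 1002 to 1001. Every control total
# still agrees, so only the digest exposes the change.
COMPENSATED_BATCH = """
D,1001,260.00
D,1002,65.50
D,1003,1200.00
T,3,1525.50,3006
"""

if __name__ == "__main__":
    for name, b in [("good", GOOD_BATCH), ("dropped", DROPPED_BATCH),
                    ("compensated", COMPENSATED_BATCH)]:
        r = verify_batch(b)
        print(f"{name:12s} totals ok={r.ok} {list(r.problems)}")
        print(f"{'':12s} digest matches source: "
              f"{detail_digest(b) == detail_digest(GOOD_BATCH)}")
```

Run as a script, the dropped batch fails all three totals, while the compensated batch passes them and is caught only by the digest comparison. The point for the audit is that control totals establish completeness and accuracy of transfer, not integrity against a colluding insider; the digest recorded at the source, or a reconciliation back to the originating system, covers that gap.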

Information Systems

11. Interview department personnel to identify department information systems, including monitoring systems, escalation systems, command and control systems, notification systems and any other systems used to process the data center’s information.

12. Review systems documentation, logs, and other documentation as needed to gain an understanding of the data center’s information processes.

13. Review management’s monitoring and supervision of the data center operations.

14. Develop detailed test objectives and procedures, and conduct detailed testing with specific test criteria.

C. Following completion of the general overview steps outlined above, a high-level risk assessment should be performed and documented in a standardized working paper (e.g., a risk and controls matrix). To the extent necessary, as determined by the auditor, this risk assessment may address aspects of other areas outlined below (financial reporting, compliance, operational efficiency and effectiveness, and information systems). In addition to the evaluations conducted in the general objectives section, the risk assessment should consider the following: annual expenditures, time since last review, recent audit findings, organizational change, regulatory requirements, etc.


III. Financial (20 hrs – 7%)

A. The following table summarizes audit objectives and corresponding high-level risks regarding financial management processes.

Audit Objective:

Evaluate the adequacy of financial resources and appropriate financial planning consistent with the objectives of the Data Center. Include the following components:

- Compliance with the budgeting and approval process for funding major equipment upgrades and replacement
- Recharges for Data Center services are consistent and appropriate
- Recharge rates are documented and approved
- IT governance appropriate for adequate consideration of financial needs
- Evaluate the cost benefit of lease vs. buy of capital assets
- Evaluate the cost benefit of software purchases

Areas of Risk:

- Servers and IT equipment may be acquired that are inadequate for the needs of the Data Center’s customers
- Acquisitions of IT equipment may be made that have not been through the budget and approval process
- Funding shortages may prevent the Data Center from achieving its business objectives
- Funding may be used to purchase resources that are inappropriate for the intended purposes
- Purchase versus lease decisions may be flawed due to incorrect financial assumptions
- IT governance may not provide adequate consideration of financial needs

B. The following procedures should be considered as part of the financial review whenever the core audit is conducted.

1. Identify all financial processes used by the department. Review recent financial reports or other operational financial information.

2. Identify budgetary processes used by the department. Obtain and review recent budgetary reports.

3. Document through spreadsheets, narratives, or flowcharts the budget and recharge costing practices (i.e., actual vs. standard costs; capitalization).

4. Gain an understanding of the different methods used to monitor department funds, and budget variances.

5. Identify the process for classifying costs as either direct charges or overhead charges. Gain an understanding of the overhead rate calculation and review process.

6. Determine if the department is funded sufficiently to adequately provide the services at an appropriate level.


7. Determine if the financial processes used are appropriate to provide management both inside and outside the department with the proper information.

IV. Compliance (60 hrs – 20%)

A. The following table summarizes audit objectives and corresponding high-level risks regarding compliance with policies and procedures, and regulatory requirements.

Audit Objective:

Evaluate compliance with the following requirements:

- UCOP Policies:
  o IS-3
  o IS-10
  o Other Business and Financial Bulletins and other University policies
  o Electronic communications policy
- Applicable State and Federal laws and regulations, including:
  o FERPA
  o Gramm-Leach-Bliley (GLBA)
  o HIPAA
  o SB 1392
- Evaluate adequacy of, and compliance with, local policies, standards, and guidelines

Areas of Risk:

- Non-compliance could result in fines, penalties, and sanctions
- Poor security or poor performance resulting from a lack of adequate policy guidance
- Delegations of authority may be inappropriate
- Non-compliance of local processes with University requirements may negatively impact the reliability and security of the systems

B. The following procedures should be considered as part of the Compliance review whenever the core audit is conducted.

1. Obtain an understanding of all applicable state or federal regulations.

2. Determine whether state or federal regulations apply to application development and review for compliance (e.g., HIPAA, FERPA, SB 1392, GLBA).

3. Validate compliance with applicable state or federal regulations.

4. Obtain an understanding of all applicable University Office of the President and Campus/Lab policies.

5. Determine whether any University Office of the President and Campus/Lab policies apply to the application development process (e.g., IS-3, IS-10, etc.).

6. Validate compliance with applicable University Office of the President and Campus/Lab policies.


V. Operational Effectiveness and Efficiency (50 hrs – 17%)

A. The following table summarizes audit objectives and corresponding high-level risks regarding operational effectiveness and efficiency.

Audit Objective:

Evaluate the adequacy of operational effectiveness and efficiency consistent with the objectives of Data Center Management. Include the following components:

- Appropriate investment in human resources and equipment
- Adequacy of Data Center personnel for skill and training
- Self-evaluation and improvement process
- Personnel management
- Specialization of work: centralized vs. decentralized
- Appropriate management of contracts
- Software and equipment change review and approval processes
- Patch vs. permanent fix for problems
- Process for evaluating the need for new and/or upgraded hardware, software, and facilities

Areas of Risk:

- Operational effectiveness and efficiency could be compromised due to poor system performance
- Lack of proper planning could allow a condition of inadequate capacity to develop
- Self-evaluation and improvement processes may not be aligned with the directives of management
- Service levels may not satisfy the needs/requirements of the Data Center and its customers
- Paying more for services when less expensive alternatives are available

B. The following procedures should be considered as part of Operational Effectiveness and Efficiency review whenever the core audit is conducted.

1. Evaluate the appropriateness of the mix of employees and contractors.

2. Determine whether, when contractors are used, adequate knowledge transfer is performed prior to termination of contracts.

3. Evaluate the use of specialists/subject matter experts in areas where appropriate in-house expertise does not exist.

4. Review relevant strategic plans to determine whether major system changes are planned.

5. Evaluate the cost benefit of lease vs. buy of equipment.

6. Determine if root cause analyses are performed for system problems. Evaluate whether symptoms of problems are addressed or if system fixes resolve the root of the problem.

7. Review service level agreements for adequacy of coverage. Determine if historical performance has been adequate and in accordance with service level agreement.


8. Determine if timelines appear adequate to address new system objectives. Review any project plans to ensure data center milestones are identified and adequately budgeted for time and resources.

VI. Information and Communication (100 hrs – 33%)

A. The following table summarizes audit objectives and corresponding high-level risks regarding daily and routine operations processes.

Audit Objective:

Evaluate the following routine operational activities regarding processing, application and system recovery, and system interface performance:

- Logging, maintenance, and monitoring review of operational (daily computer processing) work
- Output controls and distribution
- Scheduling, preparing, and running assigned processes
- Incident handling, escalation and reporting as it pertains to recovery processes, hardware, software, or any operational failure
- Work order process for assigning and monitoring non-operational work
- Process to communicate to management and users hardware and software system updates and changes prior to implementation
- Process to communicate to management and users any emergency hardware or software changes
- Process to communicate to management and users the status of all systems

Areas of Risk:

- Development and implementation of daily processes for Data Center Operations may be inappropriate for achieving the management objectives
- Recovery processes may be too complicated for operational purposes and, therefore, not used
- Output may be inappropriately distributed, resulting in inefficiencies and possible compromise of sensitive data
- Monitoring may not achieve the results originally intended due to a lack of proper traffic monitoring tools
- Lack of standard procedures for logging, maintenance, and review of operational reports may make the processes ineffective
- Improperly defined backup procedures and standards may result in unrecoverable data
- Non-operational work may not be done properly or on a timely basis
- Management and users may be unprepared for system changes

B. The following procedures should be considered as part of the Information and Communication review whenever the core audit is conducted:


1. Evaluate the monitoring of the logging, maintenance of the daily computer processing.

2. Determine the controls and communications used to assure proper delivery of processed output. Give attention to any sensitive forms used, such as checks.

3. Gain an understanding of the process to communicate system software and hardware changes to users and management. Evaluate the adequacy of the communication.

4. Determine the procedure for escalating problems to appropriate levels of management. Review the documentation of recent problems that had been escalated and evaluate the timeliness and adequacy of the process.

5. Determine if root cause analyses are performed for system problems. Evaluate whether symptoms of problems are addressed or if system fixes resolve the root of the problem.

6. Review service level agreements for adequacy of coverage. Determine the process to communicate status of the systems (up time percent) to users. Determine if the process to gather the status will likely provide accurate information. Determine if historical performance has been adequate and in accordance with service level agreement.

7. Identify the process to declare a disaster including who must make that decision.

8. Gain an understanding of how all the data center staff receive information regarding a disaster and how they receive their instructions for any alternate processing locations to which they must report.

9. Evaluate the systems programmers’ sources of information on fixes, patches and other known causes of failure. Determine how they evaluate these repairs and the process used to apply the fixes.
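Procedure 6 above asks the auditor to determine whether the process that gathers system status (up-time percent) will likely provide accurate information and whether historical performance met the service level agreement. The following Python is an added worked example (it is not from the UC audit program) of recomputing availability from the raw outage record rather than accepting the reported figure, and of one concrete way the collection process can mislead: all dates, outages, maintenance windows and the 5-minute polling interval are constructed for illustration, and the convention of excluding scheduled maintenance from both the downtime and the measured period is an assumption about the SLA, not something the audit program states.

```python
"""Availability recomputation for an SLA review (added example; data constructed).

Two questions an auditor can answer from the raw outage record:
  1. What was availability over the period, with and without the SLA's
     maintenance exclusion?
  2. Would the data center's own status collection have seen every outage?
"""
from datetime import datetime, timedelta

# Intervals are half-open [start, end) pairs of datetimes.


def _merge(intervals):
    """Merge overlapping or touching intervals so no minute is counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def _overlap(a, b) -> timedelta:
    """Length of the intersection of two intervals (zero if disjoint)."""
    start = max(a[0], b[0])
    end = min(a[1], b[1])
    return max(end - start, timedelta(0))


def raw_downtime(window, outages) -> timedelta:
    """Total outage time inside the reporting window, nothing excluded."""
    return sum((_overlap(window, o) for o in _merge(outages)), timedelta(0))


def availability_pct(window, outages, maintenance=()) -> float:
    """Availability with scheduled maintenance removed from both the downtime
    and the measured period (assumed SLA convention)."""
    maint = _merge(maintenance)
    measured = (window[1] - window[0]) - sum(
        (_overlap(window, m) for m in maint), timedelta(0))
    down = timedelta(0)
    for outage in _merge(outages):
        clipped = (max(outage[0], window[0]), min(outage[1], window[1]))
        if clipped[0] >= clipped[1]:
            continue  # outage lies entirely outside the window
        in_maint = sum((_overlap(clipped, m) for m in maint), timedelta(0))
        down += (clipped[1] - clipped[0]) - in_maint
    return 100.0 * (1.0 - down / measured)


def polled_downtime(window, outages, poll_every: timedelta) -> timedelta:
    """Downtime as a status poller sampling every `poll_every` would report it.

    Each sample that lands inside an outage is charged one interval; an outage
    shorter than the interval can fall between two samples and vanish.
    """
    merged = _merge(outages)
    seen = timedelta(0)
    t = window[0]
    while t < window[1]:
        if any(s <= t < e for s, e in merged):
            seen += poll_every
        t += poll_every
    return seen


# Constructed reporting week and outage record (not real data).
WINDOW = (datetime(2023, 4, 1), datetime(2023, 4, 8))
OUTAGES = [
    (datetime(2023, 4, 2, 10, 1), datetime(2023, 4, 2, 10, 4)),   # 3-minute blip
    (datetime(2023, 4, 4, 2, 0), datetime(2023, 4, 4, 3, 30)),    # inside maintenance
    (datetime(2023, 4, 6, 14, 0), datetime(2023, 4, 6, 14, 50)),  # two overlapping
    (datetime(2023, 4, 6, 14, 30), datetime(2023, 4, 6, 15, 0)),  #   tickets, 60 min
]
MAINTENANCE = [(datetime(2023, 4, 4, 2, 0), datetime(2023, 4, 4, 4, 0))]
POLL = timedelta(minutes=5)

if __name__ == "__main__":
    print("raw downtime:            ", raw_downtime(WINDOW, OUTAGES))
    print("seen by 5-minute poller: ", polled_downtime(WINDOW, OUTAGES, POLL))
    print("availability, no exclusion: %.3f%%" % availability_pct(WINDOW, OUTAGES))
    print("availability, SLA basis:    %.3f%%"
          % availability_pct(WINDOW, OUTAGES, MAINTENANCE))
```

Run against the constructed week, the 5-minute poller reports 150 minutes of downtime against 153 minutes actually logged because the 3-minute outage fell between two samples; the recomputed availability is 98.48% on a raw basis and 99.37% once maintenance is excluded. For the audit, the two figures to compare with the reported up-time percent are the ones recomputed from incident tickets, and the polling interval of the status tool should be shorter than the outages the SLA is meant to count.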
