                               UC Core Audit Program
                        Data Center Operations & OS Software
  I.   Audit Approach

       As an element of the University’s core business functions, Data Center Operations will be
       audited every three years using a risk based approach. IT Data Center Operations is
       usually responsible for the management, physical controls, and processing of production
       IT systems. The Data Center is also normally responsible for the installation and
       maintenance of the operating systems for the computers used to process production IT
       systems.

       The minimum requirements set forth in the “general overview and risk assessment”
       section below must be completed for the audit to qualify for core audit coverage.
       Following completion of the general overview and risk assessment, the auditor should use
       their professional judgment to select areas for additional focus and audit testing.

 II.   General Overview and Risk Assessment (70 hrs – 23%)

       The general overview will include interviews of department management and key
       personnel; evaluation of policies and procedures associated with business processes and
       mission; inventory of compliance requirements; consideration of key operational aspects;
       and an assessment of the information systems environment. Prior audits should be
       reviewed to determine impact, if any. During the overview, a general understanding of
       the management structure, compliance requirements, financial issues, daily and routine
       operations, and efficiency and effectiveness of the operation will be obtained (or
       updated).

       As needed, the general overview will incorporate the use of internal control
       questionnaires, process flowcharts, and the examination of how documents are handled
       for key processes.

        A.   The following table summarizes audit objectives and corresponding high-level risks
             to be considered during the general overview.

                       Audit Objective

        Obtain an understanding of significant processes and practices employed in
        implementing and supporting the Data Center operations, specifically addressing
        the following components:
             • Management philosophy, operating style, and risk assessment practices
               including:
                 o Awareness of and compliance with applicable laws, regulations and
                   policies
                 o Planning and management of Data Center Operations financial
                   resources
                 o Efficient and effective operations
             • Organizational structure, governance and delegations of authority and
               responsibility
             • Positions of accountability for financial and operational results
             • Process strengths (best practices), weaknesses, and mitigating controls

                       Areas of Risk

             • Data Center management systems may be ineffective and inefficient due to
               misalignment with their mission and not capable of meeting the business
               objectives
             • Organizational structure may be inappropriate for achieving business
               objectives
             • Lack of accountability could also lead to improper segregation of duties
             • Internal controls could be assessed as not reliable where process
               weaknesses are substantial
             • Information systems, applications, database, and limited electronic
               interfaces may be inappropriate for achieving the business objectives
             • Operating systems may not be properly configured or maintained (patched),
               thus resulting in insecure systems.

fe3a858a-6b93-49cf-9944-093185950ef4.doc, December 16, 2011, JDHJr                Page 1 of 8

        B.   The following procedures should be considered as part of the General Overview
             whenever the core audit is conducted.

       General Control Environment

               1. Interview the department director and key managers to identify and assess
                  their philosophy and operating style, regular channels of communication, and
                  risk assessment processes.
               2. Obtain the department’s organization chart, delegations of authority, and
                  management reports.
               3. Interview select staff members to obtain the staff perspective. During all
                  interviews, solicit input on concerns or areas of risk.
               4. Evaluate the adequacy of the organizational structure and reporting processes
                  to assure the proper accountability of the data center’s operations.
               5. If the organizational structure and various reporting processes do not appear
                  adequate, consider alternative structures or reporting. Comparison to
                  corresponding departments at other locations may provide value.

               Business Processes

               6. For the Data Center, identify the key department activities and controls. Gain
                  an understanding of the corresponding processes, and positions of
                  responsibilities. The data center’s responsibilities usually include:
                      a. Processing controls, including batch, the use of control totals, and
                          input output controls
                      b. Security of the data center including physical security and controls, and
                          environmental controls
                      c. System software operations, including the controls to separate system
                          programming from application programming and data base operations



                       d. Administrative planning and support including capacity planning,
                           preventative maintenance and insurance.
                       e. Backup and Recovery processes including routine backups and storage
                           and recovery planning and testing.
               7. For financial systems, such as the recharge system, identify positions with
                   responsibility for initiating, reviewing, approving, and reconciling financial
                   transactions. Gain an understanding of processes by examining flowchart or
                   narratives identifying process strengths, weaknesses, and mitigating controls.
               8. Evaluate processes for adequate separation of responsibilities or proper
                   management review. Evaluate the adequacy of the processes to provide
                   reasonable assurance that University/Lab resources are properly safeguarded.
               9. Evaluate the adequacy of the operations practices to provide for availability,
                   integrity, and confidentiality of the University/Lab information resources.
               10. Develop detailed test objectives and procedures, and conduct detailed testing
                   with specific test criteria.

               Information Systems

               11. Interview department personnel to identify department information systems,
                   including monitoring systems, escalation systems, command and control
                   systems, notification systems and any other systems used to process the data
                   center’s information.
               12. Review systems documentation, logs and other documentation, as needed, to
                   gain an understanding of the data center’s information processes.
               13. Review management’s monitoring and supervision of the data center
                   operations.
               14. Develop detailed test objectives and procedures, and conduct detailed testing
                   with specific test criteria.

        C.   Following completion of the general overview steps outlined above, a high-level
             risk assessment should be performed and documented in a standardized working
             paper (e.g., a risk and controls matrix). To the extent necessary, as determined by
             the auditor, this risk assessment may address aspects of other areas outlined below
             (financial reporting; compliance; operational efficiency and effectiveness; and
             information systems). In addition to the evaluations conducted in the general
             objectives section, the risk assessment should consider the following: annual
             expenditures; time since last review; recent audit findings; organizational change;
             regulatory requirements; etc.





III.   Financial (20 hrs – 7%)

        A.   The following table summarizes audit objectives and corresponding high-level risks
             regarding financial management processes.

                       Audit Objective

        Evaluate the adequacy of financial resources, and appropriate financial planning
        consistent with the objectives of the Data Center. Include the following
        components:
             • Compliance with the budgeting and approval process for funding major
               equipment upgrades and replacements
             • Recharges for Data Center services are consistent and appropriate.
             • Recharge rates are documented and approved
             • IT governance appropriate for adequate consideration of financial needs
             • Evaluate the cost benefit of lease vs. buy of capital assets
             • Evaluate the cost benefit of software purchases

                       Areas of Risk

             • Servers and IT equipment may be acquired that are inadequate for the needs
               of its customers.
             • Acquisitions of IT equipment may be made that have not been through the
               budget and approval process.
             • Funding shortages may prevent the Data Center from achieving its business
               objective.
             • Funding may be used to purchase resources that were inappropriate for the
               intended purposes
             • Purchase versus lease decisions may be flawed due to incorrect financial
               assumptions
             • IT governance may not provide adequate consideration of the financial needs

        B.   The following procedures should be considered as part of the financial review
             whenever the core audit is conducted.
              1. Identify all financial processes used by the department. Review recent
                  financial reports or other operational financial information.
              2. Identify budgetary processes used by the department. Obtain and review
                  recent budgetary reports.
              3. Document through spreadsheets, narratives, or flowcharts the budget and
                  recharge costing practices (i.e., actual vs. standard costs; capitalization).
              4. Gain an understanding of the different methods used to monitor department
                  funds and budget variances.
              5. Identify the processes for classifying costs as either direct charges or overhead
                  charges. Gain an understanding of the overhead rate calculation and review
                  process.
              6. Determine if the department is funded sufficiently to adequately provide the
                  services at an appropriate level.


                7. Determine if the financial processes used are appropriate to provide
                   management both inside and outside the department with the proper
                   information.


IV.    Compliance (60 hrs – 20%)

        A.    The following table summarizes audit objectives and corresponding high-level risks
              regarding compliance with policies and procedures, and regulatory requirements.

                       Audit Objective

        Evaluate compliance with the following requirements:
             • UCOP Policies
                 o IS-3
                 o IS-10
                 o Other Business and Financial Bulletins and other University policies
                 o Electronic communications policy
             • Applicable State and Federal laws and regulations including:
                 o FERPA
                 o Gramm Leach Bliley (GLBA)
                 o HIPAA
                 o SB 1392
        Evaluate adequacy of and compliance with local policies, standards, and
        guidelines.

                       Areas of Risk

             • Non-compliance could result in fines, penalties, and sanctions
             • Poor security or poor performance from lack of adequate policy guidance.
             • Delegations of authority may be inappropriate.
             • Non-compliance of local processes with University requirements may
               negatively impact reliability and security of the systems.

        B.     The following procedures should be considered as part of the Compliance review
               whenever the core audit is conducted.
             1. Obtain an understanding of all applicable state or federal regulations.
             2. Determine whether state or federal regulations apply to application development
                and review for compliance (e.g., HIPAA, FERPA, SB 1392, GLBA).
             3. Validate compliance with applicable state or federal regulations.
             4. Obtain an understanding of all applicable University Office of the President and
                Campus/Lab policies.
             5. Determine whether any University Office of the President and Campus/Lab
                policies apply to the application development process (e.g., IS-3, IS-10, etc.).
             6. Validate compliance with applicable University Office of the President and
                Campus/Lab policies.





 V.    Operational Effectiveness and Efficiency (50 hrs – 17%)

        A.    The following table summarizes audit objectives and corresponding high-level risks
              regarding operational effectiveness and efficiency.

                       Audit Objective

        Evaluate the adequacy of operational effectiveness and efficiency consistent with
        the objectives of Data Center Management. Include the following components:
             • Appropriate investment in human resources and equipment
             • Adequacy of Data Center personnel for skill and training
             • Self evaluation and improvement process
             • Personnel management
             • Specialization of work – centralized vs. decentralized
             • Appropriate management of contracts
             • Software and equipment changes review and approval processes
             • Patch vs. permanent fix problems
             • Process in evaluating the needs for new and/or upgrades to hardware,
               software, and facilities

                       Areas of Risk

             • Operational effectiveness and efficiency could be compromised due to poor
               system performance
             • Lack of proper planning could allow the condition of inadequate capacity to
               develop
             • Self-evaluation and improvement processes may not be aligned with the
               directives of management
             • Service levels may not satisfy the needs/requirements of the Data Center and
               its customers
             • Paying more for services when less expensive alternatives are available.

        B.     The following procedures should be considered as part of Operational Effectiveness
               and Efficiency review whenever the core audit is conducted.
             1. Evaluate the appropriateness of the mix of employees and contractors.
             2. Determine whether, when contractors are used, adequate knowledge transfer is
                 performed prior to termination of contracts.
             3. Evaluate the use of specialists/subject matter experts in areas where appropriate
                 in-house expertise does not exist.
             4. Review relevant strategic plans to determine whether major system changes are
                 planned.
             5. Evaluate the cost benefit of lease vs. buy of equipment.
             6. Determine if root cause analyses are performed for system problems. Evaluate
                 whether symptoms of problems are addressed or if system fixes resolve the root of
                 the problem.


             7. Review service level agreements for adequacy of coverage. Determine if
                historical performance has been adequate and in accordance with service level
                agreement.
             8. Determine if timelines appear adequate to address new system objectives. Review
                any project plans to ensure data center milestones are identified and adequately
                budgeted for time and resources.

VI.      Information and Communication (100 hrs – 33%)

        A.    The following table summarizes audit objectives and corresponding high-level risks
              regarding daily and routine operations processes.

                       Audit Objective

        Evaluate the following routine operational activities regarding processing,
        applications and systems recovery, and system interfaces performance.
             • Logging, maintenance, and monitoring review of operational (daily computer
               processing) work.
             • Output controls and distribution
             • Scheduling, preparing, and running assigned processes
             • Incident handling, escalation and reporting as it pertains to recovery
               processes, hardware, software, or any operational failure
             • Work order process for assigning and monitoring non-operational work.
             • Process to communicate to management and users hardware and software
               system updates and changes prior to implementation.
             • Process to communicate to management and users any emergency hardware
               or software changes.
             • Process to communicate to management and users the status of all systems.

                       Areas of Risk

             • Development and implementation of daily processes for the Data Center
               Operations may be inappropriate for achieving the management objectives
             • Recovery processes may be too complicated for operational purposes and,
               therefore, not used
             • Output may be inappropriately distributed, resulting in inefficiencies and
               possible compromise of sensitive data
             • Lack of proper traffic monitoring tools may not achieve the results originally
               intended
             • Lack of standard procedures in logging, maintenance, and review of
               operational reports, making the processes ineffective
             • Improperly defined backup procedures and standards may result in
               unrecoverable data
             • Non-operations work may not be done properly or on a timely basis
             • Management and users may be unprepared for system changes




        B.   The following procedures should be considered as part of the Information and
             Communication review whenever the core audit is conducted:

               1. Evaluate the logging, maintenance, and monitoring of daily computer
                  processing.
               2. Determine the controls and communication used to assure proper delivery
                  of processed output. Give attention to any sensitive forms used, such as
                  checks.
               3. Gain an understanding of the process to communicate system software and
                  hardware changes to users and management. Evaluate the adequacy of the
                  communication.
               4. Determine the procedure for escalating problems to appropriate levels of
                  management. Review the documentation of recent problems that had been
                  escalated and evaluate the timeliness and adequacy of the process.
               5. Determine if root cause analyses are performed for system problems. Evaluate
                  whether symptoms of problems are addressed or if system fixes resolve the
                  root of the problem.
               6. Review service level agreements for adequacy of coverage. Determine the
                  process to communicate status of the systems (up time percent) to users.
                  Determine if the process to gather the status will likely provide accurate
                  information. Determine if historical performance has been adequate and in
                  accordance with service level agreement.
               7. Identify the process to declare a disaster including who must make that
                  decision.
               8. Gain an understanding of how all the data center staff receive information
                  regarding a disaster and how they receive their instructions for any alternate
                  processing locations to which they must report.
               9. Evaluate the systems programmers’ sources of information on fixes, patches and
                  other known causes of failure. Determine how they evaluate these repairs and
                  the process to apply the fixes.



