Data Center Operations Core


                               UC Core Audit Program
                            Internal Control Questionnaire
                        Data Center Operations and OS System
                               As of September 26, 2003

 I.     Computer Center Information

         a.    Organization in Charge of Computer Center
         b.    Location of Computer Center
         c.    Number of Computer Center Personnel
         d.    Number of Computers
         e.    Types of Computers in Use
         f.    Number of Computers on Unclassified Network
         g.    Number of Computers on Classified Network

II.     Documents to be Gathered During Course of Review

  1.     List of all organizations that have applications processing within the Computer
         Center, including points of contact
  2.     Computer Security Plan for the Computer Center
  3.     Copy of the Computer Center’s Disaster Recovery Plan
  4.     Copy of the Laboratory’s Computer Security Plan
  5.     Copy of the Laboratory’s Business Continuity Plan
  6.     Copy of the backup procedure currently being used in the Computer Center
  7.     Copy of the current Computer Center organizational chart
  8.     Copy of the job descriptions for Computer Center personnel
  9.     Copy of the network connections within the Computer Center
  10.    Copy of the Computer Center floor plans (include fire suppression, fire exits,
         sprinklers, emergency shut-offs, fire extinguishers, etc.)
  11.    Copy of Computer Center emergency plan
  12.    Copy of Incident Handling Procedures
  13.    Copy of Contracts with External Vendors




   d9841baf-21ef-42e6-ad63-14c9e55625da.doc, March 7, 2011, JDHJr                 Page 1 of 7


III.     Evaluation Sections

    1.0 General Controls

          a.    Is there a current Computer Security Plan for the Computer
                Center?
          b.    If yes, is it being followed?
          c.    Who is assigned responsibility for the Computer Security
                Plan?
          d.    Does the Computer Security Plan identify any weaknesses
                within the Computer Center?
          e.    If yes, is the Laboratory fixing the problem? Explain.
          f.    Does the Laboratory’s in-house programming support
                prevent systems from becoming obsolete?
          g.    Are background checks completed for appropriate
                personnel?
          h.    Has management done a threat analysis?

          i.    Does the Laboratory provide enough in-house programming
                support to prevent a backlog of programming effort from
                developing?
          j.    Has the Laboratory outsourced any of the Computer Center
                functions?
          k.    If yes, what functions, and where outsourced?
          l.    Does the Computer Center have any hardware or software
                purchased from vendors who continue to provide support
                including upgrades?
          m.    If yes, does the Laboratory have alternatives for obtaining
                the necessary support to continue to operate? Explain.
          n.    Is the contract with the vendor current, and does it address
                the service needs of the Laboratory?
          o.    If yes, could any wording within the contract be considered
                detrimental to the Laboratory? Explain.

    2.0 Physical Computer Center Access Controls

          a.    Is access to the Computer Center controlled so only
                authorized employees may enter?
                If yes, how is access controlled? Explain.
          b.    How many access points are normally used to enter the
                Computer Center?
          c.    How many entry points are there in the Computer Center?
                (Include fire doors, emergency doors, etc.)


      d.    Are the alarms for the emergency doors checked on a
            periodic basis?
      e.    If there is a sign-in log, is it checked periodically to verify
            access authorizations?
      f.    Is there a current listing of all Organizations that use the
            Computer Center?
      g.    Is there a current listing of all Organization contacts being
            maintained by the Computer Center?
      h.    Is there a current access list for the Computer Center?
      i.    Who is responsible for maintaining the access lists?
      j.    Who approves the additions to the access list?
      k.    Can visitors enter the Computer Center?
            If yes, what are the conditions under which the visitor may
            enter? Explain.
      l.    Can foreign visitors enter the Computer Center with an
            escort/without an escort?

3.0 Physical Controls

      a.    Do general emergency and detection procedures exist?
      b.    If yes, are they adequate?
      c.    Are there adequate heat and smoke alarms within the
            Computer Center?
      d.    Is the fire suppression system adequate for the size of the
            Computer Center?
      e.    Are there enough fire extinguishers throughout the Computer
            Center?
      f.    Are the heating, ventilation, and cooling (HVAC) systems
            adequate?
      g.    Does the Computer Center have a back-up air conditioning
            unit?
      h.    Are the emergency power and uninterruptible power supply
            (UPS) systems adequate?
      i.    Are the emergency power cut-off switches readily available?
      j.    Does the Computer Center have emergency lighting?
      k.    Is the designated backup system security administrator
            adequately trained?
      l.    Are there any direct dial-in capabilities to any of the
            computers in the Computer Center?
      m.    Are wiring closets locked?
      n.    Is access to sensitive documents such as Supervisor manuals
            and wiring diagrams limited?




4.0 Logical Security Controls

      a.    Has the initial (maiden) password for the system been changed?
      b.    Does the system force passwords to be changed periodically
            in conformity with established Computer Center computer
            security policies?
      c.    Are passwords masked when entered on the screen?
      d.    Does the screen session time out after a certain amount of
            inactivity?
      e.    Is the user ID suspended after successive invalid sign-on
            attempts?
      f.    Are concurrent sign-on sessions allowed?
      g.    Are the passwords 8 characters or more?
      h.    Are the passwords a combination of alpha, numeric, and
            special characters?
      i.    Has there been training for the users covering the proper
            handling of their password?

      j.    Does the Computer Center have both database administrators
            and system administrators working in the Production
            Environment?
      k.    Within the Production Environment, what is the role of the
            database administrators and system administrators?
      l.    From the list of current system users, are the access
            capabilities assigned to each reasonable?
      m.    Are there unapproved changes made to user access
            capabilities or user parameter settings?
      n.    Is the user access list updated on a periodic basis?
      o.    Is the file containing the user passwords encrypted?
      p.    Is the access to the file containing the user passwords
            reasonable?
      q.    How timely are terminations and changes of job assignments
            notifications given, so that changes can be made to the
            access lists?
      r.    Are the default system security parameter settings reasonable
            and do they conform to the Laboratory’s computer security
            policies?
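The password questions in 4.0 (items b, g and h) are mechanical enough to check with a script rather than by interview. The Python below is an added example of such a check and is not part of the questionnaire or of any UC audit tool: the 8-character minimum and the alpha/numeric/special mix are the questionnaire's own criteria, while the 90-day maximum age, the record layout and the user IDs are assumptions, since the questionnaire defers password aging to the Computer Center's own policy.

```python
"""Checks for questionnaire items 4.0 b, g and h.

Added example, not part of the questionnaire. The 8-character minimum and
the alpha/numeric/special mix are the questionnaire's own criteria; the
90-day maximum age, the record layout and the user IDs below are assumptions.
"""
from datetime import date
import string

MIN_LENGTH = 8                     # item g: passwords 8 characters or more
REVIEW_DATE = date(2003, 9, 26)    # the questionnaire's "as of" date


def complexity_findings(candidate: str) -> list:
    """Items g and h: return the criteria a candidate password fails.

    An empty list means the candidate meets the questionnaire's criteria.
    This runs at password-change time, before the password is stored, so
    the reviewer never needs cleartext passwords to verify the control.
    """
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in candidate):
        findings.append("no alphabetic character")
    if not any(c.isdigit() for c in candidate):
        findings.append("no numeric character")
    if not any(c in string.punctuation for c in candidate):
        findings.append("no special character")
    return findings


def is_expired(last_changed: date, today: date, max_age_days: int) -> bool:
    """Item b: True when the password is older than the policy's maximum age."""
    return (today - last_changed).days > max_age_days


def overdue_accounts(records: list, today: date, max_age_days: int) -> list:
    """Item b, applied to the user list: IDs whose password must be changed.

    Each record is (user_id, date_password_last_changed); the dates come
    from the system's security parameter report, not from the passwords.
    """
    return [user for user, last_changed in records
            if is_expired(last_changed, today, max_age_days)]


# Constructed sample records (not real accounts)
SAMPLE_RECORDS = [
    ("ops1", date(2003, 8, 1)),
    ("ops2", date(2003, 1, 15)),
    ("dba1", date(2003, 9, 20)),
]

if __name__ == "__main__":
    print("overdue:", overdue_accounts(SAMPLE_RECORDS, REVIEW_DATE, 90))
    for pw in ("Winter#2003", "password", "1234567"):
        print(repr(pw), "->", complexity_findings(pw) or "meets g and h")
```

The two functions deliberately stay separate: complexity is a property of a candidate password and belongs in the change routine, while age is a property of the account record and can be audited from the parameter report without ever handling the password itself (item o).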

5.0 Operating Controls

      a.    Is the Computer Center located in an appropriate place to
            provide effective and efficient support to its clients?
      b.    Are duties adequately segregated in the operating areas
            supporting the information system?

      c.    Is there a high turnover rate in the Computer Center?
      d.    Is there more than one shift that works in the Computer
            Center?
            If yes, how many shifts have been set up? For each shift, is
            staffing adequate to maintain a segregation of duties?
      e.    Are transactions authorized only by the originating
            department?
      f.    Do programmers have the capability to execute production
            programs?
      g.    Do programmers have the capability to change the
            production database?
      h.    Have there been any significant software problems with the
            system?
      i.    How often are the System Logs, Audit Logs, Exception
            Reports, and other control logs reviewed by Computer
            Center personnel?

      j.    Are exceptions such as reruns, machine failures, peripheral
            failures, etc., recorded for review by shift supervisors?
      k.    Is the log of system security related events assessed on a
            timely basis?
      l.    Are there numerous successive invalid sign-on attempts
            displayed on the log?
      m.    Are there numerous system restarts displayed on the log?
      n.    Is the system log reviewed on a periodic basis?
            By whom?
      o.    Have software problems been resolved in an adequate and
            timely manner?
      p.    Are the IS operations functioning in an efficient and
            effective manner to support the strategic objectives and
            business operations of the organization?
      q.    Are there current recovery plans for each application being
            run in the Computer Center?
      r.    Is hardware on a preventive maintenance schedule?
      s.    Is computer maintenance performed by in-house personnel?
            If not, who are the vendors providing maintenance?
      t.    If an outside vendor performs maintenance, is it completed
            according to the contract schedule?
      u.    Is there any virus detection software in use in the Computer
            Center?
      v.    Are the job schedules readily identified for each work shift?
      w.    Are there current production run manuals?
      x.    Are production jobs completed on a timely basis?


      y.    Are the production jobs completed accurately?
      z.    Are the production reports or files protected until distribution
            to users?
      aa.   Is distribution of production jobs completed on a timely
            basis?
      bb.   Are all the computers within the Computer Center on a
            network?
            If no, which ones?
      cc.   Are there any classified computers within the Computer
            Center?
            Assume the answer should be no. If yes, find out why.
      dd.   Is there any input of data into production applications
            performed by Computer Center personnel?
            If yes, which applications use Computer Center personnel?
      ee.   Is there an inventory of computer equipment? This would
            also include an inventory of significant obsolete equipment.
      ff.   Is lost or stolen equipment investigated?
      gg.   Are sensitive forms maintained in a safe place?
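Items i through n of 5.0 ask whether the logs are reviewed and whether they show numerous successive invalid sign-on attempts (l) or numerous system restarts (m). The Python below is an added example of such a review run over a few log lines, not part of the questionnaire or of any UC audit tool: the log line format, the user IDs and the thresholds (3 successive failures, 2 restarts) are assumptions, since the questionnaire leaves "numerous" and the log format to the Computer Center.

```python
"""Log review for questionnaire items 5.0 l and m.

Added example, not part of the questionnaire. The line format, the user
IDs and the thresholds are assumptions; a real review would use the
system's own audit log format and the Computer Center's policy values.
"""
import re
from collections import defaultdict

# Assumed format: "<date> <time> <EVENT>" with an optional " user=<id>".
LINE_RE = re.compile(r"^(\S+ \S+) (\S+)(?: user=(\S+))?$")

# Constructed sample log lines (not from any real system)
SAMPLE_LOG = """\
2003-09-25 08:01:12 LOGIN_FAIL user=ops2
2003-09-25 08:01:30 LOGIN_FAIL user=ops2
2003-09-25 08:01:55 LOGIN_FAIL user=ops2
2003-09-25 08:02:10 LOGIN_FAIL user=ops2
2003-09-25 08:15:00 LOGIN_OK user=ops1
2003-09-25 09:00:00 SYSTEM_RESTART
2003-09-25 09:10:00 LOGIN_FAIL user=dba1
2003-09-25 09:10:20 LOGIN_OK user=dba1
2003-09-25 14:30:00 SYSTEM_RESTART
2003-09-25 14:31:00 SYSTEM_RESTART
"""


def parse(log_text: str) -> list:
    """Return (timestamp, event, user) tuples; user is None for system events.

    Lines that do not match the assumed format are skipped; a production
    review would count and report them, since a gap in the log is itself
    a finding for item k.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def successive_failures(events: list, threshold: int = 3) -> dict:
    """Item l: users whose longest run of consecutive LOGIN_FAIL events
    reaches the threshold.

    A successful sign-on resets that user's run, so one failure followed
    by success (dba1 in the sample) is not reported. Users are tracked
    independently, so other users' events do not break a run.
    """
    run = defaultdict(int)
    longest = defaultdict(int)
    for _ts, event, user in events:
        if user is None:
            continue
        if event == "LOGIN_FAIL":
            run[user] += 1
            longest[user] = max(longest[user], run[user])
        elif event == "LOGIN_OK":
            run[user] = 0
    return {u: n for u, n in longest.items() if n >= threshold}


def restart_count(events: list) -> int:
    """Item m: number of SYSTEM_RESTART events in the reviewed period."""
    return sum(1 for _ts, event, _user in events if event == "SYSTEM_RESTART")


def review(log_text: str, fail_threshold: int = 3, restart_threshold: int = 2) -> dict:
    """Run both checks and flag what a shift supervisor should look at."""
    events = parse(log_text)
    restarts = restart_count(events)
    return {
        "successive_failures": successive_failures(events, fail_threshold),
        "restarts": restarts,
        "restarts_flagged": restarts >= restart_threshold,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, "=", value)
```

The "successive" semantics matter: counting total failures per user would flag an operator who mistypes once a day, while counting runs that a success never interrupts matches what item e in 4.0 expects the system itself to suspend on.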

6.0 Computer Center Library and Storage Management

      a.    Does the Computer Center maintain any of the following:
            Data Library, File Library, Tape Library.
      b.    Is access to all Libraries controlled?
      c.    Are there current procedures for removing tapes and storage
            media from the Library?
      d.    Is there a copy of the production applications in any Library?
            If yes, which one?
      e.    Is there a copy of the production databases in any Library?
            If yes, which one?
      f.    Is there a copy of the back-up files in any Library?
            If yes, which one?
      g.    Are any back-up files stored off-site?
            If yes, where?
      h.    Has the off-site location been evaluated for appropriateness? Has
            recovery of files from the off-site location been tested?
      i.    Are the procedures for making changes to production and
            system programs being enforced?
      j.    Is there a Change Control Tracking System being used to
            track all modifications to the production environment?
      k.    Are the changes tested in a test environment before being
            implemented into production?
      l.    Do requesters approve all changes prior to implementation?


      m.    Does someone other than the programmer place the modified
            programs into the production environment?
      n.    Is someone (or organization) responsible for maintaining
            compatibility within the production environment?
      o.    Are the labels for files and tapes standardized?
      p.    Is a periodic physical inventory performed of the Library
            contents?
      q.    Is the disposal of tapes, drives, and other media authorized,
            approved, and documented?

7.0 Disaster Recovery Planning and Business Continuity Planning

      a.    Is the formal Facility Disaster Recovery Plan adequate and
            effective?
      b.    Has there been mock disaster testing to evaluate the Facility
            Disaster Recovery Plan?
      c.    Are the backup procedures for system software and data
            adequate?
      d.    Are computers/servers backed up daily?
      e.    Are there formal recovery plans for the computer or
            facilities?
      f.    Is the insurance coverage over the hardware, operating
            system, application software, and data adequate?

      g.    Does the Laboratory/Campus have a current Business
            Continuity Plan which includes fully developed and tested
            backup and recovery procedures to help ensure uninterrupted
            business resumption in the event of a full or partial disaster?
      h.    Is the Business Continuity Plan communicated to all
            appropriate personnel?
      i.    Has the Business Continuity Plan been tested?
      j.    Is the BCP maintained and updated?



