This report is not for reproduction, publication or disclosure by any means to unauthorised persons.
FINAL
Internal Audit Report
Data Centre Operations and Security
Document Details:
Reference:
Report nos from monitoring spreadsheet/2013.14
Senior Manager, Internal Audit & Assurance:
ext. 6567
Engagement Manager:
Auditor:
Internal Audit Report – Data Centre Operations and Security
1. EXECUTIVE SUMMARY
1.1 INTRODUCTION
As part of the 2014/15 Internal Audit Plan an audit of the ‘Data centre operations and security’ was carried out.
The objective of this review is to evaluate the security of the data centre, in particular the following areas:
- data centre policies and procedures are defined, documented, and communicated for all key functions;
- Council systems are secured to prevent unauthorised access (including 3rd party access);
- access to the data centre is monitored and reviewed, and access rights are periodically reviewed;
- data is backed up from servers held at the civic data centre;
- data transferred off site is secured at all times and appropriate controls are in place to monitor the location of the data;
- environmental controls are present to protect the servers from fire, electrical and water damage;
- capacity for the data centre is adequate for the server rooms equipment and storage needs;
- environmental equipment is routinely maintained in line with manufacturer recommended schedules; and
- backup electricity supplies are in place to ensure systems and services are not affected in the event of a power outage.
1.2 OVERALL OPINION
The overall opinion of this review is ‘significant assurance’.
There are some areas that are appropriately managed and in line with acceptable good practice, including:
- A computer room policy has been developed and is reviewed on an annual basis;
- Backup schedules are in place and failed backups are monitored and actioned by ICT staff;
- An offsite location is used for storage of backup tapes; and
- Storage capacity for the data centre is considered adequate based on the plans of ICT.
However, we also identified a number of areas that require improvement, and have thus led to the ‘limited assurance’ rating:
- Failure to test restores of critical applications regularly;
- Lack of documented back up policy and procedures;
- Excessive computer room access;
- Lack of formalised computer room training as required by the computer room policy;
- Lack of a visitors register in the computer room, as required by the computer room policy;
- Lack of a fire suppression system; and
- The backup process is inefficient due to the increase of data over the last five years.
Recommendations 7 and 8 are included for completeness. Management have agreed a response to these recommendations in the Disaster Recovery audit report. These recommendations have not influenced the overall opinion.
Overall Audit Opinion
Full assurance: Full assurance that the system of internal control meets the organisation’s objectives and controls are consistently applied.
Significant assurance: Significant assurance that there is a generally sound system of control designed to meet the organisation’s objectives. However, some weaknesses in the design or inconsistent application of controls put the achievement of some objectives at some risk.
Limited assurance: Limited assurance as weaknesses in the design or inconsistent application of controls put the achievement of the organisation’s objectives at risk in some of the areas reviewed.
No assurance: No assurance can be given on the system of internal control as weaknesses in the design and/or operation of key control could result or have resulted in failure(s) to achieve the organisation’s objectives in the area(s) reviewed.
2. SUMMARY OF CONCLUSIONS
2.1 The conclusion for each control objective evaluated as part of this audit was as follows:
Control Objective (Assurance: Full / Significant / Limited / None)
CO1: data centre policies and procedures are defined, documented, and communicated for all key functions;
CO2: Council systems are secured to prevent unauthorised access (including 3rd party access);
CO3: access to the data centre is monitored and reviewed, and access rights are periodically reviewed;
CO4: data is backed up from servers held at the data centre;
CO5: data transferred off site is secured at all times and appropriate controls are in place to monitor the location of the data;
CO6: environmental controls are present to protect the servers from fire, electrical and water damage;
CO7: capacity for the data centre is adequate for the server rooms equipment and storage needs
CO8: environmental equipment is routinely maintained in line with manufacturer recommended schedules
CO9: backup electricity supplies are in place to ensure systems and services are not affected in the event of a power outage
2.2 The recommendations arising from the review are ranked according to their level of priority as detailed at the end of the report within the detailed audit findings. Recommendations are also colour coded according to their level of priority with the highest priorities highlighted in red, medium priorities in amber and lower priorities in green. In addition, the detailed audit findings include columns for the management response, the responsible officer and the time scale for implementation of all agreed recommendations.
2.3 Where high recommendations are made within this report it would be expected that they should be implemented within three months from the date of the report to ensure that the major areas of risk have either been resolved or that mitigating controls have been put in place and that medium and low recommendations will be implemented within six and nine months respectively.
3. LIMITATIONS REGARDING THE SCOPE OF THE AUDIT
The scope of our work will be limited to those areas outlined above.
4. ACKNOWLEDGEMENTS
5. DETAILED AUDIT FINDINGS
Columns: Ref. / Priority / Findings / Risk Arising/Consequence / Recommendation / Management Response / Responsibility and Timescale / Recommendation Implemented (Officer & Date)
CO1: Policies and Procedures
Ref. 1 (Priority: Low): Lack of Backup Policy and Procedures
Findings: On inspection of the Computer room policy, it was noted that the document does not contain any details on the backup policy and procedure. We accept that the off-site backup storage arrangements are detailed in the IT Disaster Recovery document.
Risk Arising/Consequence: In the absence of a documented backup policy and procedure, there is an increased risk that backups are not performed in line with ICT’s requirements. This may result in the loss of data, interruption of ICT services and operational difficulties.
Recommendation: We recommend that the Computer Room policy is expanded to include the backup cycle, backup transit and storage arrangements.
Management Response: The Computer Room Policy and description of the data back-up and restore service are given in two separate documents. These can be combined, giving the back-up and restore weight by placing it into policy.
Responsibility and Timescale: Service Operations Manager, End November 2014.
CO2: Access to the data centre
Ref. 2 (Priority: High): Excessive access to Computer Room
Findings: On inspection of the access list dated 14 August 2014, we noted that there are a total of 65 access cards that provide staff access to the County Hall computer room. Examples of these include the following:
- 20 temporary passes held by Reception;
- Senior Internal Auditor;
- Audit assistant;
- Two members of the applications team;
- One staff member from Adult Services & Health;
- One staff member from Children’s Services;
- Six temporary contractors; and
- One leaver who has not yet been removed.
We accept that part of the issue arises due to Reception issuing an ‘all hours all doors’ pass, which is out of the control of ICT.
Risk Arising/Consequence: Unauthorised/inappropriate physical access to the computer room may result in accidental or malicious damage to ICT equipment resulting in loss of data, interruption of ICT services and operational difficulties.
Recommendation: The access to all computer rooms should be restricted to and other who require access to perform their responsibilities. The access list should be reviewed by management on a regular basis to ensure that the access granted is valid. Proof of the review should be maintained.
Management Response: The current security group used within the Door Access Control System (Net2) to cover the computer rooms is also shared with other duty staff requiring access 'all hours, all doors'. This is inappropriate, as some staff will require open access to most areas, but not the computer areas. S&CA have already arranged with Facilities to create a dedicated access group for Computer rooms. This will be used for appropriate staff who require access to the computer rooms only. Access to the computer rooms will be removed from the 'all hours, all doors' group.
Responsibility and Timescale: Technical Services manager, end November 2014.
Ref. 3 (Priority: Medium): Computer Room Access Logging
Findings: The computer room policy states that ‘access to the central computer rooms must be logged. For regular staff this can be via the automated Access Control System, for other staff, this must be via an electronic or manual booking system administered centrally. The 'booking system' should show name of the person accessing the computer room, date and time from and until, reason for access and detail of work to be carried out’. We noted that there is no ‘booking system’ in place for visitors.
Risk Arising/Consequence: Unauthorised/inappropriate physical access to the computer room may result in accidental or malicious damage to ICT equipment resulting in loss of data, interruption of ICT services and operational difficulties.
Recommendation: Where non authorised staff require access to the computer room, they should be accompanied by a member of the ICT team and their access logged (utilising an access log form). The log should be reviewed by Management on a regular basis (monthly), to identify any unauthorised access.
Management Response: Agreed, S&CA will create a manual logging process that can be used to record access for individuals that do not have access rights to the computer room within their own responsibility. Will record:
- Date/time
- Who requires access
- Reason for access
Responsibility and Timescale: Technical Services manager, end November 2014.
Ref. 4 (Priority: Low): Computer Room Training
Findings: The computer room policy states that ‘access is granted once users have received training’. There is currently no proof of the training. We understand that the training is currently verbal and there is an intention for ICT to implement an online training course going forward.
Risk Arising/Consequence: A lack of training may result in staff not understanding the controls appropriate for the computer room. This may result in accidental or malicious damage to ICT equipment resulting in loss of data, interruption of ICT services and operational difficulties.
Recommendation: A formalised training programme should be developed, that includes details of the policies and procedures staff must follow, guidance on escalation and roles and responsibilities. Evidence of a formal training record should be maintained.
Management Response: S&CA are working in conjunction with Development and Training to derive an on-line Computer Room Access course to be completed by staff before being allowed access to the computer rooms.
Responsibility and Timescale: Service Operations Manager, and Development and Training, End December 2014.
CO3: Management review of data centre access
Ref. 5 (Priority: Medium): Access List Reviews
Findings: Access list reviews are performed on an ad-hoc basis. The last review was performed in February 2014. We noted that there are many users on the access list that should not have access to the computer room. See CO2 above for details. In addition there is no evidence of the access review.
Risk Arising/Consequence: Unauthorised/inappropriate physical access to the computer room may result in accidental or malicious damage to IT equipment resulting in loss of data, interruption of IT services and operational difficulties.
Recommendation: We recommend that computer room access lists are reviewed more formally on a regular basis, and proof of review is retained. As a minimum the recommended guidance is every 3 months.
Management Response: Agreed, this is good practice and will be scheduled within the team.
Responsibility and Timescale: Service Operations Manager, End November 2014.
CO4: Data is backed up
Ref. 6 (Priority: Medium): New Backup System
Findings: Netbackup, the backup system currently in use by the Council, was implemented five years ago. Since the implementation, there has been a 12% annual growth of the data that requires backup. The backup process has thus become very slow and inefficient. We understand that a budget for the implementation of a new backup system has already been approved and will form part of the commissioning process.
Risk Arising/Consequence: In the event that a disaster occurs and data is not appropriately backed up, inability to recover the data may result in critical business functions not being recovered in a timely, accurate and controlled fashion. This could result in the loss of data, interruption of ICT services and operational difficulties.
Recommendation: Implement a backup system that is scalable and therefore can cope with the level of data growth within the Council. This system should cope with the demands of Council and projected changes to occur.
Management Response: The review of the back-up process will be done by HP as the new Service Provider, in conjunction with S&CA, to achieve a solution that will be strategic for the needs of the Council and in line with HP support model going forward.
Responsibility and Timescale: Service Operations Manager, September 2015.
Ref. 7 (Priority: High): Key System restores
Findings: We noted that restores for key systems (SAP and Framework i) are not performed on a regular basis, and no restore documentation is retained. Refer to IT Disaster Recovery report, section ‘CO4: What testing is performed to validate IT Disaster Recovery, how the outcomes are reported and corrective actions implemented’, issue 5.
Risk Arising/Consequence: Refer to IT Disaster Recovery report
Recommendation: Management should develop a policy on how often restores will be performed and retain all supporting documentation
Management Response: Refer to IT Disaster Recovery report
Responsibility and Timescale: Refer to IT Disaster Recovery report
Recommendation Implemented (Officer & Date): Refer to IT Disaster Recovery report
CO6: Environmental controls are present to protect the servers
Ref. 8 (Priority: High): Fire suppression system
Findings: There is no fire suppression system in place. For more details, refer to IT Disaster Recovery report, section ‘CO3: Whether inclusion of end-to-end recovery processes and the identification of interfaces between dependent and feeder systems are understood within the ITDR Plan(s)’, issue 3.
Risk Arising/Consequence: Refer to IT Disaster Recovery report
Recommendation: Refer to IT Disaster Recovery report
Management Response: Refer to IT Disaster Recovery report
Responsibility and Timescale: Refer to IT Disaster Recovery report
Recommendation Implemented (Officer & Date): Refer to IT Disaster Recovery report
Key to Priorities:
High: This is essential to provide satisfactory control of serious risk(s)
Medium: This is important to provide satisfactory control of risk