Auditing in CIS Environment DISCUSSION16

1) Data center reviews evaluate administrative controls over data center resources and personnel to ensure proper planning, staffing, policies, responsibilities, budgets, reports, and performance metrics. 2) The scope of a review can include hardware, software, resource protection, access controls, operations, and network management depending on the size of the data center and operations staff. 3) The objectives are to identify audit risks in the operating environment and controls in place to reasonably mitigate those risks according to company management's intentions.

Uploaded by Yo Han Song

Subject: AUDITING IN CIS ENVIRONMENT

VIDEO DISCUSSION 16 Operation Management Part 2 Lesson 4 Part 4

Data Center Reviews

Data center and computer operations reviews are performed to evaluate the administrative controls over data center
resources and data processing personnel (computer operations, systems analysis, and programming personnel).

The scope of the review could include:

 an evaluation of the planning, staffing,
 policies/procedures,
 assignment of responsibilities,
 budgets,
 management reports,
 records, and
 performance measures in the following major areas of accountability: hardware management, software
management, resource protection and recovery, access controls, operations management, and
network/communications management.

A data center/computer operations audit may focus on any one of these accountabilities, or may include all of them
depending on the

 size of the data center,
 operations staff, and
 time budget.

For example, for a large data center with multiple computers and an extensive number of users, the data center review
may focus only on access controls and security administration.

For a small data center, the audit might include all of the accountabilities.

Objectives of data center audits are to identify

1. Audit risks in the operating environment; and,
2. The controls in place and functioning to reasonably mitigate those audit risks in accordance with the
intentions of the company’s management.

For each control objective, the auditor must

1. Evaluate control mechanisms; and,
2. Determine whether the objective has been achieved.

Pre-audit preparation is required for effective data center reviews. This includes meeting with IS management to
determine possible areas of concern.

At this meeting, the following information should be obtained:

 Current IT organization chart
 Current job descriptions for IT data center employees
 List of application software supported and the hardware on which it resides
 IT policy and procedures manual
 Systems planning documentation and fiscal budget
 Disaster recovery plan

Audit personnel should review the preceding information and become familiar with the way the data center provides
user services. In addition, auditors should become familiar with basic terminology and resource definition methodology
used in support of the operations environment. Engagement personnel should review the audit program and become
familiar with the areas assigned for the completion of an audit task.

Data Access Management

The following are typical audit program steps performed during a data center review.

Administration of IT Activities Audit Steps

1. Review the organization chart and evaluate the established procedures for adequacy in defining responsibilities in
the security administration area. Relevant general control: provision for general authorization over the
execution of transactions, e.g., prohibiting the IT department from initiating or authorizing transactions.
COBIT objective: position descriptions clearly delineate both authority and responsibility.
2. Determine who is responsible for control and administration of security. Verify that adequate security exists in
the security administration function. Relevant general control: prevents or detects deliberate or accidental errors
caused by improper use. COBIT objective: the information services function is in compliance with security
standards.
3. Determine whether adequate direction is maintained for each IT functional area within a policy and procedures
manual. Evaluate whether the manual is kept up to date by IT management. Relevant general control: written
manuals in support of systems and procedures. COBIT objective: operations staff have operations manuals
for all systems and processing within their responsibility.
4. Determine if written personnel policies for the IT administration personnel exist, and if these policies stress
adequate qualification and level of training and development.
5. Determine if long-range (two- to five-year) systems planning is maintained by IT management and is adequately
considered in the fiscal budgeting process.
6. Assess the adequacy of inventory procurement and control pertaining to the administration of the LAN
environment. Review available inventory documentation to determine if it is adequately maintained and complete
in description and location. Compare the serial numbers on the computer software with inventory records to
determine if illegal copies of system and application software are being supported.

Operating Systems Software and Data Audit Steps

1. Determine through interviews with data center personnel whether any significant modifications or upgrades
were implemented during this audit year. Review authorization documentation to ensure that adequate IT
management approval is obtained before the implementation.
2. Determine through interviews with the IT personnel the procedures implemented to ensure that adequate IT
management approval is obtained before the implementation.
3. Evaluate access restrictions over critical system operation areas.

Computer Operations/Business Resumption Audit Steps

1. Review the IT policies and procedures manual to determine if written operating instructions adequately
define recovery procedures in the event of processing disruption, shutdown and restart procedures,
procedures for restoration of file server data from backups, and procedures for reporting incidents.
2. Determine through interviews with IT personnel the use of tape management software or other mechanism
used to prevent the erasure of data.
3. Determine through interviews with IT personnel the rotation of tapes used in storing backup data. Determine
if adequate off-site storage facilities are used and that tapes are rotated to the facility daily.
4. Evaluate procedures in place to control inventory of tapes maintained both on- and off-site.
5. Determine through observation the physical security of the consoles supporting backup procedures. If the
console is not adequately secure, inquire as to the mechanisms used to prevent unauthorized tampering during
backup processing.
6. Determine through the observations of computer operations facility the use of security mechanisms to
provide access to authorized personnel only.
7. Evaluate procedures in place to monitor the activities of non-computer operations personnel having access to
the operations facility. Entry of unauthorized personnel should be supervised, and a log maintained and
regularly reviewed by IT management.
8. Determine through observation the installation and maintenance of an automated fire-suppression system,
water sensors below raised floors, installation of power conditioning units, and backup power supply.

Security Administration Audit Steps

1. Determine through interviews with IT personnel if a separate security administration function has been
established.
2. Determine through interviews with IT personnel, review of IT policies and procedures manuals, and IT job
descriptions if training programs have been established for all personnel for areas such as
 Organizational security policies
 Disclosure of sensitive data
 Access privileges to IT resources
 Reporting of security incidents
 Naming conventions for user passwords
3. Determine if formal policies define the organization’s information security objectives and the responsibilities
of employees with respect to the protection and disclosure of informational resources. Agreement to these
policies should be evidenced by the signature of employees.
4. Determine if procedures and responsibility for the maintenance of user IDs and access privileges in the case
of termination or transfer are defined and performed on a regular basis.
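As an added example of how step 4 can be tested (this is not code from the lecture or from any audit tool), the script below reconciles a constructed HR list of terminations and transfers against a constructed export of directory accounts and reports every action the directory has not yet reflected. The one-day removal window (`GRACE_DAYS`), the record layouts and all names and dates are assumptions made for the illustration.

```python
# Added example (not from the lecture): audit test for Security
# Administration step 4. It reconciles HR termination/transfer actions
# against an export of active directory accounts and lists exceptions.
# All records below are constructed sample data; the one-day removal
# window is an assumed standard, not one stated in the lecture.
from datetime import date, timedelta

# Constructed directory export: user ID, department, enabled flag, last login.
ACTIVE_ACCOUNTS = [
    {"uid": "jsmith", "dept": "Finance", "enabled": True, "last_login": date(2024, 5, 2)},
    {"uid": "mlee", "dept": "IT", "enabled": True, "last_login": date(2024, 5, 3)},
    {"uid": "rgomez", "dept": "Sales", "enabled": True, "last_login": date(2024, 4, 30)},
    {"uid": "akhan", "dept": "IT", "enabled": False, "last_login": date(2024, 3, 1)},
    {"uid": "tbrown", "dept": "Finance", "enabled": True, "last_login": date(2024, 5, 1)},
]

# Constructed HR personnel actions for the audit period.
HR_ACTIONS = [
    {"uid": "jsmith", "kind": "termination", "effective": date(2024, 4, 15), "new_dept": None},
    {"uid": "akhan", "kind": "termination", "effective": date(2024, 2, 28), "new_dept": None},
    {"uid": "rgomez", "kind": "transfer", "effective": date(2024, 4, 1), "new_dept": "Marketing"},
]

GRACE_DAYS = 1                  # assumed standard: access changed within one day of the action
AUDIT_DATE = date(2024, 5, 6)   # constructed "as of" date for the test


def find_access_exceptions(accounts, actions, as_of, grace_days=GRACE_DAYS):
    """Return one exception per HR action that the directory has not reflected.

    A termination is an exception while the account stays enabled; a transfer
    is an exception while the account still carries the old department.
    Each exception records how many days past the grace window it is and
    whether the account was used after the action date.
    """
    by_uid = {a["uid"]: a for a in accounts}
    exceptions = []
    for act in actions:
        acct = by_uid.get(act["uid"])
        if acct is None:
            continue  # no directory account exists, so nothing is left to revoke
        deadline = act["effective"] + timedelta(days=grace_days)
        if as_of <= deadline:
            continue  # still inside the grace window; not yet an exception
        days_overdue = (as_of - deadline).days
        used_after = acct["last_login"] > act["effective"]
        if act["kind"] == "termination" and acct["enabled"]:
            exceptions.append({
                "uid": act["uid"],
                "finding": "terminated user still enabled",
                "days_overdue": days_overdue,
                "used_after_action": used_after,
            })
        elif act["kind"] == "transfer" and acct["dept"] != act["new_dept"]:
            exceptions.append({
                "uid": act["uid"],
                "finding": "transferred user still holds old-department access",
                "days_overdue": days_overdue,
                "used_after_action": used_after,
            })
    return exceptions


def summarize(exceptions):
    """One line per exception, in the form the working papers would record."""
    return [
        f"{e['uid']}: {e['finding']} ({e['days_overdue']} days overdue"
        f"{', account used after the action date' if e['used_after_action'] else ''})"
        for e in exceptions
    ]


if __name__ == "__main__":
    for line in summarize(find_access_exceptions(ACTIVE_ACCOUNTS, HR_ACTIONS, AUDIT_DATE)):
        print(line)
```

The "used after the action date" flag matters for the finding's severity: an enabled but unused account is a housekeeping lapse, while a terminated user's account that has been logging in is evidence that the control has failed in operation, not just on paper.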

Software and Data Security Controls

Data and software security and access controls are the key controls over today’s network-oriented business systems.
These are considered operational controls in the sense that these controls function day in and day out to meet the needs
of business. The administration of the network is similar to the administration and management of any information
processing facility. In the information processing manager’s scenario, the main objective is to prevent, detect, and
correct unauthorized access to the network’s hardware, software, and data, and ensure the network’s sound operation
and the security of the corporate intellectual property and information.

Physical and Environmental Controls Management

All such controls in active use must be tested periodically. Such testing includes the evaluation of the effectiveness of
current controls and the implementation of additional controls as determined to be necessary. The results of the testing
of physical and environmental controls should be reported to senior management.

Data Access Management

The data center operations manager, the network administrator, or the corporate IT security manager, whoever assigned
this responsibility, must perform it in a very responsible manner. This person must accurately maintain user IDs and
passwords and associated file and data access schemes, as well as receive computer-generated reports of attempted
unauthorized accesses. Reports on data access and traffic analysis should be reviewed. Such reports will allow the
administrator to manage network growth and help foresee future security needs.
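To show what reviewing a computer-generated report of attempted unauthorized accesses can look like in practice, the following is an added example, not code or a report format from the lecture or from any product. It parses a constructed report (a made-up one-line-per-event layout) and tags the patterns an administrator would follow up on. The thresholds, the "after hours" window, and every user, address and path are assumptions for the illustration.

```python
# Added example (not from the lecture): review of a computer-generated report
# of attempted unauthorized accesses, as described under Data Access
# Management. The report lines and the review thresholds are constructed for
# illustration; the format is not a real product's log format.
import re
from collections import defaultdict

# Constructed report: timestamp, result, user ID, source address, resource.
REPORT = """\
2024-05-06T08:01:10 DENIED user=jsmith src=10.1.4.22 res=/srv/payroll
2024-05-06T08:01:12 DENIED user=jsmith src=10.1.4.22 res=/srv/payroll
2024-05-06T08:01:15 DENIED user=jsmith src=10.1.4.22 res=/srv/payroll
2024-05-06T08:02:40 ALLOWED user=mlee src=10.1.4.30 res=/srv/itdocs
2024-05-06T08:05:03 DENIED user=tbrown src=10.1.4.31 res=/srv/hr
2024-05-06T23:40:00 DENIED user=rgomez src=10.1.9.77 res=/srv/payroll
2024-05-06T23:40:05 DENIED user=rgomez src=10.1.9.77 res=/srv/executive
2024-05-06T23:40:09 DENIED user=rgomez src=10.1.9.77 res=/srv/hr
2024-05-06T23:41:00 DENIED user=rgomez src=10.1.9.77 res=/srv/legal
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<result>ALLOWED|DENIED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) res=(?P<res>\S+)$"
)

# Constructed review thresholds (assumed, not from the lecture).
REPEAT_THRESHOLD = 3    # denials by one user on the same resource
BREADTH_THRESHOLD = 3   # distinct resources one user was denied on
AFTER_HOURS = (22, 6)   # denials at or after 22:00 or before 06:00


def parse_report(text):
    """Parse report lines into dicts. Malformed lines are returned separately
    so the reviewer sees them instead of silently losing events."""
    events, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            malformed.append(line)
    return events, malformed


def is_after_hours(ts):
    """True when the hour of an ISO timestamp falls in the AFTER_HOURS window."""
    hour = int(ts[11:13])
    start, end = AFTER_HOURS
    return hour >= start or hour < end


def review_denials(events):
    """Group denials by user and tag the patterns the administrator should
    follow up on: repeated denials on one resource, denials spread across
    many resources, and denials outside working hours."""
    per_user = defaultdict(lambda: {"denials": 0, "resources": set(),
                                    "sources": set(), "after_hours": 0})
    per_user_resource = defaultdict(int)
    for e in events:
        if e["result"] != "DENIED":
            continue
        u = per_user[e["user"]]
        u["denials"] += 1
        u["resources"].add(e["res"])
        u["sources"].add(e["src"])
        per_user_resource[(e["user"], e["res"])] += 1
        if is_after_hours(e["ts"]):
            u["after_hours"] += 1

    findings = {}
    for user, u in per_user.items():
        reasons = []
        if any(n >= REPEAT_THRESHOLD for (usr, _), n in per_user_resource.items() if usr == user):
            reasons.append("repeated_denials")
        if len(u["resources"]) >= BREADTH_THRESHOLD:
            reasons.append("many_resources")
        if u["after_hours"]:
            reasons.append("after_hours")
        if reasons:
            findings[user] = {
                "denials": u["denials"],
                "resources": sorted(u["resources"]),
                "sources": sorted(u["sources"]),
                "after_hours": u["after_hours"],
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    events, malformed = parse_report(REPORT)
    for user, f in review_denials(events).items():
        print(user, f["denials"], "denials", f["reasons"], "from", f["sources"])
    print("malformed lines:", len(malformed))
```

The review deliberately keeps the three tags separate: three denials on one resource usually point to a user who lacks an entitlement they expect, whereas denials spread across several sensitive resources late at night are the pattern that warrants escalation, and a report that only counts totals hides that distinction.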

Policy and Procedures Documentation

The objectives here are to provide standards for preparing documentation and ensuring the maintenance of
documentation. The IT operations manager must set documentation standards so that when employees change jobs,
become ill, or leave the organization, replacement personnel can adequately perform the task of that employee. The IT
operations manager must periodically test the documentation for clarity, completeness, appropriateness, and accuracy.

Data and Software Backup Management

Backup media must be labeled, controlled, and stored in an appropriate manner. The IT manager must maintain control
logs of all backups as well as provide documentation on how to recover files, data, directories, and disks.
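The script below is an added example (not from the lecture or from any backup product) of how an auditor can test a backup control log against the practices in this section and in Computer Operations/Business Resumption steps 2 to 4: every backup labeled and logged, verified by a test restore, and rotated off-site daily. The log entries, the one-day rotation window and the check date are constructed assumptions for the illustration.

```python
# Added example (not from the lecture): check of a backup control log against
# the practices in the Computer Operations/Business Resumption steps (daily
# off-site rotation, labeled and inventoried media) and the Backup Management
# section (control logs of all backups). The entries and the one-day rotation
# window are constructed for illustration.
from datetime import date, timedelta

# Constructed control log: (backup date, media label, job type,
# restore verified, date sent off-site or None if still on-site).
BACKUP_LOG = [
    (date(2024, 5, 1), "TAPE-0141", "full", True, date(2024, 5, 2)),
    (date(2024, 5, 2), "TAPE-0142", "incremental", True, date(2024, 5, 3)),
    (date(2024, 5, 3), "TAPE-0143", "incremental", False, date(2024, 5, 4)),  # never test-restored
    (date(2024, 5, 4), "", "incremental", True, date(2024, 5, 5)),            # medium not labeled
    # 5 May: no entry in the log at all
    (date(2024, 5, 6), "TAPE-0146", "incremental", True, None),               # still on-site
    (date(2024, 5, 7), "TAPE-0147", "incremental", True, date(2024, 5, 10)),  # rotated late
]

MAX_ROTATION_DAYS = 1            # assumed standard: media go off-site by the next day
PERIOD_START = date(2024, 5, 1)  # constructed audit period
PERIOD_END = date(2024, 5, 7)
AS_OF = date(2024, 5, 10)        # constructed date on which the log is examined


def check_backup_log(entries, period_start, period_end, as_of,
                     max_rotation_days=MAX_ROTATION_DAYS):
    """Return (date, finding) pairs, sorted by date, for every control gap:
    a day with no backup logged, an unlabeled or reused label, a backup never
    verified by a test restore, a medium still on-site past the rotation
    window as of `as_of`, and a medium that went off-site late."""
    findings = []
    logged_days = set()
    labels_seen = {}
    for backup_day, label, _job, verified, offsite in entries:
        logged_days.add(backup_day)
        if not label:
            findings.append((backup_day, "medium not labeled"))
        elif label in labels_seen:
            findings.append((backup_day, f"label {label} reused from {labels_seen[label]}"))
        else:
            labels_seen[label] = backup_day
        if not verified:
            findings.append((backup_day, "restore verification missing"))
        if offsite is None:
            if (as_of - backup_day).days > max_rotation_days:
                findings.append((backup_day, "medium still on-site past rotation window"))
        elif (offsite - backup_day).days > max_rotation_days:
            late_by = (offsite - backup_day).days
            findings.append((backup_day, f"rotated off-site late ({late_by} days)"))

    # Every calendar day in the period must have a logged backup.
    day = period_start
    while day <= period_end:
        if day not in logged_days:
            findings.append((day, "no backup logged"))
        day += timedelta(days=1)
    return sorted(findings)


if __name__ == "__main__":
    for day, finding in check_backup_log(BACKUP_LOG, PERIOD_START, PERIOD_END, AS_OF):
        print(day, finding)
```

Checking the calendar against the log, rather than only reading the log, is what surfaces the missing 5 May entry; a log can only record the backups that were run, so the test of completeness has to come from outside it.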

Other Management Controls

The internal audit department, external auditors, contingency or disaster recovery planning, personnel background
checks, and user training are included in this category. The IT auditor can aid in establishing proper testing
requirements and in reviewing, testing, and recommending the proper controls to establish the necessary safeguards.
Contingency planning and disaster recovery are essential for the proper maintenance of the network and supporting
systems. The contingency plan establishes the steps to recover from the destruction of hardware, software, and data.

Operational controls include items such as periodic personnel background checks on all employees who have access to
key organizational information directly or through support functions. The background check should involve a review of
credit history, financial health, personal problems, and other areas that may identify.

End-User Computing (EUC)

EUC groups are growing rapidly in pervasiveness and importance. The knowledge worker’s application of technology
to help business solve problems has been one of the major forces of change in business today. User dominance will
prevail. Auditors, as knowledge workers and users, can assist departments in identifying sensitive or critical PC
applications that require special attention. In organizations where controls are inadequate or nonexistent, auditors
can play a key role in developing these controls for EUC groups. Once controls are in place, auditors can review them
for adequacy and effectiveness. Auditing an EUC group can encompass the entire spectrum of IS reviews from systems
development to disaster recovery.

Auditing End-User Computing

Once it is determined that an audit of an EUC group is required, the IT auditor needs management’s agreement as to the
audit objectives, audit method, and audit scope. The audit objectives may cover specific applications, end-user support,
or financial issues, or provide for strategic information to be reported to management. Depending on the control
environment and audit objectives, the audit method will be either formal or informal. Defining the EUC group for a
particular environment will determine the scope of the audit.

Preliminary Audit Planning

PC applications have grown from individuals creating personal productivity tools into critical applications that are used
by the entire organization. Management may not fully realize the importance of EUC groups to the organization and so
may not dedicate the necessary resources for a complete and thorough applications audit. However, it is essential to have
management’s support to overcome any obstacles put forth by the EUC groups. End users tend to think of their PCs
as personal property, and they may be resentful of an intrusion by auditors. However, the end user’s cooperation can be
gained, in part, by explaining the criteria that the audit will measure. In addition, management support can be gained
by providing them with a risk analysis that identifies the exposures of EUC.

Defining the Audit Methodology

The method used to conduct the audit depends on the environment being reviewed and the agreed-upon audit
objectives. An inventory of end-user applications can be used to gain a general understanding of the EUC group. The
auditor should discuss this inventory with management to determine what type of audit should be performed. For
example, a more formal audit can be used if a specific application is being evaluated for reliance on financial
information, whereas a statistical audit that collects sample data from transactions or supporting logs can confirm end-
user practices. Auditors could also perform a quick, informal assessment by interviewing the IT staff about their
impressions of the EUC group.

Defining the Scope and Content of the Audit

The scope limits the coverage of the audit to a particular department, function, or application. The content defines what
aspects of a particular area are covered. Depending on the audit objective, the content covers general controls,
application controls, hardware and software acquisition, systems development controls, change controls, problem
management, or disaster recovery.

The Audit Plan

The audit plan details the objectives and the steps to fulfill those objectives. Like any audit, an audit of an EUC group
begins with a preliminary survey or analysis of the control environment by reviewing existing policies and procedures.
During the audit, these policies and procedures should be assessed for completeness and operational efficiency. The
preliminary survey or analysis should identify the organization’s position and strategy for the EUC group and the
responsibilities for managing and controlling it.

The following are the kinds of steps performed to gather the necessary evidence on which to base audit findings,
conclusions, and recommendations.

 Evidence gathering. A review of any documentation that the end-user group uses
 Inquiry. Conducting interviews with end users and any IT support technicians
 Observation. A walk-through to become familiar with department procedures and assess physical controls
 Inventory. A physical examination of any inventoried goods or products on hand in the EUC group
 Confirmation. A review of the end users’ satisfaction surveys that were handed out and completed during
the preliminary audit planning stages
 Analytical procedures. A review of data gathered from statistical or financial information contained in
spreadsheets or other data files
 Mechanical accuracy. A review of the information contained in any databases used by the EUC group
through testing procedures

Reviewing the End-User Computing Group’s Procedures and Objectives

IT should have policies or guidelines that cover EUC. These should be designed to protect company data. IT should
also have standards to ensure that end users are not using hardware or software that is not supported by IT. There
should be an EUC policy that encompasses and is applicable to all EUC groups. If only departmental policies exist, each
policy should be similar to ensure continuity between departmental policies. A company-wide policy should cover:

 Assignment of ownership of data
 User accountability
 Backup procedures
 Physical access controls to PCs
 Appropriate documentation of all EUC groups’ applications and adequate documentation of changes and
modifications
 Segregation of duties
