A U D ITIN G D ATA C EN TER S

A N D D IS A S TER
R EC O V ER Y
Subtitle

Title and Content Layout w ith List

Information technology (IT) processing facilities, usually referred
to as data centers, are at the core of most modern organizations
operations, supporting almost all critical business activities. In this
chapter we will discuss the steps for auditing data center controls,
including the following areas:
Physical security and environmental controls
Data center operations
System and site resiliency
Disaster preparedness

B ackg rou n d
Ever since the first general-purpose electronic
computer (the Electronic Numerical Integrator
and Computer, or ENIAC) was created in 1946,
computer
systems
have
had
specific
environmental, power, and physical security
requirements. Beginning in the late 1950s, as
mainframe
computers
became
more
widelyavailable, data centers were created for
the
express
purpose
of
meeting
these
requirements. Now, most organizations have their
own data centers or co-locate their systems in a

D ata C en ter A u d itin g Essen tials

A data center is a facility that is designed to house an
organizations critical systems, which comprise computer hardware,
operating systems, and applications. Applications are leveraged to
support specific business processes such as order fulfillment,
customer relationship management (CRM), and accounting.
Figure 4-1shows the relationships among data center facilities,
system platforms, databases, applications, and business processes.

P h ysical S ecu rity an d En viron m en tal

C on trols
Data centers incorporate several types of
facility-based controls, commonly referred
to asphysical security and environmental
controls, including facility access control
systems,
alarm
systems,
and
fire
suppression systems. These systems are
designed
toprevent
unauthorized
intrusion, detect problems before they
cause damage,and prevent the spread of
fire.

Facility A ccess C on trol S ystem s

Facility access control systems authenticate workers prior to
providing physical entry to facilities, with the goal of protecting the
information systems that reside within the data center. Physical
access control systems use the same concepts as logical access
control systems for authentication based on something you know,
something you have, or something you are. For example, the
something you know may be a PIN code for a door. The something
you have might include card-key systems or proximity badge
systems, or you may have a physical key to unlock a door. In some
cases, the access control system can be a standard key lock or
simplex lock, although youll see later that these are not preferred
standalone mechanisms for controlling access. The something you
are may include biometric devices that read fingerprints, hand
geometry, and even retina characteristics to authenticate individuals
who need to enter the facility.

A larm S ystem s
Because fire, water, extreme heat and humidity levels, power fluctuations, and
physical intrusion threaten data center operations, data centers should implement
several different types of alarm systems. Specifically, you will normally see the
following types of alarms:
Burglar alarms (with magnetic door, window, or cabinet sensors; motion sensors;
and sometimes audio sensors)
Fire alarms (usually heat and/or smoke-activated sensors broken into zones that
cover different parts of the facility)
Water alarms (usually with sensors beneath the raised floor, near bathrooms, or in
water pipe ducts)
Humidity alarms (normally with sensors disbursed throughout the facility)
Power fluctuation alarms (with sensors near the logical point of entry)
Chemical or gas alarms (sometimes in battery rooms and near air intakes)

Fire S u p p ression S ystem s

Because of the large amount of electrical
equipment, fire is a major threat to data
centers. Therefore, data centers normally
are equipped with sophisticated firesuppression systems and should have a
sufficient number of fire extinguishers.
Generally
speaking,
fire-suppression
systems come in two varieties: water-based
systems and gas-based systems.

S ystem an d S ite R esilien cy

Because the computer systems that reside in a
data center are leveraged to automate business
functions, they must be available any time the
business operates. Therefore, data centers
incorporate various types of controls to ensure
that systems remain available to perform critical
business operations. These controls are designed
to protect power, the computing environment,
and wide area networks (WANs).

H eatin g , V en tilation , an d A ir
C on d ition in g (H VA C )
Extreme temperature and humidity
conditions can cause damage to computer
systems. Because computers require
specific
environmental
conditions
to
operate reliably, HVAC systems are
required controls. Data centers typically
provide sophisticated redundant systems to
maintain
constant
temperature
and
humidity and often provide double the
required capacity.

N etw ork C on n ectivity

Whether from internal networks or the
Internet, users access information systems
residing within data center facilities
through network connections. Network
connectivity is critical. More often than not,
data center facilities have redundant
Internet and WAN connections via multiple
carriers. If one carrier experiences a
network outage, service to the facilities can
be provided by another carrier.

D ata C en ter O p eration s

Although data centers are designed to be automated, they do
require a staff to operate. As a result, data center operations should
be governed by policies, plans, and procedures. The auditor should
expect to find the following areas covered by policies, plans, and
procedures:
Physical access control
System and facility monitoring
Facility and equipment planning, tracking, and maintenance
Response procedures for outages, emergencies, and alarm
conditions

D isaster P rep ared n ess

All data centers are susceptible to natural and manmade
disasters. History shows that when disaster strikes a data center, the
organizations such facilities serve come to a screeching halt. The
auditors job is to identify and measure physical and administrative
controls at the facility that mitigate the risk of data-processing
disruptions, including the following:
System resiliency
Data backup and restore
Disaster recovery planning

D isaster Recovery Planning

Prevention(pra-bencana): Pra-perencanaan diperlukan (seperti menggunakan
server mirror, memelihara situs hot sites, pelatihan tenaga pemulihan bencana)
untuk meminimalkan dampak keseluruhan bencana pada sistem dan sumber daya.
Pra-perencanaan ini juga memaksimalkan kemampuan sebuah organisasi untuk pulih
dari bencana.
Continuity(saat bencana): Proses pemeliharaan inti, mission-critical sistem dan
sumber daya kerangka (aset minimal yang dibutuhkan untuk menjaga sebuah
organisasi dalam status operasional) dan/atau menginisiasi hot sites sekunder selama
bencana. Langkah-langkah continuitymenjaga sistem dan sumber daya perusahaan.
Recovery(pasca bencana): Langkah-langkah yang diperlukan untuk pemulihan
dari semua sistem dan sumber daya untuk menjadi status operasional normal.
Organisasi dapat mengurangi waktu pemulihan dengan berlangganan ke quick-ship
programs (penyedia layanan pihak ketiga yang dapat memberikan pra-konfigurasi
penggantian sistem untuk setiap lokasi dalam jangka waktu yang tetap) atau dapat
juga disebut dengan vendor.