AUDITING GUIDELINES

AUDITING DATA CENTERS AND DISASTER RECOVERY

OVERVIEW

 Information technology (IT) processing facilities, usually referred to as data centers,

are at the core of most modern organizations’ operations
 In this chapter we will discuss the steps for auditing data center controls, including
the following areas:
 Physical security and environmental controls
 Data center operations
 System and site resiliency
 Disaster preparedness
DATA CENTER AUDITING ESSENTIALS

 A data center is a facility that is designed to house an organization’s critical systems,

 computer hardware,
 operating systems, and
 Applications

 Applications are leveraged to support specific business processes such as

 order fulfillment,
 Customer relationship management (CRM), and
 accounting.

 Figure shows the relationships among data center facilities, system platforms, databases, applications, and business processes
 data center facilities are at the foundation of the hierarchy
DATA CENTER THREATS

Major data center threats include the following:

 Natural threats such as weather events, flooding, earthquakes, and fire
 Manmade threats such as terrorist incidents, riots, theft, and sabotage
 Environmental hazards such as extreme temperatures and humidity
 Loss of utilities such as electrical power and telecommunications
most of these threats are physical in nature
DATA CENTER THREATS

 Often data centers in large environments and co-located facilities, physical access
might be experienced through intimidating man-traps (doors specifically designed to
allow only one person through at a time), physical guards, biometric readers, and
card-key-access authentication systems.
 However, it is easy to forget the importance of physical controls and focus your
energy on logical controls.
 Even with excellent logical access controls in place, these physical threats can compromise your
systems’ security and availability.
DATA CENTER OVERVIEW
 For those who have not worked in a data center environment
 racks of computer systems sitting on a raised floor
 miles of power and network cables are run beneath the raised floor or sometimes
through open conduits that hang from the ceiling
 generators, large power conditioners, and UPS (uninterruptible power supply)
devices or rooms filled with batteries to ensure clean, uninterrupted power
 industrial-strength heating, ventilation, and air conditioning systems

 The brain of the data center facility is the data center control center and is
usually manned by datacenter personnel
 For the purpose of the data center audit, we will explore physical security and
environmental controls; system and site resiliency controls; policies, plans, and
procedures used in governing data center operations; and controls that enable
disaster preparedness.
PHYSICAL SECURITY AND ENVIRONMENTAL CONTROLS

 Facility Access Control Systems

 Facility access control systems authenticate workers prior to providing physical entry to facilities
 Physical access control systems use the same concepts as logical access control systems for authentication
 PIN, Password, card-key system, biometric

 Alarm Systems
 Fire, water, extreme heat and humidity levels, power fluctuations, and physical intrusion threaten data center
operations, data centers should implement several different types of alarm systems.
 Burglar alarms (with magnetic door, window, or cabinet sensors; motion sensors; and sometimes audio sensors)
 Fire alarms (usually heat and/or smoke-activated sensors broken into zones that cover different parts of the facility)
 Water alarms (usually with sensors beneath the raised floor, near bathrooms, or in water pipe ducts)

 Fire Suppression Systems

PHYSICAL SECURITY AND ENVIRONMENTAL CONTROLS

System and Site Resiliency

Power
Heating, Ventilation, and Air Conditioning (HVAC)
Network Connectivity
TEST STEPS FOR AUDITING DATA CENTERS

 The following topic areas should be addressed during the data center audit:
 Neighborhood and external risk factors
 Physical access controls
 Environmental controls
 Power and electricity
 Fire suppression
 Data center operations
 System resiliency
 Data backup and restore
 Disaster recovery planning
NEIGHBORHOOD AND EXTERNAL RISK FACTORS

 When auditing a data center facility, you should first evaluate the
environment in which the data center resides. The goal is to identify high-
risk threats.
 For example, the data center you are auditing may be in the flight path of a
regional airport, a Federal Emergency Management Agency (FEMA) flood zone,
or a high-crime area
NEIGHBORHOOD AND EXTERNAL RISK FACTORS

 1. Review data center exterior lighting, building orientation, signage, fences, and
neighborhood characteristics to identify facility related risks.
 Data center facilities should provide a physically secure environment for personnel and information
systems.
 A breach of physical security, whether through a bomb, a physical intrusion, or a weather-related
event, would compromise information and personnel security.
 How?
 Signage
 Neighborhood
 Exterior Lighting
 Fences
NEIGHBORHOOD AND EXTERNAL RISK FACTORS

 2. Research the data center location for environmental hazards and to

determine the distance to emergency services.
 Environmental threats such as floods, severe weather, and transportation-related accidents can destroy or
severely damage a data center. In the event of an emergency, rapid response from authorities is critical.
Therefore, the proximity to fire stations, police stations, and hospitals is important.
 How??
 Flood Elevations
 Weather and Earth Movement Threats
 Proximity to Transportation-Related Hazards
 Proximity to Industrial Areas
 Proximity to Emergency Services
PHYSICAL ACCESS CONTROLS

 Several information security incidents have occurred in which thieves gained

unauthorized access to sensitive information by defeating physical access control
mechanisms
 Exterior doors and walls
 Access control procedures
 Physical authentication mechanisms
 Security guards
 Other mechanisms and procedures used to secure sensitive areas
PHYSICAL ACCESS CONTROLS

 3. Review data center doors and walls to determine whether they protect the facilities adequately.
 A data center’s first and most formidable line of defense should be the walls and doors used in its construction. Look closely
at how well doors and walls protect against intrusion and other hazards such as projectiles or blasts.
 How
 Raised Floors and Drop Ceilings
 Doors
 Windows
PHYSICAL ACCESS CONTROLS

 4. Evaluate physical authentication devices to determine whether they are appropriate and are
working properly.
 Physical authentication devices such as card-key readers, proximity badges, biometric devices, simplex
(combination) locks, and traditional key locks serve to allow access to authorized personnel and keep out
unauthorized personnel
 How?
 For each entry point into the data center, identify and examine the physical authentication mechanisms
 Card-Key and Proximity Devices
 Biometric Devices
 Key Locks and Combination Locks
PHYSICAL ACCESS CONTROLS

 5. Ensure that physical access control procedures are comprehensive and being followed by data center and
security staff.
 Physical access control procedures govern employee and guest access to the data center facility. If physical access control
procedures are incomplete or not enforced consistently, data center physical access will be compromised.
 How?
 Ensure that access authorization requirements are documented and clearly defined for both employees and guests
 Verify that guest access procedures include restrictions on taking pictures and outline conduct requirements within the data center
 Review a sample of both guest access and employee ID authorization requests to ensure that access control procedures are followed
 Review procedures for ensuring that data center access is removed when it is no longer required
 Determine whether management regularly reviews the physical access authorizations for validity
PHYSICAL ACCESS CONTROLS

 6. Ensure that burglar alarms and surveillance systems are protecting the data
center from physical intrusion.
 Burglar alarms and surveillance systems mitigate the risk of undetected physical intrusion by
serving as a detective control as well as a deterrent for would-be intruders
 How?
 Review the placement of intrusion sensors, verifying that critical areas of the data center are
covered adequately, and review maintenance logs to ensure that the system has been maintained and
tested properly
PHYSICAL ACCESS CONTROLS

 7. Review security guard building round logs and other

documentation to evaluate the effectiveness of the security personnel
function.
 Security guards can be one of the most effective physical access controls. They act
as a deterrent and can also control facility access and respond to incidents with
cognitive reasoning.
PHYSICAL ACCESS CONTROLS

 8. Verify that sensitive areas within the data center are secured adequately.
Ensure that all computer processing equipment essential to data center
operations (such as hardware systems and power supply breakers) is located
within the computer processing room or in a secure area.
 Data centers typically have some areas that are more sensitive than others, such as equipment
staging areas, generators, and computer systems that are processing sensitive information.
ENVIRONMENTAL CONTROLS

 9. Verify that HVAC systems maintain constant temperatures within the data center. within the
data center.
 HVAC systems are used to provide constant temperature and humidity levels. Computer systems can be
damaged by extremes in either.
 How? Review…
 Temperature and humidity logs to verify that each falls within acceptable ranges over a period of time.
 Temperature and humidity alarms to ensure data center personnel are notified of conditions when either factor
falls outside of acceptable ranges
 HVAC design to verify that all areas of the data centers are covered appropriately.
 Configuration of the HVAC systems
ENVIRONMENTAL CONTROLS

 10. Ensure that a water alarm system is configured to detect water in

high-risk areas of the data center.
 Water and electronic equipment do not mix. Data centers normally employ water
sensors in strategic locations such as near water sources or under raised floors.
POWER AND ELECTRICITY

 Redundant power feeds that provide power from two or more power stations
 Ground-to-earth to carry excess power away from systems during electrical faults
 Power conditioning systems to convert potentially dirty power to clean power
 Battery backup systems (UPSs) that provide immediate power, typically for short
periods of time
 Generators to provide sustained power during extended power losses
POWER AND ELECTRICITY

 11. Determine whether the data center has redundant power feeds.
 12. Verify that ground-to-earth exists to protect computer systems.
 13. Ensure that power is conditioned to prevent data loss.
 14. Verify that battery backup systems are providing continuous power during
momentary black-outs and brown-outs.
 15. Ensure that generators protect against prolonged power loss and are in good
working condition.
 16. Evaluate the usage and protection of emergency power-off (EPO) switches.
FIRE SUPPRESSION

 17. Ensure that data center building construction incorporates

appropriate fire suppression features
 Fire-rated walls and doors to prevent fire from moving from one area of a building
to another
 Firestops where fire-rated walls or floor assemblies are sealed to prevent the spread
of fire
 Standpipe fire hose systems to provide a ready supply of water for fire suppression
FIRE SUPPRESSION

 19. Verify that fire extinguishers are strategically placed throughout

the data center and are maintained properly.
 20. Ensure that fire suppression systems are protecting the data
center from fire.
 21. Verify that fire alarms are in place to protect the data center from
the risk of fire.
DATA CENTER OPERATIONS

 Facility monitoring
 Roles and responsibilities of data center personnel
 Segregation of duties of data center personnel
 Responding to emergencies and disasters
 Facility and equipment maintenance
 Data center capacity planning
 Asset management
DATA CENTER OPERATIONS

 22. Review the alarm monitoring console(s), reports, and procedures

to verify that alarms are monitored continually by data center
personnel.
DATA CENTER OPERATIONS

 23. Verify that network, operating system, and application monitoring provides
adequate information to identify potential problems for systems located in the data
center.
 24. Ensure that roles and responsibilities of data center personnel are clearly
defined.
 25. Verify that duties and job functions of data center personnel are segregated
appropriately.
 26. Ensure that emergency response procedures address reasonably anticipated
threats.
 27. Verify that data center facility-based systems and equipment are maintained
properly.
DATA CENTER OPERATIONS

 28. Ensure that data center personnel are trained properly to perform their job
functions.
 29. Ensure that data center capacity is planned to avoid unnecessary outages.
 30. Verify that procedures are present to ensure secure storage and disposal of
electronic media.
 31. Review and evaluate asset management for data center equipment.
SYSTEM RESILIENCY

 32. Ensure that hardware redundancy (redundancy of components

within a system) is used to provide high availability where required.
 Failure of system components will cause system outages and data loss. When high system availability is
required, systems should contain redundant system components such as Redundant Array of Inexpensive Disks
(RAID) and redundant power supplies.

 33. Verify that duplicate systems are used where very high system
availability is required.
 If system downtime will result in significant costs or loss of revenue to the business and system downtime
cannot be tolerated, duplicate (redundant) systems are used to provide for automatic failover in the event of a
system crash
DATA BACKUP AND RESTORE

 34. Ensure that backup procedures and capacity are appropriate for respective systems.
 Typically, backup procedures come in the form of backup schedules, tape rotations, and an off-site storage
process. Depending on the maximum tolerable downtime, system backup schedules could be as frequent as
real time or as infrequent as monthly
 35. Verify that systems can be restored from backup media.
 There is no reason to back up information unless restore is possible; unfortunately, however,
organizations rarely test backup media to ensure that system restore works properly
 36. Ensure that backup media can be retrieved promptly from off-site storage facilities.
 Often, backup media cannot be retrieved from off-site storage facilities. This is due to backup media
being marked improperly or placed in the wrong location. This situation can cause either undue delay in
restoring systems or a complete loss of data.
DISASTER RECOVERY PLANNING

 37. Ensure that a disaster recovery plan (DRP) exists and is comprehensive and that key
employees are aware of their roles in the event of a disaster.
 If a disaster strikes your only data center and you don’t have a DRP, the overwhelming odds are that your
organization will suffer a large enough loss to cause bankruptcy.
 Disaster recovery, therefore, is a serious matter.
 How?? Ensure that a DRP exits, and
 Verify that the DRP covers all systems and operational areas
 Verify that a current copy of the DRP is maintained at a secured, off-site location
 Review the results of the last disaster recovery exercise
DISASTER RECOVERY PLANNING

 38. Ensure that DRPs are updated and tested regularly.

 39. Verify that parts inventories and vendor agreements are accurate
and current.
 40. Ensure that emergency operations plans address various disaster
scenarios adequately