Internal Audit Report – Data Centre Operations And Security

FINAL

Internal Audit Report
Data Centre Operations and Security

Document Details:
Reference: Report nos from monitoring spreadsheet/2013.14
Senior Manager, Internal Audit & Assurance: ext. 6567
Engagement Manager:
Auditor:
Date: 17 September 2014

This report is not for reproduction publication or disclosure by any means to unauthorised persons.

1. EXECUTIVE SUMMARY

1.1 INTRODUCTION

As part of the 2014/15 Internal Audit Plan an audit of the ‘Data centre operations and security’ was carried out.

The objective of this review is to evaluate the security of the data centre, in particular the following areas:

- data centre policies and procedures are defined, documented, and communicated for all key functions;
- Council systems are secured to prevent unauthorised access (including 3rd party access);
- access to the data centre is monitored and reviewed, and access rights are periodically reviewed;
- data is backed up from servers held at the civic data centre;
- data transferred off site is secured at all times and appropriate controls are in place to monitor the location of the data;
- environmental controls are present to protect the servers from fire, electrical and water damage;
- capacity for the data centre is adequate for the server rooms equipment and storage needs;
- environmental equipment is routinely maintained in line with manufacturer recommended schedules; and
- backup electricity supplies are in place to ensure systems and services are not affected in the event of a power outage.

1.2 OVERALL OPINION

The overall opinion of this review is ‘significant assurance’.

There are some areas that are appropriately managed and in line with acceptable good practice, including:

- A computer room policy has been developed and is reviewed on an annual basis;
- Backup schedules are in place and failed backups are monitored and actioned by ICT staff;
- An offsite location is used for storage of backup tapes; and
- Storage capacity for the data centre is considered adequate based on the plans of ICT.

However, we also identified a number of areas that require improvement, and have thus led to the ‘limited assurance’ rating:

- Failure to test restores of critical applications regularly;
- Lack of documented back up policy and procedures;
- Excessive computer room access;
- A lack of regular review of the computer room access;
- Lack of formalised computer room training as required by the computer room policy;
- Lack of a visitors register in the computer room, as required by the computer room policy;
- Lack of a fire suppression system; and
- The backup process is inefficient due to the increase of data over the last five years.

Recommendations 7 and 8 are included for completeness. Management have agreed a response to these recommendations in the Disaster Recovery audit report. These recommendations have not influenced the overall opinion.

Overall Audit Opinion

Full assurance: Full assurance that the system of internal control meets the organisation’s objectives and controls are consistently applied.

Significant assurance: Significant assurance that there is a generally sound system of control designed to meet the organisation’s objectives. However, some weaknesses in the design or inconsistent application of controls put the achievement of some objectives at some risk.

Limited assurance: Limited assurance as weaknesses in the design or inconsistent application of controls put the achievement of the organisation’s objectives at risk in some of the areas reviewed.

No assurance: No assurance can be given on the system of internal control as weaknesses in the design and/or operation of key control could result or have resulted in failure(s) to achieve the organisation’s objectives in the area(s) reviewed.

2. SUMMARY OF CONCLUSIONS

2.1 The conclusion for each control objective evaluated as part of this audit was as follows:

Control Objective | Assurance (Full / Significant / Limited / None)

- CO1: data centre policies and procedures are defined, documented, and communicated for all key functions;
- CO2: Council systems are secured to prevent unauthorised access (including 3rd party access);
- CO3: access to the data centre is monitored and reviewed, and access rights are periodically reviewed;
- CO4: data is backed up from servers held at the data centre;
- CO5: data transferred off site is secured at all times and appropriate controls are in place to monitor the location of the data;
- CO6: environmental controls are present to protect the servers from fire, electrical and water damage;
- CO7: capacity for the data centre is adequate for the server rooms equipment and storage needs
- CO8: environmental equipment is routinely maintained in line with manufacturer recommended schedules
- CO9: backup electricity supplies are in place to ensure systems and services are not affected in the event of a power outage

2.2 The recommendations arising from the review are ranked according to their level of priority as detailed at the end of the report within the detailed audit findings. Recommendations are also colour coded according to their level of priority with the highest priorities highlighted in red, medium priorities in amber and lower priorities in green. In addition, the detailed audit findings include columns for the management response, the responsible officer and the time scale for implementation of all agreed recommendations.

2.3 Where high recommendations are made within this report it would be expected that they should be implemented within three months from the date of the report to ensure that the major areas of risk have either been resolved or that mitigating controls have been put in place and that medium and low recommendations will be implemented within six and nine months respectively.

3. LIMITATIONS REGARDING THE SCOPE OF THE AUDIT

The scope of our work will be limited to those areas outlined above.

4. ACKNOWLEDGEMENTS

Audit would like to thank all involved for their assistance during this review.

5. DETAILED AUDIT FINDINGS

Columns: Ref. | Priority | Findings | Risk Arising/Consequence | Recommendation | Management Response | Responsibility and Timescale | Recommendation Implemented (Officer & Date)

CO1: Policies and Procedures

Ref. 1
Priority: Low
Findings: Lack of Backup Policy and Procedures. On inspection of the Computer room policy, it was noted that the document does not contain any details on the backup policy and procedure. We accept that the off-site backup storage arrangements are detailed in the IT Disaster Recovery document.
Risk Arising/Consequence: In the absence of a documented backup policy and procedure, there is an increased risk that backups are not performed in line with ICT’s requirements. This may result in the loss of data, interruption of ICT services and operational difficulties.
Recommendation: We recommend that the Computer Room policy is expanded to include the backup cycle, backup transit and storage arrangements.
Management Response: The Computer Room Policy and description of the data back-up and restore service are given in two separate documents. These can be combined, giving the back-up and restore weight by placing it into policy.
Responsibility and Timescale: Service Operations Manager, End November 2014.

CO2: Access to the data centre

Ref. 2
Priority: High
Findings: Excessive access to Computer Room. On inspection of the access list dated 14 August 2014, we noted that there are a total of 65 access cards that provide staff access to the County Hall computer room. Examples of these include the following:
- 20 temporary passes held by Reception;
- Senior Internal Auditor;
- Audit assistant;
- Two members of the applications team;
- One staff member from Adult Services & Health;
- One staff member from Children’s Services;
- Six temporary contractors; and
- One leaver who has not yet been removed.
We accept that part of the issues arises due to Reception issuing an ‘all hours all doors’ pass, that is out of the control of ICT.
Risk Arising/Consequence: Unauthorised/inappropriate physical access to the computer room may result in accidental or malicious damage to ICT equipment resulting in loss of data, interruption of ICT services and operational difficulties.
Recommendation: The access to all computer rooms should be restricted to and other who require access to perform their responsibilities. The access list should be reviewed by management on a regular basis to ensure that the access granted is valid. Proof of the review should be maintained.
Management Response: The current security group used within the Door Access Control System (Net2) to cover the computer rooms is also shared with other duty staff requiring access 'all hours, all doors'. This is inappropriate, as some staff will require open access to most areas, but not the computer areas. S&CA have already arranged with Facilities to create a dedicated access group for Computer rooms. This will be used for appropriate staff who require access to the computer rooms only. Access to the computer rooms will be removed from the 'all hours, all doors' group.
Responsibility and Timescale: Technical Services manager, end November 2014.

Ref. 3
Priority: Medium
Findings: Computer Room Access Logging. The computer room policy states that ‘access to the central computer rooms must be logged. For regular staff this can be via the automated Access Control System, for other staff, this must be via an electronic or manual booking system administered centrally. The 'booking system' should show name of the person accessing the computer room, data and time from and until, reason for access and detail of work to be carried out’. We noted that there is no ‘booking system’ in place for visitors.
Risk Arising/Consequence: Unauthorised/inappropriate physical access to the computer room may result in accidental or malicious damage to ICT equipment resulting in loss of data, interruption of ICT services and operational difficulties.
Recommendation: Where non authorised staff require access to the computer room, they should be accompanied by a member of the ICT team and their access logged (utilising an access log form). The log should be reviewed by Management on a regular basis (monthly), to identify any unauthorised access.
Management Response: Agreed, S&CA will create a manual logging process that can be used to record access for individuals that do not have access right to the computer room within their own responsibility. Will record:
- Date/time
- Who requires access
- Reason for access
Responsibility and Timescale: Technical Services manager, end November 2014.

Ref. 4
Priority: Low
Findings: Computer Room Training. The computer room policy states that ‘access is granted once users have received training’. There is currently no proof of the training. We understand that the training is currently verbal and there is an intention for ICT to implement an online training course going forward.
Risk Arising/Consequence: A lack of training may result in staff not understanding the controls appropriate for the computer room. This may result in accidental or malicious damage to ICT equipment resulting in loss of data, interruption of ICT services and operational difficulties.
Recommendation: A formalised training programme should be developed, that includes details of the policies and procedures staff must follow, guidance on escalation and roles and responsibilities. Evidence of a formal training record should be maintained.
Management Response: S&CA are working in conjunction with Development and Training to derive an on-line Computer Room Access course to be completed by staff before being allowed access to the computer rooms.
Responsibility and Timescale: Service Operations Manager, and Development and Training, End December 2014.

CO3: Management review of data centre access

Ref. 5
Priority: Medium
Findings: Access List Reviews. Access list reviews are performed on an ad-hoc basis. The last review was performed in February 2014. We noted that there are many users on the access list that should not have access to the computer room. See CO2 above for details. In addition there is no evidence of the access review.
Risk Arising/Consequence: Unauthorised/inappropriate physical access to the computer room may result in accidental or malicious damage to IT equipment resulting in loss of data, interruption of IT services and operational difficulties.
Recommendation: We recommend that computer room access lists are reviewed more formally on a regular basis, and proof of review is retained. As a minimum the recommended guidance is every 3 months.
Management Response: Agreed, this is good practice and will be scheduled within the team.
Responsibility and Timescale: Service Operations Manager, End November 2014.

CO4: Data is backed up

Ref. 6
Priority: Medium
Findings: New Backup System. Netbackup, the backup system currently in use by the Council, was implemented five years ago. Since the implementation, there has been a 12% annual growth of the data that requires backup. The backup process has thus become very slow and inefficient. We understand that a budget for the implementation of a new backup system has already been approved and will form par
Risk Arising/Consequence: In the event that a disaster occurs and data is not appropriately backed up, inability to recover the data may result in critical business functions not being recovered in a timely, accurate and controlled fashion. This could result in the loss of data, interruption of ICT services and operational difficulties
Recommendation: Implement a backup system that is scalable and therefore can cope with the level of data growth within the Council.
Management Response: The review of the back-up process will be done by HP as the new Service Provider, in conjunction with S&CA, to achieve a solution that will be strategic for the needs of the Council and in line with HP support model going r to IT Disaster Recovery report

Recommendation: Management should develop a policy on how often restores will be performed and retain all supporting documentation
Management Response: Refer to IT Disaster Recovery report
Responsibility and Timescale: Refer to IT Disaster Recovery report
