Audit Considerations of Data Center Consolidation
Jon Ingram, Audit Manager, Information Technology Audits, Florida Auditor General
Florida’s Data Center Consolidation
- Agency IT systems being transferred to three primary data centers (PDCs) “as is.”
- Transition of custodial responsibilities for IT equipment.
- Standardization of IT services and infrastructure to occur later.
- Agencies can use more than one PDC, and some do.
- Agencies keep most application support functions.
- PDCs and customers required by law to negotiate service level agreements.
- Audit impact: need for clear auditor understanding of the division of PDC and customer responsibilities.
Primary Data Center Audits
- Some IT controls that are now the responsibility of the PDC are relevant to multiple customers.
- Efficiencies have been gained by auditing the PDCs directly rather than only as part of audits of customer systems.
- Audits of PDCs to be done on a periodic cycle.
Considerations for Audits of Customer Systems
- Determine which PDC(s) the customer is using.
- Understand the division of responsibilities between the PDC and the customer for the controls relevant to your audit objectives.
- Determine if the PDC has been recently audited and if the controls tested in the PDC audit are relevant to your audit objectives for the customer system.
- Determine if a service level agreement exists between the auditee and the PDC.
Service Level Agreements (SLAs)
- Florida law requires the PDCs and their customers to execute SLAs.
- SLA governs the relationship between the PDC and the customer.
- SLA should define the roles, responsibilities, and expectations of both parties.
- SLA should define the IT services to be provided by the PDC.
- SLA is a responsibility of both parties: the PDC and the customer.
Service Level Agreements (SLAs): Audit Considerations
- SLA is a good source of information on services to be provided by the PDC and the responsibilities of the customer.
- Lack of an SLA is a potential compliance issue for both parties and could be relevant in audits of both parties.
- If there is no SLA, it is more difficult for the auditor to determine what IT services and other expectations have been agreed upon by both parties.
- A lacking or poorly written SLA may increase the risk that significant responsibilities are not met.
Information Security: Both PDC and Customer Are Responsible
- Data custodian now organizationally separate from data owner.
- Customer reliant on PDC for certain aspects of information security.
- Customer retains responsibility for other aspects of information security.
Information Security: Audit Considerations
- Have customer security requirements and expectations been clearly communicated and agreed upon in writing?
- Likewise for PDC security requirements and expectations?
- Do customer and PDC security risk assessments and security plans appropriately address the division of responsibilities?
Logical Access Controls
- PDC may act as access administrator for the customer.
- For example, mainframe-level access privileges or rules in packages such as RACF or ACF2.
Logical Access Controls: Audit Considerations
- Does an appropriate process exist for notifying the PDC of changes in access requirements, especially terminations?
- Does the PDC provide the customer appropriate reports for reviews of access?
- From whom should the auditor request records of access privileges: the customer or the PDC?
- Possible impact on separation of duties and appropriateness of access?
Physical Access Controls at PDC
- During transition, some customers still own and retain responsibilities for operating and maintaining their IT equipment.
- Customer employees are granted access to PDC facilities.
Physical Access Controls: Audit Considerations
- Is there a process for the customer to authorize who can access their IT equipment being housed at the PDC?
- Does the customer review the physical access listing on a regular basis?
- Does an appropriate process exist for removing physical access of former or reassigned customer employees?
- Is access to IT equipment of other customers appropriately restricted?
Network Controls
- Division of network responsibilities between PDC and customer.
- Each responsible for their own network infrastructure.
- Division of responsibilities may differ depending on the nature of the application infrastructure and the services provided by the PDC to the customer you are auditing.
- Audit consideration: where is the point of demarcation?
Change Controls
- Application change control staying with customers.
- Audit consideration: what is the division of responsibilities between customer and PDC for non-application change management? For example, what about IT infrastructure configuration management?
Disaster Recovery: Audit Considerations
- Has the customer ensured that the SLA sufficiently addresses disaster recovery services to be provided by the PDC?
- If not explicitly defined in the SLA, is the customer in a position to rely on the PDC for needed backup and recovery services?
Cost Allocation and Billing: Audit Considerations
- Is there an agreed-upon methodology?
- Is it consistent, equitable, and documented?
- Does it adequately cover the PDC’s near-term cost?
- How are long-term PDC capital requirements addressed?
- Does it accommodate external cost reporting requirements of customers (e.g., Federal cost allocation requirements)?
Future Audit Considerations
- Revisit audit procedures as full service transfer is completed.
- Impact on customers of PDC movement toward standardized services and infrastructure.
- Capacity planning of PDCs:
  – Floor space.
  – Power.
  – Environmental controls (e.g., cooling).
Questions?