DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, DOMINGUEZ HILLS. Audit Report June 15, 2012

Similar documents
DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, LONG BEACH. Audit Report July 24, 2012

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Subject: Audit Report 16-50, IT Disaster Recovery, California State University, Fresno

Subject: Audit Report 18-84, IT Disaster Recovery, California State University, Sacramento

HIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report October 29, 2010

SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, CHANNEL ISLANDS. Audit Report June 25, 2013

EMERGENCY MANAGEMENT

SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, SAN BERNARDINO. Audit Report July 10, 2013

ART CENTER AND SATELLITE PLANT

General Information Technology Controls Follow-up Review

Number: USF System Emergency Management Responsible Office: Administrative Services

Standard: Data Center Security

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

INFORMATION SECURITY CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report January 13, 2010

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

UCLA AUDIT & ADVISORY SERVICES

INFORMATION SECURITY CALIFORNIA STATE UNIVERSITY, CHICO. Audit Report November 7, 2008

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

Standard CIP Cyber Security Critical Cyber Asset Identification

STATE OF NORTH CAROLINA

Subject: University Information Technology Resource Security Policy: OUTDATED

The University of British Columbia Board of Governors

SECURITY & PRIVACY DOCUMENTATION

Information Security Policy

Office of MN.IT Services Data Centers

01.0 Policy Responsibilities and Oversight

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Standard CIP Cyber Security Critical Cyber Asset Identification

Information Technology General Control Review

STATE OF NORTH CAROLINA

Opportunity Lives Here

REPORT 2015/149 INTERNAL AUDIT DIVISION

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

Policy and Procedure: SDM Guidance for HIPAA Business Associates

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Policies and Procedures Date: February 28, 2012

UTAH VALLEY UNIVERSITY Policies and Procedures

XAVIER UNIVERSITY Building Access Control Policy

Apex Information Security Policy

REPORT 2015/186 INTERNAL AUDIT DIVISION

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

TUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY

Facility Security Policy

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Data Backup and Contingency Planning Procedure

B. To ensure compliance with federal and state laws, rules, and regulations, including, but not limited to:

Applications/Data To Include in Survey (include applications that meet one or more of the following criteria)

Statewide Information Technology Contingency Planning

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

San Francisco Chapter. What an auditor needs to know

ASSURING BUSINESS CONTINUITY THROUGH CONTROLLED DATA CENTER

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

Security and Privacy Governance Program Guidelines

Trust Services Principles and Criteria

Public Safety Canada. Audit of the Business Continuity Planning Program

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

STATE OF NORTH CAROLINA

GAO INFORMATION SECURITY. Veterans Affairs Needs to Address Long-Standing Weaknesses

REPORT 2015/010 INTERNAL AUDIT DIVISION

Texas A&M University: Learning Management System General & Application Controls Review

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services

Regulation P & GLBA Training

The Texas A&M University System Internal Audit Department MONTHLY AUDIT REPORT

UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Table of Contents. Sample

Making YOUR Organization More Efficient and Effective Through Business Continuity / Continuity of Operations Planning

AUDIT REPORT. Network Assessment Audit Audit Opinion: Needs Improvement. Date: December 15, Report Number: 2014-IT-03

Inspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

Critical Cyber Asset Identification Security Management Controls

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

We are releasing 7 pages of responsive documents. Pursuant to FOIA, certain information has been redacted as it is exempt from release.

SOC 3 for Security and Availability

Security of Information Technology Resources IT-12

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Corporate Governance and Internal Control

Information Security Policy

Information Security Data Classification Procedure

Annual Report on the Status of the Information Security Program

PHYSICAL & ENVIRONMENTAL PROTECTION GUIDE

CONTINGENCY PLANNING GUIDE

Virginia Commonwealth University School of Medicine Information Security Standard

manner. IOPA conducts its reviews in conformance with Government Auditing Standards issued by the Comptroller General of the United States.

Memorandum APPENDIX 2. April 3, Audit Committee

Information Services IT Security Policies L. Network Management

Checklist: Credit Union Information Security and Privacy Policies

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

The next generation of knowledge and expertise

Cyber Security Program

The Common Controls Framework BY ADOBE

GEORGIA CYBERSECURITY WORKFORCE ACADEMY. NASCIO 2018 State IT Recognition Awards

EXHIBIT A. - HIPAA Security Assessment Template -

IJESRT. (I2OR), Publication Impact Factor: (ISRA), Impact Factor: 2.114

Transcription:

DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, DOMINGUEZ HILLS Audit Report 12-31 June 15, 2012 Henry Mendoza, Chair William Hauck Steven M. Glazer Glen O. Toney Members, Committee on Audit University Auditor: Larry Mandel Senior Director: Michael Caldera IT Audit Manager: Greg Dove Staff BOARD OF TRUSTEES THE CALIFORNIA STATE UNIVERSITY

CONTENTS Executive Summary... 1 Introduction... 3 Background... 3 Purpose... 5 Scope and Methodology... 6 OBSERVATIONS, RECOMMENDATIONS, AND CAMPUS RESPONSES Physical Security... 7 Data Center Alarm... 7 Network Closet Security... 7 Fire Protection and Environmental Controls... 8 Emergency Preparedness and Training... 9 ii

CONTENTS APPENDICES APPENDIX A: APPENDIX B: APPENDIX C: Personnel Contacted Campus Response Chancellor s Acceptance ABBREVIATIONS CIO CSU FISMA ICSUAM IT OUA SAM Chief Information Officer California State University Financial Integrity and State Manager s Accountability Act Integrated CSU Administrative Manual Information Technology Office of the University Auditor State Administrative Manual iii

EXECUTIVE SUMMARY As a result of a systemwide risk assessment conducted by the Office of the University Auditor (OUA) during the last quarter of 2011, the Board of Trustees, at its January 2012 meeting, directed that Data Center Operations be reviewed. The OUA had previously reviewed some aspects of Data Center Operations in the 2008 and 2009 audits of Information Security and the 2010 and 2011 audits of IT Disaster Recovery Planning. The OUA also reviewed Data Center Operations in the biennial Financial Integrity and State Manager s Accountability Act (FISMA) audits, the last of which was performed on campus in 2008. We visited the Dominguez Hills campus from February 20, 2012, through March 9, 2012, and audited the procedures in effect at that time. Our study and evaluation did not reveal any significant internal control problems or weaknesses that would be considered pervasive in their effects on controls over data center operations. However, we did identify other reportable weaknesses that are described in the executive summary and body of this report. In our opinion, the operational and administrative controls over data center operations in effect as of March 9, 2012, taken as a whole, were sufficient to meet the objectives stated in the Purpose section of this report. As a result of changing conditions and the degree of compliance with procedures, the effectiveness of controls changes over time. Specific limitations that may hinder the effectiveness of an otherwise adequate system of controls include, but are not limited to, resource constraints, faulty judgments, unintentional errors, circumvention by collusion, and management overrides. Establishing controls that would prevent all these limitations would not be cost-effective; moreover, an audit may not always detect these limitations. Our audit did not examine all controls over data center operations but was designed to assess management controls, increase awareness of the topic, and assess regulatory compliance for significant data center operations categories that are prevalent in the California State University environment. The following summary provides management with an overview of conditions requiring attention. Areas of review not mentioned in this section were found to be satisfactory. Numbers in brackets [ ] refer to page numbers in the report. PHYSICAL SECURITY [7] The campus data center was not equipped with a security alarm, and network wiring rooms in certain buildings were not adequately secured to prevent unauthorized access to network switches. FIRE PROTECTION AND ENVIRONMENTAL CONTROLS [8] Information technology personnel who worked in and near the data center had not been trained in the operation of the center s Halon fire suppression system. Page 1

EXECUTIVE SUMMARY EMERGENCY PREPAREDNESS AND TRAINING [9] The campus did not have documented data center emergency procedures, and disaster instructions were not posted prominently throughout the data center or on the employee bulletin board. Page 2

INTRODUCTION BACKGROUND Integrated California State University Administrative Manual (ICSUAM) 8000.0, Information Security Policy, dated April 19, 2010, represents the most recent and specific guidance to campuses regarding the security and protection of data center operations. It provides direction for managing and protecting the confidentiality, integrity, and availability of California State University (CSU) information assets and defines the organizational scope of information security throughout the system. Specifically, the policy states that the Board of Trustees is responsible for protecting the confidentiality, integrity, and availability of CSU information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the mission of the CSU, violate individual privacy rights, and possibly constitute a criminal act. ICSUAM 8000.0 further states that it is the collective responsibility of all users to ensure the confidentiality of information that the CSU must protect from unauthorized access; the integrity and availability of information stored on or processed by CSU information systems; and compliance with applicable laws, regulations, and CSU or campus policies governing information security and privacy protection. The policy applies to all campuses; central and departmentally managed campus information assets; all users employed by campuses or any other person with access to campus information assets; all categories of information, regardless of the medium in which the information asset is held or transmitted (e.g., physical or electronic); and information technology facilities, applications, hardware systems, and network resources owned or managed by the CSU. ICSUAM 8080 states that each campus must identify physical areas that must be protected from unauthorized physical access. Such areas include data centers and other locations on the campus where information assets containing protected data are stored. Campuses must protect these limited-access areas from unauthorized physical access while ensuring that authorized users have appropriate access. Campus information assets that access protected data located in public and non-public access areas must be physically secured to prevent theft, tampering, or damage. The level of protection provided must be commensurate with that of identifiable risks. Campuses must review and document physical access rights to campus limited-access areas annually. State Administrative Manual (SAM) 5330 states that physical security practices prevent unauthorized physical access, damage, and interruption to an agency s assets. Physical security practices for each facility must be adequate to protect the most sensitive information technology application housed in that facility. Agencies must take the appropriate physical security measures to provide for: management control of physical access to information assets (including personal computer systems, computer terminals, and mobile devices) by agency staff and outsiders; prevention, detection, and suppression of fires; and prevention, detection, and minimization of water damage and loss or disruption of operational capabilities due to electrical power fluctuations or failure. SAM 5335 states that agencies are responsible for the management and operation of their information processing facilities. The security program should identify and document the appropriate practices to Page 3

INTRODUCTION ensure the integrity and security of the agency s information assets. SAM 5335 references International Standards Organization 17799 Section 9, Physical and Environmental Security, and National Institute of Standards and Technology Special Publication 800-12 (Chapter 15), along with other standards and guidance criteria. Historically, data center operations were reviewed by the CSU Office of the University Auditor (OUA) as part of cyclical audits based on the Financial Integrity and State Manager s Accountability Act (FISMA) of 1983, passed by the California Legislature and detailed in Government Code 13400 through 13407. Beginning in calendar year 2010, cyclical FISMA audits were reevaluated and discontinued due to a change in the OUA audit risk assessment methodology. Using the new procedure, the OUA worked with CSU campus executive management to identify high-risk areas on each campus. Data Center Operations was selected as a high-risk area to review in 2012. Page 4

INTRODUCTION PURPOSE Our overall audit objective was to ascertain the effectiveness of existing policies and procedures related to the administration and control of data center operations; determine the adequacy of controls over the related processes; and ensure compliance with relevant governmental regulations, Trustee policy, Office of the Chancellor directives, and campus procedures. Within the overall audit objective, specific goals included determining whether: Certain essential administrative and managerial internal controls are in place, including delegations of authority and responsibility, management committees, and documented policies and procedures. Data processing facilities employ physical security safeguards for achieving and maintaining appropriate protection of organizational assets. Data processing facilities contain adequate fire supression provisions and employ controls that help maintain a proper operating environment. Handling procedures for backup media ensure that the movement and storage of tapes is controlled and accountable. Formal event reporting and escalation procedures are in place for job scheduling. Change management procedures are sufficient to ensure that modifications to the systems or network are authorized. Management review of help desk activities ensures a proactive approach toward determining whether there is a systemic cause to problems reported. Page 5

INTRODUCTION SCOPE AND METHODOLOGY The proposed scope of the audit as presented in Attachment A, Audit Agenda Item 2 of the January 24 and 25, 2012, meeting of the Committee on Audit stated that Data Center Operations would include review and compliance with Trustee policy, federal and state directives, and campus policies and procedures; physical security provisions; environmental controls; processing and scheduling controls; backup and recovery processes; and emergency preparations. Our study and evaluation were conducted in accordance with the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors and included the audit tests we considered necessary in determining that operational and administrative controls are in place and operative. This review emphasized, but was not limited to, compliance with state and federal laws, Board of Trustee policies, and Office of the Chancellor and campus policies, letters, and directives. The audit review focused on procedures currently in effect. We focused primarily upon the administrative, compliance, operational, and technical controls over the campus data center, network rooms, and personnel operations. Specifically, we reviewed and tested: Data center policies and procedures. Computer operations organizational structure and management framework. Physical security over data processing facilities. Fire prevention and environmental controls. Emergency preparedness and training. Storage and handling of backup media. Job scheduling. Change management. Help desk support. Our testing and methodology was designed to provide a managerial-level review of key data processing practices over data center operations. Our review did not examine all categories of computer operations; selected IT processes not related to the data center or related data processing facilities were excluded from the scope of the review. Our testing approach was designed to provide a view of the security and controls used to protect only key computing and business processes. Page 6

OBSERVATIONS, RECOMMENDATIONS, AND CAMPUS RESPONSES PHYSICAL SECURITY DATA CENTER ALARM The campus data center was not equipped with a security alarm. Integrated California State University Administrative Manual (ICSUAM) 8080, Physical Security, dated April 19, 2010, states that each campus must identify physical areas that must be protected from unauthorized physical access. California State University, Dominguez Hills VISC Data Center Physical Control Guideline states that campus physical controls must be adequate to protect critical or protected data. Such controls must prevent, detect, suppress fire, water damage, and loss or disruption of operational capabilities due to electrical power fluctuations or failure. The chief information officer (CIO) stated that the computer room has locked doors and external surveillance cameras, and the entire building is locked at night. Failure to detect unauthorized entry to the server room increases the risk of security breaches and theft of computing equipment. Recommendation 1 We recommend that the campus evaluate the feasibility of installing a security alarm. Campus Response We concur. The campus has evaluated the feasibility of installing a security alarm system and has made a decision to move forward on the installation of the alarm. Expected completion date: Completed NETWORK CLOSET SECURITY Network wiring rooms in certain buildings were not adequately secured to prevent unauthorized access to network switches. Specifically, we noted that: The network rack in the theater building was located in an open stairwell and was unlocked. The network box in the gymnasium was unlocked. Several rooms had roof access that was not appropriately secured. Two rooms were accessible to janitorial personnel. Page 7

OBSERVATIONS, RECOMMENDATIONS, AND CAMPUS RESPONSES ICSUAM 8080, Physical Security, dated April 19, 2010, states that each campus must identify physical areas that must be protected from unauthorized physical access. California State University, Dominguez Hills VISC Data Center Physical Control Guideline states that campus physical controls must be adequate to protect critical or protected data. Such controls must prevent, detect, suppress fire, water damage, and loss or disruption of operational capabilities due to electrical power fluctuations or failure. The CIO stated that the campus had designed secure network rooms in the newer buildings, but that some of the older locations were shared with campus facility operations, and additional coordination of security requirements was needed. Failure to prevent unauthorized access to network rooms increases the risk of security breaches and theft of computing equipment. Recommendation 2 We recommend that the campus: a. Adequately secure the cited network wiring rooms. b. Evaluate and, if necessary, adequately secure all other network wiring rooms. Campus Response We concur. a. The campus will adequately secure the cited network wiring rooms. b. The campus will evaluate, and if necessary, adequately secure other network wiring rooms. Expected completion date: October 2012 FIRE PROTECTION AND ENVIRONMENTAL CONTROLS Information technology (IT) personnel who worked in and near the data center had not been trained in the operation of the center s Halon fire suppression system. State Administrative Manual (SAM) 5355.1 states that disaster recovery plans and other IT procedures should be developed to ensure that critical services and applications are restored as quickly as possible and with minimal loss of data. The CIO stated that the data center environmental systems were maintained and supported by trained facilities personnel. Page 8

OBSERVATIONS, RECOMMENDATIONS, AND CAMPUS RESPONSES Failure to train personnel on the data center emergency systems could lead to misunderstanding and confusion in the event of a disaster or emergency. Recommendation 3 We recommend that the campus train IT personnel who work in and near the data center in the operation of the center s Halon fire suppression system. Campus Response We concur. The campus has made a conscious decision to continue operations as currently practiced. The IT staff will leave the area in the event of the Halon fire suppression system triggering, leaving the operation of the system to qualified physical plant staff. Expected completion date: Completed EMERGENCY PREPARDNESS AND TRAINING The campus did not have documented data center emergency procedures, and disaster instructions were not posted prominently throughout the data center or on the employee bulletin board. SAM 5355.1 states that disaster recovery plans and other IT procedures should be developed to ensure that critical services and applications are restored as quickly as possible and with minimal loss of data. The CIO stated that the data center is normally unattended, and he was unaware of the requirement to post emergency and disaster instructions throughout the center. Failure to document emergency and disaster instructions and post them prominently could lead to misunderstanding and confusion in the event of a disaster or emergency. Recommendation 4 We recommend that the campus document data center emergency procedures and post them prominently throughout the data center and on the employee bulletin board. Campus Response We concur. The campus will document data center emergency procedures and post them prominently throughout the data center and on the employee bulletin board. Expected completion date: October 2012 Page 9

APPENDIX A: PERSONNEL CONTACTED Name Willie Hagan Mildred Garcia Mahabub Alam Ron Bergmann Ed Laio Danny Lujan Mary Ann Rodriquez Jonathan Scheffler Karen Wall Muneca Williams Title Interim President (Currently) President (At time of review) Network Specialist, Campus Backbone Network Associate Vice President and Chief Information Officer, Information Technology (IT) Network Analyst Director of Infrastructure Vice President, Administration and Finance Associate Director, Physical Plant Associate Vice President, Administration and Finance IT Administrative Support Assistant

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback