ASSURING BUSINESS CONTINUITY THROUGH CONTROLLED DATA CENTER


IT Audit, Information Security & Risk Insight Africa 2014
Johnson Falana, CISA, MIT, CEH, COBIT 5
proverb814@yahoo.com

Overview

Information technology (IT) processing facilities, usually referred to as data centers, are at the core of most modern organizations' operations, supporting almost all critical business activities. Ideally, the following should be in place in a data center before reliable business continuity can be achieved:
- Physical access control infrastructure
- Environmental controls
- Power and network connectivity
- Fire suppression systems
- Alarm systems

Outline
- Background
- Data Center & New Definition
- Need for Business Continuity
- Major Data Center Threats
- Auditor's Roles
- Data Center Auditing Essentials

Background

Ever since the first general purpose electronic computer (the Electronic Numerical Integrator and Computer, or ENIAC) was created in 1946, computer systems have had specific environmental, power, and physical security requirements. Beginning in the late 1950s, as mainframe computers became more widely available, data centers were created for the express purpose of meeting these requirements. Now, most organizations have their own data centers or co-locate their systems in a shared facility.

[Image: IBM mainframe computer]

Data Center

New definition: A data center is where the necessary infrastructure, such as computer hardware, security measures, temperature & humidity control and support engineers, must all be in place before the servers and their connectivity can be made available for company use.

Old definition: A data center is a facility that is designed to house an organization's critical systems, which comprise computer hardware, operating systems, and applications.

Difference: A dedicated data center must be reliable, providing uptime in excess of 99.999%. (Source: 2012 Skybox Security)

Data Center (continued)

The new definition is the more correct one, because it is built around CONTROL: hardware, security measures, temperature & humidity control and support engineers must all be in place before servers and connectivity are made available. The old definition (a facility designed to house an organization's critical systems: computer hardware, operating systems, and applications) is correct, but it says nothing about the controls that make the facility dependable.

It has been estimated that there are approximately 75,000 major data centres in the United States alone, housing corporate, governmental and military operations; globally, the number of data centres likely extends into the hundreds of thousands.

Need for Business Continuity

Data centres have evolved into mission-critical facilities requiring business continuity on a 24x7x365 basis. There was a time when temporary business interruptions were a minor and relatively inexpensive inconvenience to the operation of IT and telecommunication facilities. However, with modern society's reliance on the interconnected global IT infrastructure for much of what we consider everyday life, the loss of IT/telecommunications service can have a dramatic effect that extends well beyond the affected business, negatively impacting clients, suppliers, whole industries, and society at large. Modern data centres and telecommunications facilities house a vast array of expensive and sensitive electronic devices connected together and configured to analyze, collect, distribute, manage and store information. They are vital to business continuity and their protection needs careful thought.

Major Data Center Threats

A threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm. It can be intentional or accidental.
- Natural, such as weather events, flooding, earthquakes, and fire
- Manmade, such as terrorist incidents, riots, theft, and sabotage
- Environmental hazards, such as extreme temperatures and humidity
- Loss of utilities, such as electrical power and telecommunications

Data Center Fire

Auditor's Roles: Disaster Preparedness

The auditor's job is to identify and measure physical and administrative controls at the facility that mitigate the risk of data-processing disruptions, including the following:
- System resiliency
- Data backup and restore
- Disaster recovery planning

Data Center Auditing Essentials

Test steps for auditing data centers. The following areas should be addressed during the data center audit:
- Neighborhood and external risk factors
- Physical access controls
- Environmental controls
- Power and electricity
- Fire suppression
- Data center operations
- System resiliency
- Data backup and restore
- Disaster recovery planning

Detailed steps

1. Review data center exterior lighting, building orientation, signage, fences, and neighborhood characteristics to identify facility-related risks.
2. Research the data center location for environmental hazards and to determine the distance to emergency services.
3. Review data center doors and walls to determine whether they protect the facilities adequately.
4. Evaluate physical authentication devices to determine whether they are appropriate and are working properly.
5. Ensure that physical access control procedures are comprehensive and being followed by data center and security staff.
6. Ensure that burglar alarms and surveillance systems are protecting the data center from physical intrusion.
7. Review security guard building round logs and other documentation to evaluate the effectiveness of the security personnel function.
8. Verify that HVAC systems maintain constant temperatures within the data center.
9. Ensure that a water alarm system is configured to detect water in high-risk areas of the data center.
10. Determine whether the data center has redundant power feeds.
11. Verify that ground-to-earth exists to protect computer systems.
12. Ensure that power is conditioned to prevent data loss.
13. Verify that battery backup systems are providing continuous power during momentary black-outs and brown-outs.
14. Ensure that generators protect against prolonged power loss and are in good working condition.
15. Ensure that data center building construction incorporates appropriate fire suppression features.
16. Ensure that data center personnel are trained properly to perform their job functions.
17. Ensure that data center capacity is planned to avoid unnecessary outages.
18. Verify that procedures are present to ensure secure storage and disposal of electronic media.
19. Verify that systems can be restored from backup media.
20. Ensure that backup media can be retrieved promptly from off-site storage facilities.
21. Ensure that a disaster recovery plan (DRP) exists and is comprehensive, and that key employees are aware of their roles in the event of a disaster.
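Several of these steps can be tested against the facility's own monitoring records rather than by interview alone. The following is an added example, not part of the original slides, that evaluates a constructed monitoring log against steps 8 (constant temperature), 10 (redundant feeds) and 13 (battery backup bridging an outage); the temperature band, the UPS runtime and the log format are assumptions standing in for the facility's operating specification.

```python
"""Evaluate constructed monitoring evidence against audit steps 8, 10 and 13.

Added example, not from the original slides. Thresholds (temperature band,
UPS rated runtime) are assumptions standing in for the facility's own spec.
"""
from datetime import datetime

TEMP_BAND_C = (18.0, 27.0)   # assumed operating band for step 8 (HVAC)
UPS_RUNTIME_MIN = 10         # assumed rated battery runtime for step 13

# Constructed sample log: "<ISO time> <kind> <id> <value>", one event per line.
SAMPLE_LOG = """\
2024-03-01T00:00:00 temp hall1 22.0
2024-03-01T00:10:00 temp hall1 29.1
2024-03-01T00:20:00 temp hall1 23.0
2024-03-01T00:00:00 feed A UP
2024-03-01T00:00:00 feed B UP
2024-03-01T00:15:00 feed A DOWN
2024-03-01T00:30:00 feed B DOWN
2024-03-01T00:48:00 feed B UP
2024-03-01T00:50:00 feed A UP
"""

def parse(log):
    """Yield (timestamp, kind, id, value) tuples from the whitespace log format."""
    for line in log.splitlines():
        ts, kind, ident, value = line.split()
        yield datetime.fromisoformat(ts), kind, ident, value

def audit(log, temp_band=TEMP_BAND_C, ups_runtime_min=UPS_RUNTIME_MIN):
    """Return (step, finding) tuples for the auditor's workpapers."""
    findings = []
    feeds = {}          # feed id -> last reported state
    dark_since = None   # time at which the last live feed dropped
    for ts, kind, ident, value in sorted(parse(log)):
        if kind == "temp":
            if not temp_band[0] <= float(value) <= temp_band[1]:
                findings.append((8, f"{ident} at {value} C outside band at {ts:%H:%M}"))
        elif kind == "feed":
            feeds[ident] = value
            live = [f for f, s in feeds.items() if s == "UP"]
            if not live and dark_since is None:
                dark_since = ts                      # facility now on battery only
            elif live and dark_since is not None:
                minutes = (ts - dark_since).total_seconds() / 60
                if minutes > ups_runtime_min:        # UPS could not have bridged this
                    findings.append((13, f"all feeds down {minutes:.0f} min, exceeds UPS runtime"))
                dark_since = None
    if len(feeds) < 2:                               # step 10: redundancy never evidenced
        findings.append((10, "fewer than two power feeds observed"))
    return findings
```

On the constructed log the function reports one temperature excursion and one 18-minute dual-feed outage that exceeds the assumed UPS runtime, the kind of evidence that would drive follow-up on generator start-up (step 14).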

Thank You

Questions?