ASSURING BUSINESS CONTINUITY THROUGH CONTROLLED DATA CENTER IT Audit, Information Security & Risk Insight Africa 2014 Johnson Falana CISA,MIT,CEH,Cobit5 proverb814@yahoo.com
Overview Information technology (IT) processing facilities, usually referred to as data centers, are at the core of most modern organizations' operations, supporting almost all critical business activities. Ideally, data centers should be embedded with the following before a reliable business continuity could be achieved: Physical access control infrastructure Environmental controls Power and network connectivity Fire suppression systems Alarm systems
Outline Background Data Center & New Definition Need for Business Continuity Major Data Center Threats Auditor s Roles Data Center Auditing Essentials
Background Ever since the first general purpose electronic computer (the Electronic Numerical Integrator and Computer, or ENIAC) was created in 1946, computer systems have had specific environmental, power, and physical security requirements. Beginning in the late 1950s, as mainframe computers became more widely available, data centers were created for the express purpose of meeting these requirements. Now, most organizations have their own data centers or co-locate their systems in a shared facility. Mainframe computer - IBM 4
Data Center new A Data Center is where the necessary infrastructure such as computer hardware, security measures, temperature & humidity control and support engineers must all be in place before the servers and their connectivity can be made available for company use.? old A data center is a facility that is designed to house an organization s critical systems, which comprise computer hardware, operating systems, and applications. Difference Dedicated data center must be reliable providing uptime in excess of 99.999% 2012 Skybox Security 5
Data Center More correct new A Data Center is where the necessary infrastructure such as computer hardware, security measures, temperature & humidity control and support engineers must all be in place before the servers and their connectivity can be made available for company use. CONTROL old A data center is a facility that is designed to house an organization s critical systems, which comprise computer hardware, operating systems, and applications. correct Difference It has been estimated that there are approximately 75,000 major data centres in the United States alone, housing corporate, governmental and military operations; globally, the number of data centres likely extends into the hundreds of thousands 6
Need for Business Continuity Data centres have evolved into mission-critical facilities requiring business continuity on a 242365 basis. There was a time when temporary business interruptions were a minor and relatively inexpensive inconvenience to the operation of IT and telecommunication facilities. However, with modern society s reliance on the interconnected global IT infrastructure for much of what we consider everyday life, the loss of IT/telecommunications service can have a dramatic effect that extends well beyond the affected business, negatively impacting clients, suppliers, whole industries, and society at large. Modern data centres and telecommunications facilities house a vast array of expensive and sensitive electronic devices connected together and configured to analyze, collect, distribute, manage and store information. They are vital to business continuity and their protection needs careful thought.
Major Data Center Threats Natural such as weather events, flooding, earthquakes, and fire Manmade such as terrorist incidents, riots, theft, and sabotage, Threats Environmental hazards such as extreme temperatures and humidity Loss of utilities such as electrical power and telecommunications A threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm. It can be intentional or accidental.. 8
Data Center Fire
Auditor s Roles Disaster Preparedness The auditor's job is to identify and measure physical and administrative controls at the facility that mitigate the risk of data-processing disruptions, including the following: System resiliency Data backup and restore Disaster recovery planning
Data Center Auditing Essentials Test steps for auditing data centers. The following areas should be addressed during the data center audit: Neighborhood and external risk factors Physical access controls Environmental controls Power and electricity Fire suppression Data center operations System resiliency Data backup and restore Disaster recovery planning
Detailed steps 1. Review Data Center Exterior Lighting, Building Orientation, Signage, Fences, and Neighborhood Characteristics to Identify Facility Related Risks. 2. Research the Data Center Location for Environmental Hazards and to Determine the Distance to Emergency Services. 3. Review Data Center Doors and Walls to Determine Whether They Protect the Facilities Adequately. 4. Evaluate Physical Authentication Devices to Determine Whether They are Appropriate and are Working Properly. 5. Ensure that Physical Access Control Procedures are Comprehensive and Being Followed by Data Center and Security Staff.
Detailed steps 6. Ensure that Burglar Alarms and Surveillance Systems are Protecting the Data Center from Physical Intrusion. 7. Review Security Guard Building Round Logs and Other Documentation to Evaluate the Effectiveness of the Security Personnel Function. 8. Verify that HVAC Systems Maintain Constant Temperatures within the Data Center. 9. Ensure that a Water Alarm System is Configured to Detect Water in High- Risk Areas of the Data Center. 10. Determine Whether the Data Center Has Redundant Power Feeds.
Detailed steps 11. Verify that Ground-to-Earth Exists to Protect Computer Systems. 12. Ensure that Power is Conditioned to Prevent Data Loss. 13. Verify that Battery Backup Systems are Providing Continuous Power During Momentary Black-Outs and Brown-Outs. 14. Ensure that Generators Protect Against Prolonged Power Loss and are in Good Working Condition. 15. Ensure that Data Center Building Construction Incorporates Appropriate Fire Suppression Features.
Detailed steps 16. Ensure that Data Center Personnel are Trained Properly to Perform Their Job Functions. 17. Ensure that Data Center Capacity is Planned to Avoid Unnecessary Outages. 18. Verify that Procedures are Present to Ensure Secure Storage and Disposal of Electronic Media 19. Verify that Systems Can Be Restored from Backup Media 20. Ensure that Backup Media Can Be Retrieved Promptly from Off-Site Storage Facilities. 21. Ensure that a Disaster Recovery Plan (DRP) Exists and is Comprehensive and that Key Employees are Aware of Their Roles in the Event of a Disaster.
Thank You
Questions?