The Data Center is an integral and essential part of an organization’s IT infrastructure because the Data Center houses all IT infrastructures and support equipment. To ensure the safety, effectiveness, and efficiency of a Data Center, periodic security assessment or auditing of physical IT hardware, peripheral and security equipment, and supporting gear such as power and cooling is required.
The internal audit team or department with assurance or oversight responsibilities is accountable for doing a Data Center audit as needed. The scope of the data center audit should reasonably cover all business aspects such as Data Center Operations, infrastructures, management, and human capacity. It should be part of the audit work program for the Data Center.
The primary purpose of data center audits is to evaluate the adequacy, effectiveness, and efficiency of the controls in place to minimize risks such as unauthorized access to the data center, business interruptions, theft of information assets, security, emergency, and environmental hazards.
Below, you can find the audit checklist that can be used to perform an IT Data Center audit successfully. The data center audit checklist controls outlined here are general core controls that can be adopted and used in the context of organizations’ operating environments, regulatory policies, and applicable laws. Still, it should be noted that they may also have additional controls.
Data Center Audit Scope
Datacenter operations generally include access to an information processing facility or data center, visitor restriction, asset protection, information processing facility identification, offsite storage facility access, policies and procedures, personnel, incident management, security and emergency procedures (fire and flood hazard), environmental control (temperature and humidity) monitoring, power system adequacy and redundancy checks.
However, data center infrastructure assessment requires special attention to the following areas:
- Datacenter operating policies and procedures.
- Physical security controls.
- Environmental controls.
- Incident management.
- Infrastructure maintenance
- Cabling, rack, and telecommunications management.
- Service monitoring and availability management.
- Business continuity management.
- Disaster recovery planning
- Power supply adequacy and redundancy
- Security and emergency procedures
Data Center Audit Checklist
Data Center Human and Process Management
- Obtain the Data Center organizational chart with organizational structure and job descriptions.
- Confirm that each staff member has documented job descriptions.
- Interview all personnel in the data center and identify the processes and procedures required to perform their job functions.
- Identify risks associated with processes and confirm the adequacy of controls to minimize risk.
- Data Center Organization and Management
- Is there a standard data center operating policy and guidance?
- Have the data center operating policy and guidance been approved by senior management?
- Is the operating policy descriptive enough to guide the management and operation of the data center?
- Are the data center operators aware of the existence of the user manual?
- Is there a mechanism for reviewing the operating manual regularly to reflect changes and improvements in data center operations and to verify that best practices are followed?
- Maintain an operator logbook to capture critical events and corrective actions in the data center.
- Confirm that each duty shift in the data center has a handover report written on the completion of their shift on activities performed and key issues to assist with smooth takeover until the next shift.
- Confirm that the registry or portal is frequently reviewed by management.
- Keep track of End of Day (EOD) or End of Month (EOM) events and processes to prevent system breaches, suppression of malicious acts, or service failures.
- Confirm that EOD/EOM activities and processes are regularly reviewed to ensure no service issues or malicious acts are overlooked.
- Confirm that incidents recorded during EOD/EOM processing are promptly forwarded to relevant administrative persons for resolution.
Data Center Capacity Utilization
- Implement capacity management and planning measures.
- Ensure that resource monitoring software is installed to monitor the capacity usage of resources on all relevant servers, especially critical systems and applications.
- Review system resource usage reports and identify times of peak resource demand during the processing day.
- Confirm that IT management receives feedback on system capacity usage reports to plan future server or application acquisition as part of their strategic function.
- Determine whether the capacity planning performed, such as processor, memory, or disk, is consistent with and integrated into long-term strategic plans.
Data Center Performance Management
- Implement performance measurement and monitoring systems.
- Determine if performance measurement process services and infrastructure are in place.
- Determine if the system outage is recorded or monitored.
- Confirm that alerts and notifications are set to follow agreed resource thresholds so that systems trigger or alert Operators when set points are violated or exceeded.
- Verify that system downtime or outage is being actively monitored to prevent service failure.
- Data Center Backup Environment and Management
- Implement adequate controls to ensure accountability and protection of backup media produced at the main site and their transfer and retrieval to the offsite storage facility.
- Confirm that all tapes sent to the offsite storage facility are appropriately documented and authorized before transfer.
- Confirm that the method of transferring tapes to the offsite storage facility is secure and adequately protected against theft or danger.
- Examine the box or case and the tape transfer process to ensure the safety of the tapes.
- Verify that tapes and other media are encrypted to prevent them from being accessed or compromised in the event of theft or loss.
- Verify that the default encryption code has been changed and is not used to encrypt tape drives during backup.
- Are all visitors to the offsite facility required to sign a logbook stating their name, the reason for visit, time and date, or record their presence?
- Our recovery processes of storage media (tape and hard drives) are documented and adequately controlled to ensure that the correct tapes are retrieved, and appropriate entitlements are available?
- Is storage media (tapes and hard drives) correctly indexed and labeled to facilitate easy storage and retrieval?
Data Center Environmental Control and Monitoring Systems
- Ensure that data center operators and other personnel on-site are adequately trained on how to respond in the event of a fire.
- Are the data center operators adequately trained to do different fire emergencies or security breaches occur?
- Are other personnel in the facility sufficiently responsive to what to do when fire emergencies occur?
- Verify that authorized persons are assigned to critical areas of the facility and are adequately equipped with essential tools to coordinate emergency evacuation activities.
- Ensure that frequent fire drills are conducted to create the necessary awareness of all employees to respond adequately to emergency or fire incidents.
- Install fire equipment and other emergency controls and ensure it is adequately maintained and tested to respond to any fire exits.
- Are fire alarm pull boxes and emergency power switches visible, marked and unobstructed?
- Are there clear and adequate fire instructions at all locations in and around the data center?
- Ensure the emergency phone numbers for fire officials are prominently placed around the facility for easy access and usage in the case of a fire.
- Are smoke and heat detectors periodically tested to determine operating conditions and their ability to detect the presence of fire or smoke when needed?
- Are smoke detectors strategically placed under raised floors and on the data center ceiling to easily detect smoke or fire?
- Are there enough fire alarm pull boxes in and around the data center?
- Are operators given individual responsibilities in case of fire?
- Are operators trained on firefighting periodically?
- How often are fire drills held?
- Are FM200 fire extinguishers installed in the data center for fire fighting?
- Are FM200 extinguishers maintained and serviced by their service lifecycle?
- Is firefighting equipment periodically tested to determine its operational status and ability to respond to a disaster in an emergency?
- Are there flammable materials in and around the data center area?
- Flammable materials should not be kept around the data center as they are fire-inducing and can help the fire spread.
- Implement controls to adequately prevent floods and other disasters from affecting the data center.
- Is the data center built on a raised floor?
- Are the materials used for the raised floor or floor of the data center non-combustible or non-conducive to the fire spread?
- Are there water lines or pipes running through or near the data center area to prevent flooding?
- Is there an environmental monitoring and control system (EMCS) installed in the data center to ensure that the data center’s temperature and humidity levels are managed and monitored?
- Is the data center environmental monitoring and control system (EMCS) periodically tested?
- Are the EMCS configurations adequate to ensure that triggers or alerts are sent to the appropriate individuals when temperature and humidity conditions within the data center fall or rise above acceptable limits or thresholds?
- Implement a main wiring and cabling system in and around the data center to prevent physical damage.
- Check to make sure electrical power cords and cables around the data center are well organized in enclosures to prevent physical damage.
- Does the data center have a redundant cooling system?
- Is there a UPS system to back up the data center electricity?
- What is the backup capacity of the UPS System?
- When was the UPS system last tested?
- Make sure there are no exposed power cords to avoid electrical shock to personnel.
- Protect signal and data cables in PVC housings to prevent signal dropout or malicious eavesdropping.
- Inspect all signal and data cables on servers and network devices to ensure they are not subject to interference or touch.
Data Center Physical Access Controls
- Implement a biometric or smart card access control device to restrict access to the data center.
- Confirm a procedure to grant users access to the data center and set up the authorization process.
- Do all personnel enter the data center enter from an entry point controlled by a biometric or smart card access control device that the Data Center Manager monitors?
- Ensure there is a procedure for reviewing biometric or smart card activity logs.
- Confirm that log reviews are performed by the Data Center Administrator or an authorized person.
- Do biometric or smart card devices restrict access based on an individual’s unique access credentials?
- Do biometric or smart card devices restrict access to designated doors for users or at a particular time of day?
- Are biometric or smart card access methods challenging to replicate or compromise?
- Are there procedures for disabling user access if biometric or smart card devices leave the organization?
- Do access devices such as biometrics or smart cards automatically generate a silent or audible alarm when attempting unauthorized access?
- Do biometric or smart card devices automatically record and report successful data center access and failed attempts?
- Is it a carefully controlled administrative process of the smart card or biometric card’s issuance, accounting, and recovery?
- Request smart cards of users leaving the organization.
- Confirm that access logs of biometric or smart card devices are received and retained for a reasonable period.
- Verify that logs are backed up to external media to be retained for research purposes as needed.
- Are there video cameras monitored by security personnel at strategic points in the data center?
- Is video surveillance recorded for possible future checks?
- Is there an alarm system connected to inactive entry points to the data center?
- Are employees and visitors required to wear a photo ID or ID card?
- Monitor and restrict visitors’ access to the data center.
- Do all visitors have to sign a visitor diary stating their name, companies represented, reasons for visiting, and people to see before accessing the data center?
- Do visitors need to provide a method to authenticate before gaining access?
- Do visitors need to wear a different color ID card than the employee badge for easy identification?
- Is it necessary for guests to be accompanied by a responsible employee?
- Our personnel with special service contracts, such as cleaning personnel, monitored during the performance of their duties?
Data Center Inventory Management
- Is an inventory of the assets in the data center maintained?
- Is the inventory of assets in the data center up-to-date?
- Is the asset inventory in the data center reviewed?
- Are all assets in the data center adequately labeled?
- Does the vendor have contact information for the relevant systems in the data center in an emergency?
Data Center Incident Management Controls
- Does the Data Center have an Incident Management policy?
- What methodologies are adopted for Incident Management?
- Have management roles and processes been developed to guarantee that information security events are handled quickly, effectively, and orderly?
- Have roles and responsibilities been defined for incident management?
- Are incidents documented and reported?
- Is root cause analysis performed to prevent incidents from occurring?
- Are emergency plans in place?
Data Center Disaster Recovery and Business Continuity Management
- Do you have a disaster recovery plan?
- Are all processes documented in the case of Disaster Recovery?
- Does the Disaster Recovery policy specify roles and responsibilities for planning, testing, oversight management, and accountability?
- How often is the Disaster Recovery site tested?
- Are disaster recovery test reports approved by the relevant administrator?