Presentation is loading. Please wait.

Presentation is loading. Please wait.

Audit Considerations of Data Center Consolidation Jon Ingram Audit Manager Information Technology Audits Florida Auditor General 1.

Published byEthan Rice Modified over 9 years ago

Similar presentations

Presentation on theme: "Audit Considerations of Data Center Consolidation Jon Ingram Audit Manager Information Technology Audits Florida Auditor General 1."— Presentation transcript:

1 Audit Considerations of Data Center Consolidation Jon Ingram Audit Manager Information Technology Audits Florida Auditor General 1

2 Florida’s Data Center Consolidation Agency IT systems being transferred to three primary data centers (PDCs) – “as is.” Transition of custodial responsibilities for IT equipment. Standardization of IT services and infrastructure to occur later. Agencies can use more than one PDC – and some do. Agencies keep most application support functions. PDCs and customers required by law to negotiate service level agreements. Audit impact – need for clear auditor understanding of division of PDC and customer responsibilities. 2

3 Primary Data Center Audits Some IT controls that are now the responsibility of the PDC are relevant to multiple customers. Efficiencies have been gained by auditing the PDCs vs. just auditing as part of audits of customer systems. Audits of PDCs to be done on periodic cycle. 3

4 Considerations for Audits of Customer Systems Determine which PDC(s) the customer is using. Understand the division of responsibilities between the PDC and the customer for the controls relevant to your audit objectives. Determine if the PDC has been recently audited and if the controls tested in the PDC audit are relevant to your audit objectives for the customer system. Determine if a service level agreement exists between the auditee and the PDC. 4

5 Service Level Agreements (SLAs) Florida law requires the PDCs and their customers to execute SLAs. SLA governs the relationship between the PDC and the customer. SLA should define the roles, responsibilities, and expectations of both parties. SLA should define the IT services to be provided by the PDC. SLA is a responsibility of both parties - the PDC and the customer. 5

6 Service Level Agreements (SLAs) Audit Considerations SLA is a good source of information on services to be provided by the PDC and the responsibilities of the customer. Lack of SLA is a potential compliance issue for both parties and could be relevant in audits of both parties. If no SLA, more difficult for auditor to determine what IT services and other expectations have been agreed upon by both parties. Lacking or poorly written SLA may increase risk that significant responsibilities are not met. 6

7 Information Security – Both PDC & Customer Are Responsible Data custodian now organizationally separate from data owner. Customer reliant on PDC for certain aspects of information security. Customer retains responsibility for other aspects of information security. 7

8 Information Security Audit Considerations Have customer security requirements and expectations been clearly communicated and agreed upon in writing? Likewise for PDC security requirements and expectations? Do customer and PDC security risk assessments and security plans appropriately address the division of responsibilities? 8

9 Logical Access Controls PDC may act as access administrator for the customer. For example, mainframe-level access privileges or rules in packages such as RACF or ACF2. 9

10 Logical Access Controls Audit Considerations Does an appropriate process exist for notifying PDC of changes in access requirements, especially terminations? Does PDC provide the customer appropriate reports for reviews of access? From whom should auditor request records of access privileges – the customer or the PDC? Possible impact on separation of duties and appropriateness of access? 10

11 Physical Access Controls at PDC During transition, some customers still own and retain responsibilities for operating and maintaining their IT equipment. Customer employees are granted access to PDC facilities. 11

12 Physical Access Controls Audit Considerations Is there a process for customer to authorize who can access their IT equipment being housed at the PDC? Does customer review physical access listing on regular basis? Does an appropriate process exist for removing physical access of former or reassigned customer employees? Is access to IT equipment of other customers appropriately restricted? 12

13 Network Controls Division of network responsibilities between PDC and customer. Each responsible for their own network infrastructure. Division of responsibilities may differ depending on nature of application infrastructure and services provided by PDC to the customer you are auditing. Audit consideration - where is the point of demarcation? 13

14 Change Controls Application change control staying with customers. Audit consideration – what is the division of responsibilities between customer and PDC for non-application change management? For example, what about IT infrastructure configuration management? 14

15 Disaster Recovery Audit Considerations Has customer ensured that the SLA sufficiently addresses disaster recovery services to be provided by the PDC? If not explicitly defined in the SLA, is customer in a position to rely on PDC for needed backup and recovery services? 15

16 Cost Allocation and Billing Audit Considerations Is there an agreed-upon methodology? Is it consistent, equitable, and documented? Does it adequately cover the PDC’s near-term cost? How are long-term PDC capital requirements addressed? Does it accommodate external cost reporting requirements of customers (e.g., Federal cost allocation requirements)? 16

17 Future Audit Considerations Revisit audit procedures as full service transfer is completed. Impact on customers of PDC movement toward standardized services and infrastructure. Capacity planning of PDCs. – Floor space. – Power. – Environmental controls (e.g., cooling). 17

18 Questions? 18

Download ppt "Audit Considerations of Data Center Consolidation Jon Ingram Audit Manager Information Technology Audits Florida Auditor General 1."

Similar presentations

EMS Checklist (ISO model)

EMS Checklist (ISO model)
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
ORGANIZATION. 2 Problem scenario  Develop an organizational chart for your laboratory showing lines of authority from the head of the organization to.

ORGANIZATION. 2 Problem scenario  Develop an organizational chart for your laboratory showing lines of authority from the head of the organization to.
Information Systems Audit Program (cont.). PHYSICAL SECURITY CONTROLS.

Information Systems Audit Program (cont.). PHYSICAL SECURITY CONTROLS.
Department of Transportation Support Services Branch ODOT Procurement Office Intergovernmental Agreements 455 Airport Rd. SE, Bldg K Salem, OR 97301-5348.

Department of Transportation Support Services Branch ODOT Procurement Office Intergovernmental Agreements 455 Airport Rd. SE, Bldg K Salem, OR
Management of IT Environment (5) LS 2012/2013 1 Martin Sarnovský Department of Cybernetics and AI, FEI TU Košice ITIL:Service Design IT Services Management.

Management of IT Environment (5) LS 2012/ Martin Sarnovský Department of Cybernetics and AI, FEI TU Košice ITIL:Service Design IT Services Management.
1 Outsourcing Contract and Service Level Issues Sharon O’Bryan Week 5 November 2, 2004.

1 Outsourcing Contract and Service Level Issues Sharon O’Bryan Week 5 November 2, 2004.
Service Design / SLA Architecture “Services are a means of delivering value to customers by facilitating outcomes customers want to achieve without the.

Service Design / SLA Architecture “Services are a means of delivering value to customers by facilitating outcomes customers want to achieve without the.
MODULE 8 MONITORING INDIANA HPRP Training 1. Role of Independent Financial Monitors 2 IHCDA is retaining an independent accounting firm to monitor its.

MODULE 8 MONITORING INDIANA HPRP Training 1. Role of Independent Financial Monitors 2 IHCDA is retaining an independent accounting firm to monitor its.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.

OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.
Sarbanes-Oxley Compliance Process Automation

Sarbanes-Oxley Compliance Process Automation
EMS Auditing Definitions

EMS Auditing Definitions
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
IS Audit Function Knowledge

IS Audit Function Knowledge
Date: 03/05/2007 Vendor Management and Metrics. 2 A.T. Kearney X/mm.yyyy/00000 AT Kearney’s IT/Telecom Vendor Facts IT/Telecom service, software and equipment.

Date: 03/05/2007 Vendor Management and Metrics. 2 A.T. Kearney X/mm.yyyy/00000 AT Kearney’s IT/Telecom Vendor Facts IT/Telecom service, software and equipment.
Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)

Similar presentations

Ads by Google