UNCC MBAD 7090 - Operational Control Issues


MBAD 7090
Chapter 14: Operational Control Issues
Fall, 2008
IS Security, Audit, and Control (Dr. Zhao)

Objectives
- Understand the concept of general operational controls
- Four key areas
- Two examples

Overview
- Operational or general controls are those controls that are related to the climate/environment and the global functionality.
- Not application specific
- Information technology and systems are complex, and one general control weakness can have a domino-like impact on the rest of the infrastructure.

Four Key Areas
- Organizational controls
- Data files and program controls
- Recoverability (backup, restart, disaster recovery) and environmental controls
- Physical security and access controls

Organizational Controls
- Standards
- Policies
- Procedures
- Not to do:
  - Lack of use
  - Only prepared for experienced staff
- To do:
  - Be tested periodically
  - Maintain logs of unusual events

Data Files and Program Controls
- File label:
  - Clear and updated
  - Both volume and content
- Library function
  - An inventory record
  - A procedure: who should be able to access what
  - Segregate custodial duties from operation duties

Recoverability and Environmental Controls
- Recoverability
  - Backup/restart
  - Disaster recovery
  - Business continuity
- Environmental
  - Climate
  - Geographic location
  - Fire
  - Contaminants

Physical Security Controls
- Facility access (Who has access to the server closet or router/communications closets?)
- Personnel badges
- Alarms and guards
- Office locks and CPU locks
- Wiring closets (Do they have a wiring diagram?) (Is it current?)

Environmental Controls
- Possible hazards:
  - Natural disasters
  - Airborne contaminants
  - Static electricity
  - Power surges, blackouts, and brownouts

An Example
General controls for a bank:
- Facility
  1. Security guard
  2. Cameras
  3. Access control w/badges
  4. Vault
  5. Timers
- Organization
  1. Business strategy
  2. Regulations
  3. Board of directors
  4. Credentials
- Data Files or Programs
  1. Policies
  2. Procedures
  3. Access control
  4. Professional standards
  5. Change control
- Recoverability
  1. DR plan
  2. DR tests

CoBiT
- Delivery & Support Domain
  - DS3: manage performance and capacity
  - DS4: ensure continuous service
  - DS8: assisting and advising information technology customers

Data Center Reviews
- Audit program areas (please see pp. 348-350):
  - Administration of IT Activities
  - Operating Systems Software and Data
  - Computer/Server Operations / Business Redemption and Continuity
  - Security Administration

Data Center Key Areas
- Software and Data Security Controls
- Physical and Environmental Controls
- Data Access Management
- Policy and Procedure
- Data and Software Backup Management
- Other Management Controls

Auditing the Call Center
- In House or Outsourced
- Functionality
- If Outsourced, security of data
- Metrics/Monitoring paramount
- Systems Development
- Data Integrity and Data Security
- Physical Security and Recovery
- Department Resources
- Compliance to Standards/Policy

Class Discussion
You are an internal auditor assigned to perform an operations audit of a data center. On reviewing the operations policy and procedures manuals, you find that the manuals appear to be fairly complete and up-to-date.
Q: Please describe three audit tests you would perform to test whether the manuals are actually used and

