Audit Process in Security Audit

Audit planning & preparation

The auditor should be adequately educated about the company and its critical business activities before conducting a data center review. The objective of the data center is to align data center activities with the goals of the business while maintaining the security and integrity of critical information and processes. To adequately determine if whether or not the client’s goal is being achieved, the auditor should perform the following before conducting the review:

Meet with IT management to determine possible areas of concern
Review the current IT organization chart
Review job descriptions of data center employees
Research all operating systems, software applications and data center equipment operating within the data center
Review the company’s IT policies and procedures
Evaluate the company’s IT budget and systems planning documentation
Review the data center’s disaster recovery plan

Establishing audit objectives

The next step in conducting a review of a corporate data center takes place when the auditor outlines the data center audit objectives. Auditors consider multiple factors that relate to data center procedures and activities that potentially identify audit risks in the operating environment and assess the controls in place that mitigate those risks. After thorough testing and analysis, the auditor is able to adequately determine if the data center maintains proper controls and is operating efficiently and effectively.

Following is a list of objectives the auditor should review:

Personnel procedures and responsibilities including systems and cross-functional training
Change management processes are in place and followed by IT and management personnel
Appropriate back up procedures are in place to minimize downtime and prevent loss of important data
The data center has adequate physical security controls to prevent unauthorized access to the data center
Adequate environmental controls are in place to ensure equipment is protected from fire and flooding

Performing the review

The next step is collecting evidence to satisfy data center audit objectives. This involves traveling to the data center location and observing processes and procedures performed within the data center. The following review procedures should be conducted to satisfy the pre-determined audit objectives:

Data center personnel – All data center personnel should be authorized to access the data center (key cards, login ID’s, secure passwords, etc.). Data center employees are adequately educated about data center equipment and properly perform their jobs. Vendor service personnel are supervised when doing work on data center equipment. The auditor should observe and interview data center employees to satisfy their objectives.

Equipment – The auditor should verify that all data center equipment is working properly and effectively. Equipment utilization reports, equipment inspection for damage and functionality, system downtime records and equipment performance measurements all help the auditor determine the state of data center equipment. Additionally, the auditor should interview employees to determine if preventative maintenance policies are in place and performed.

Policies and Procedures – All data center policies and procedures should be documented and located at the data center. Important documented procedures include: data center personnel job responsibilities, back up policies, security policies, employee termination policies, system operating procedures and an overview of operating systems.

Physical security / environmental controls – The auditor should assess the security of the client’s data center. Physical security includes bodyguards, locked cages, man traps, single entrances, bolted down equipment, and computer monitoring systems. Additionally, environmental controls should be in place to ensure the security of data center equipment. These include: Air conditioning units, raised floors, humidifiers and uninterruptible power supply.

Backup procedures – The auditor should verify that the client has backup procedures in place in the case of system failure. Clients may maintain a backup data center at a separate location that allows them to instantaneously continue operations in the instance of system failure.

source

The auditor should have a lot of preparation when performing security audit. To be prepared is the best tool an auditor can carry along with him when performing audit.