
IT Physical Security Core Audit Program

By Lester Davis, 2014-11-13 15:03

    Core Audit Program

    Information Technology Physical Security

    I. Audit Approach

    As an element of the University’s core business functions (payroll, financials, student, and medical), Physical Security of IT Resources will be audited every three years. The minimum requirements set forth in the General Overview and Risk Assessment section, below, must be completed for the audit to qualify for core audit coverage. Following completion of the general overview and risk assessment, the auditor will use professional judgment to select specific areas for additional focus and audit testing. Specifically, the minimum scope of the risk assessment and audit will include the following as they relate to the Campus Data Center:

    • Environmental Controls
    • Natural Disaster Controls
    • Supporting Utilities Controls
    • Physical Protection and Access Controls
    • System Reliability
    • Physical Security Awareness and Training
    • Contingency Plans

    The estimated audit time for all sections is 260 hours. This estimate does not include report writing, exit meetings, working paper sign-off, and work paper cross-referencing.

    II. General Overview and Risk Assessment (60 hours)

    For Campus, Medical Center, and Lab central IT management, general overview procedures will include interviews of department management and key personnel; a review of available financial reports; evaluation of policies and procedures associated with business processes; inventory of compliance requirements; consideration of key operational aspects; and an assessment of the information systems environment. During the general overview, a detailed understanding of the management structure, significant financial and operational processes, compliance requirements, and information systems will be obtained (or updated).

    As needed, the general overview will incorporate the use of internal control questionnaires, process flowcharts, and the examination of how documents are handled for key processes.

    IT physical security defines the various measures or controls that protect an organization from a loss of computer processing capabilities caused by theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment failure and power failures. Physical security measures should be sufficient to deal with foreseeable threats.

    Page 1 of 9

    Reviewed by Doug Huff/LLNL 10/15/03

    IT Auditor’s Core Audit

    Audit Procedures

    Information Technology Physical Security

    Updated July 3, 2003

    A. The following table summarizes audit objectives and corresponding high-level risks to be considered during the general overview.

    Audit Objective

    Obtain an understanding of significant processes and practices employed in maintaining and monitoring physical security for IT resources. Specifically addressing the following components:

    • Management philosophy, operating style, and risk assessment practices including:
        o Awareness and compliance with applicable laws, regulations and policies
        o Planning and management of data center physical security financial resources
        o Efficiency and Effectiveness Programs
    • Organizational structure, and delegations of authority and responsibility for IT physical security standards, policies, and monitoring
    • Positions of accountability for financial and programmatic results related to IT physical security
    • Process strengths (best practices), weaknesses, and mitigating controls
    • Financial Considerations
    • Compliance with applicable laws, regulations, policies, and procedures.

    Areas of Risk

    • The IT physical security risk assessment processes may not identify key areas of risk including:
        o Natural disaster such as fire, earthquake, flooding, etc.
        o Environmental controls such as temperature and humidity controls
        o Theft or malicious destruction
        o Unintentional destruction of hardware or data by untrained employees.
        o Mechanical failure of hardware
        o Power interruptions
    • IT Management may not monitor physical security outside of the centralized computing center, particularly if the campus has a distributed computing environment administered by multiple divisions and departments.
    • Delegations of authority may be inappropriate or non-existent for IT physical security.
    • IT physical security related duties may not be included in performance evaluations
    • Management may not have defined physical security standards and/or local policies
    • Management may not have committed sufficient financial resources to IT physical security
    • IT security may not be in compliance with applicable laws, regulations, policies, and


    procedures.

    B. The following procedures will be completed as part of the general overview whenever the core audit is conducted.

    1. Determine which managers are responsible for planning, funding, and operations of physical security of the Data Center.
    2. Interview the key IT managers identified in step 1 to determine:
        • Management philosophy
        • Risk assessment processes
        • Management concerns about physical security of the Data Center
        • Level of awareness and opinions towards UC Policies, laws, and regulations related to physical security
        • Whether management believes the Data Center has sufficient funding to provide adequate physical security
    3. Request that the managers responsible for Data Center physical security complete the ICQ (internal control questionnaire).
    4. Obtain copies of risk assessment documentation and review for reasonableness.
    5. Determine if management bases physical security controls on the risk assessment.
    6. Obtain copies of organization charts for IT management responsible for physical security.
    7. Obtain job descriptions, and performance evaluations, for key staff members and managers responsible for IT physical security.
        • Verify responsibilities and authority are appropriate and that performance for IT security duties is reviewed.
        • Verify that the percentage of time listed on the job description is reasonable to perform physical security related functions.
        • Verify that critical positions are defined and that background checks and fingerprinting are a condition of employment (in the job description) and are actually carried out for a judgment sample.
    8. Determine if Campus has local policies, procedures, standards, or guidelines related to IT physical security.
    9. Determine applicable UCOP policies related to physical security.
    10. Determine applicable State and Federal laws and regulations related to physical security.

    C. Following completion of the general overview steps outlined above, a high-level risk assessment should be performed and documented in an audit workpaper. To the extent necessary, as determined by the auditor, this audit may address aspects of other areas outlined below (financial reporting, compliance, operational efficiency and effectiveness; and information systems). In addition to the evaluations conducted in the general objectives section, the risk assessment should


    consider the following: annual expenditures; time since last review; recent audit findings; organizational change; regulatory requirements, etc.

    III. Financial (18 hours)

    A. The following table summarizes audit objectives and corresponding high-level risks regarding financial network management processes.

    Audit Objective

    Evaluate the adequacy of financial resources, and appropriate financial planning consistent with the objectives of Physical Security. Include the following components:

    • Appropriate investment in physical security equipment (alarms, locks or other physical access controls, identification badges for high security areas, etc.)
    • Appropriate investment in human resources with direct responsibilities for IT physical security
    • Appropriate investment in background checks and fingerprinting for critical positions
    • Appropriate development of policies and standards
    • Does IT governance provide adequate consideration of financial needs?

    Areas of Risk

    • Poor investment in physical security controls may allow unauthorized access to servers and network equipment
    • Inadequate funding for key positions with responsibility for IT physical security may result in poor monitoring, poor compliance with policies and standards, and overall poor physical security
    • Recharge methodologies and overhead rate calculations may not provide adequate funding for IT physical security
    • Lack of funding may prevent IT departments from complying with policies, standards, and guidelines

    B. Based on the audit risk assessment the following procedures should be considered for additional review when this core audit is conducted:

    1. Determine if physical security has a distinct budget or sub-budget.
    2. Obtain and review budget information related to physical security, as needed, if lack of budget is cited as a reason for deficiencies in physical security in preliminary meeting(s) or if the auditor’s preliminary risk assessment indicates budget deficiencies are responsible for unacceptable risks as noted above.


    3. Determine if the physical security risk assessment (performed by IT management) is considered in the budgeting process.

    IV. Compliance (52 hours)

    A. The following table summarizes audit objectives and corresponding high-level risks regarding compliance with policies and procedures, and regulatory requirements.

    Audit Objective

    Evaluate the following:

    • Compliance with UCOP Policies:
        o IS3
        o IS10
        o Other Business and Finance Bulletins and other University policies
        o Electronic communications policy
    • Compliance with applicable State and Federal laws and regulations including:
        o HIPAA
        o FERPA
        o SB 1392
        o GLBA
    • Adequacy of and compliance with local policies, standards and guidelines

    Areas of Risk

    • Lack of adequate policy guidance may result in poor IT physical security
    • Lack of training and knowledge of policies, standards, and guidelines may result in poor IT physical security
    • Poor management communication regarding expectations (standards and policies) may result in inappropriate behavior.
    • Management may not have defined local IT physical security policies, standards, or guidelines, resulting in poor and inconsistent IT physical security, particularly in a distributed computing environment.
    • Poor monitoring for compliance with policies, standards, and guidelines may result in poor compliance and in IT management not knowing potential weaknesses and risks.
    • Improper classification of costs may cause regulatory compliance concerns (A-21, cost accounting standards)


    B. Based on the audit risk assessment the following procedures should be considered for additional review when this core audit is conducted:

    1. Obtain and review applicable UC policies and procedures.
    2. Obtain and review applicable State and Federal laws and regulations.
    3. Obtain local policies and procedures related to physical security.
    4. Evaluate the adequacy of local policies and procedures, including but not limited to:
        • Procedures for granting ID badges for high security areas
        • Procedures related to background checks and fingerprinting for critical IT positions
        • Procedures for granting keys or electronic access codes to high security areas
        • Procedures for reviewing access logs to high security areas
    5. Select a judgment sample to test for compliance with applicable laws, regulations, policies, and procedures and document in a workpaper.
    6. Review management reports and/or conduct interviews to determine how management monitors for compliance with applicable laws, regulations, policies and procedures.
    7. If physical security is funded by Federal Funds, determine if cost classification is in compliance with A-21.


    V. Operational Effectiveness and Efficiency (39 hours)

    A. The following table summarizes audit objectives and corresponding high-level risks regarding operational effectiveness and efficiency.

    Audit Objective

    Evaluate management processes, specifically addressing the following areas:

    • Personnel management (the use of employees vs. contractors)
    • Specialization of work: centralized vs. decentralized
    • Granting physical access (keys or electronic access) and issuing security badges
    • IT physical security and equipment changes affecting IT physical security. Consider planned vs. ad hoc changes

    Areas of Risk

    • Paying more for services when less expensive alternatives are available.
    • Loss of control of IT security (if contractors are used)
    • Unauthorized changes to equipment or to the network may affect physical security controls. Only authorized changes should be allowed.
    • Physical access controls may not be well designed or implemented, and may not yield desired results, i.e. authorized persons may not be able to efficiently gain physical access, unauthorized persons may have inappropriate physical access to servers or other essential electronic data resources.

    B. Based on the audit risk assessment the following procedures should be considered for additional review when this core audit is conducted:

    1. Determine the extent of physical security services provided by independent contractors.
        a. If independent contractors are used, determine if management has done a cost-benefit analysis related to using contractors instead of employees.
        b. If contractors are not used, determine if they could perform functions at lower cost with greater efficiency without compromising physical security controls.
    2. Review procedures and/or interview appropriate staff to determine if change controls related to physical security are efficient and effective.


    3. Review procedures and/or interview appropriate staff to determine if physical access controls are efficient and effective based on the areas of risk, above.

    VI. Information Systems (91 hours)

    A. The following table summarizes audit objectives and corresponding high-level risks regarding information systems.

    Audit Objective

    Evaluate the following:

    • IT management risk ranking process and physical security measures adopted to control risks:
        o Natural disaster such as fire, earthquake, flooding, etc.
        o Environmental controls such as temperature and humidity controls
        o Theft or malicious destruction
        o Unintentional destruction of hardware or data by untrained employees.
        o Mechanical failure of hardware
        o Power interruptions
    • Physical security for information systems, applications, databases, electronic interfaces, and network cabling, specifically:
        o Physical security access controls for buildings
        o Physical security controls for cabling and wiring closets
        o Physical security and access controls for data processing hardware within buildings
        o Physical security for data media and backups
        o Physical security for data access points
        o Business Continuity Planning
    • Physical Planning and Construction impact on IT physical security

    Areas of Risk

    • The IT physical security procedures may not address and identify appropriate actions (including communication with decision makers) related to:
        o Physical security for essential electronic information resources.
        o Business Continuity Planning
        o Physical access control for network devices and wiring closets
    • Building construction and remodels may compromise physical security. Building contractor workers may need access to high security areas. Lack of ID badges for contractors can lower security standards.


    B. Based on the audit risk assessment the following procedures should be considered for additional review when this core audit is conducted:

    1. Observe and evaluate the physical security for a judgment sample of selected servers.
    2. Observe and evaluate the physical security for data media and off-site backups.
    3. Use judgment sample testing to determine if compensating controls and written procedures exist to react to the following situations. Testing should determine if appropriate staff know who the decision makers are and if appropriate means to communicate with them in emergency situations are established and documented. Document testing in a standard workpaper.
        • Natural disaster such as fire, earthquake, flooding, etc.
        • Environmental controls such as temperature and humidity controls
        • Theft or malicious destruction
        • Unintentional destruction of hardware or data by untrained employees.
        • Mechanical failure of hardware
        • Power interruptions
    4. Review policies and/or interview appropriate staff in the Physical Planning and Construction department to determine if procedures exist to assure physical security is not compromised in construction projects such as a remodel of the Data Center building or room. Building contractor employees should meet the same security requirements as employees working in the Data Center, i.e. picture ID badges, etc. Physical security requirements should be included in building blueprints and/or specifications from the time the bidding process begins.

    ***
