Internal Audit Department

AUDIT PROGRAM: COMPUTER CENTER
General Matters, Physical Security, Fire Protection, Flood Protection, Power Protection, Disaster Recovery, Removable Media Control

LOCATION: _____________________
AUDIT DATE: _____________________
PERFORMED BY: _____________________
REVIEWED BY: _____________________

INTRODUCTION:

This program has been revised to conform with the findings of the Systems Auditability and Control (SAC) publication of May 1991. If control deficiencies are identified, tests should be performed to determine the extent of the damage caused by the control breakdown.

PRIMARY OBJECTIVES:

This audit program is written for computer centers to ensure the following:

1) adequate levels of physical security, fire protection, flood protection, and power protection are provided for computer equipment and data files;
2) sufficient controls exist to protect data files and programs from accidental loss;
3) protective measures have been taken to ensure that the location's operations can continue without serious interruption in the event of a disaster that results in loss of the center.

A. GENERAL MATTERS

1. Obtain or prepare a floor plan of the computer installation for the permanent file. The floor plan should include all center facilities and their boundaries, covering all applicable areas such as the computer room, file library, data control, data input, and data distribution. Workpapers regarding physical aspects of the center should be cross-referenced to the diagram.
   Obtained Information (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

2. Obtain an organization chart of the computer services department that shows the number of employees, names, and job titles. Identify the key personnel and include this information in the workpapers for the activity.
   Obtained Information (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

3. Obtain a listing of all computer systems in use at the location. Include this information in the workpapers for the activity.
   Obtained Information (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

B. PHYSICAL SECURITY

PRIMARY OBJECTIVES: Determine that the center was constructed in accordance with best business practices, that it provides adequate physical security, and that access to the center, computer programs, and related documentation is restricted to authorized personnel.

4. Are the access doors to the center kept to a minimum, and are they kept closed at all times?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

5. Do access control devices, activated by a computerized card, control access to the computer center, and is a record kept of all access?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

6. Describe the controls in place for the assignment of identity cards for temporary as well as permanent use, and verify that identity cards are conspicuously displayed.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

7. Are controls in place to ensure that unauthorized access results in the sounding of alarms at the door and at the security console?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

8. Are the computer room doors capable of withstanding a physical attack?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

9. Exits should meet all exit code requirements of the jurisdiction in which the center operates and fulfill national accessibility (disability) legislation requirements.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

10. Are physical security and fire protection system switches or panels protected from unauthorized access?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

11. Are visitors identified separately from persons with a frequent need to access the computer room?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

12. Are complete security emergency procedures available to all computer center personnel and filed with the local Security Office?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

13. Describe the controls in place to ensure that access is secured during off-hours. If intrusion alarms are used, they must be tested. If security patrols the computer room, clock card evidence must be available.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

14. For new computer facilities, the detailed plans, including layout, construction, security, and fire protection features, should have been reviewed and approved prior to the commencement of work. If you are at a new facility, prepare a workpaper describing the plans.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

C. FIRE PROTECTION

PRIMARY OBJECTIVE: Determine compliance with best business practices for practical fire protection of computer center facilities.

15. Are the construction materials masonry, wood sandwich panel (1" gypsum core), or blank metal partition? Are they fire-resistant (non-combustible) materials, with combustibles kept to a minimum?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

16. Do computer center walls extend from the floor to the ceiling, through any raised floors or false ceilings?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

17. Heat-producing equipment such as coffee pots, space heaters, bursters, and decollators should not be in the computer room.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

18. Debris and unused cables should not be allowed to accumulate under the raised floors.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

19. Smoking should not be permitted in the computer center.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

20. Paper supplies in the computer room should be kept in metal cabinets.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

21. All waste containers in the computer center should be of the self-extinguishing type.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

22. Describe the type and location of smoke and fire detection used.
Ensure that smoke or heat will be detected throughout the entire space. Make sure that the alarms sound at the security console. Include the latest test results for the system in the workpapers.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

23. Describe the automatic fire suppression system used by the center. Include the latest test results for the system in the workpapers.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

24. Emergency power disconnects should be located where they are protected from accidental or unauthorized activation but can still be reached quickly in an emergency.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

25. Are manual or automated procedures in place to ensure that electricity to the equipment is cut off before any water-based system is released into the computer room?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

26. Fire extinguishers should be readily accessible, well marked, and tested semi-annually. Floor tile pullers should be located near the fire extinguishers.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

27. Ducts of the building air conditioning system that pass through the computer room should have automatic fire dampers.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

28. Verify that physical access to the computer center is not possible through the ventilation system.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

29. Personnel should be given annual training in the steps to be followed in the event of a fire; the training should meet local code requirements, and records should be maintained.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

D. FLOOD PROTECTION

PRIMARY OBJECTIVE: Determine compliance with best business practices for protection from water damage associated with the accidental release of water into a computer center.

30. Describe all water detection or prevention systems in place in or near the computer center. Include documentation on moisture detection and drip trays.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

31. Are water-carrying lines well away from the computer equipment? Are water-based fire suppression systems of the dry-pipe type?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

E. POWER PROTECTION

PRIMARY OBJECTIVE: Determine compliance with best business practices for practical protection from interruption of the normal power supply.

32. Describe how power is brought into the computer center and all backup power supplies available in the event of a power failure.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

33. Is the environmental control (air conditioning) equipment on backup power, in addition to the computer equipment itself?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

34. What is the preventive maintenance schedule for the generators and UPS systems? Include copies of the last preventive maintenance records for these systems in the workpapers.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

35. Are written procedures in place for switching over to backup power? Are all computer room personnel trained in those procedures?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

F. DISASTER RECOVERY AND REMOVABLE MEDIA

PRIMARY OBJECTIVES: Determine that adequate control procedures have been established to ensure effective and reasonable-cost recovery from fire or other disaster, and ensure that these procedures are followed. Determine that physical controls over all removable media are adequate, that rental billings are verified, and that controls over accountable documents are being followed.

36. Describe the disaster recovery plan in place for recovery from fire or other disaster.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

37. Determine whether the disaster plan is appropriate and conforms to standards in content. Remote storage should be in a separate building.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

38. Review and determine whether written agreements and/or tests conducted ensure that the plan will work. Compatibility between the equipment and software at the recovery site and those of the center is mandatory.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

39. Describe the controls in place over the storage of magnetic tapes and disks. Physical inventory records should be maintained. Storage facilities should be kept locked during unattended periods. If tape robots are used, make sure the tapes are protected from unauthorized use.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

40. Describe the controls in place for restoring data files from backups, both into production and into another directory.
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

41. Are pre-employment investigations performed?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____

42. Are equipment rental or maintenance contracts and bills in agreement with the equipment installed?
   Adequate Controls (Y/N): ____  Date: ____  Auditor: ____  Source: ____  Results: ____
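Items 5, 7, 11 and 13 of section B ask whether a record of all card access is kept, whether unauthorized attempts alarm, whether visitors are distinguished from regular staff, and how off-hours access is secured. The record itself is only useful if someone tests it, so the following is an added example of the tests an auditor can run over a reader export; it is example code written for this page, not part of the audit program. The export format (one CSV line per reader event: timestamp, badge id, door, result), the badge roster, the business-hours window and the sample lines are all constructed assumptions, and parse_log() must be adapted to the center's real reader export.

```python
"""Audit tests over badge-reader access records for items 5, 7, 11 and 13.

Example code added to this page, not part of the audit program. The reader
export format (timestamp,badge_id,door,result per line), the roster, the
business-hours window and the sample lines are constructed assumptions.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export from the computer room door reader (assumed format).
SAMPLE_LOG = """\
2024-03-04T08:55:12,B1001,CR-MAIN,GRANTED
2024-03-04T09:02:40,B1002,CR-MAIN,GRANTED
2024-03-04T12:15:03,B2009,CR-MAIN,GRANTED
2024-03-04T14:00:00,B4444,CR-MAIN,GRANTED
2024-03-04T23:41:55,B1001,CR-MAIN,GRANTED
2024-03-05T02:10:01,B3333,CR-MAIN,DENIED
2024-03-05T02:10:30,B3333,CR-MAIN,DENIED
2024-03-05T02:11:05,B3333,CR-MAIN,DENIED
2024-03-09T10:30:00,B1002,CR-MAIN,GRANTED
"""

# Constructed roster of cards issued for the computer room (item 6):
# badge id -> (holder, card type); temporary visitor cards are "TEMP".
ROSTER = {
    "B1001": ("operator A", "PERMANENT"),
    "B1002": ("operator B", "PERMANENT"),
    "B1003": ("shift lead", "PERMANENT"),
    "B2009": ("vendor engineer", "TEMP"),
}


def parse_log(text):
    """Parse reader events into dicts; malformed lines are skipped, not guessed."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 4:
            continue
        ts, badge, door, result = row
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "result": result})
    return events


def off_hours_entries(events, start_hour=7, end_hour=19):
    """Granted entries outside business hours or on a weekend (item 13)."""
    hits = []
    for e in events:
        if e["result"] != "GRANTED":
            continue
        weekend = e["ts"].weekday() >= 5
        if weekend or not (start_hour <= e["ts"].hour < end_hour):
            hits.append(e)
    return hits


def unrostered_entries(events, roster):
    """Granted entries by badges not on the issued-card roster (items 5, 6)."""
    return [e for e in events
            if e["result"] == "GRANTED" and e["badge"] not in roster]


def repeated_denials(events, threshold=3, window=timedelta(minutes=5)):
    """Badges denied `threshold` or more times within `window`; each such burst
    should have raised the door and console alarms of item 7, so ask for the
    matching alarm record."""
    by_badge = defaultdict(list)
    for e in events:
        if e["result"] == "DENIED":
            by_badge[e["badge"]].append(e["ts"])
    flagged = []
    for badge, times in by_badge.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(badge)
                break
    return flagged


def temp_badge_entries(events, roster):
    """Entries on temporary (visitor) cards, to reconcile with the visitor log (item 11)."""
    return [e for e in events if e["result"] == "GRANTED"
            and roster.get(e["badge"], ("", ""))[1] == "TEMP"]


def run_audit(text=SAMPLE_LOG, roster=ROSTER):
    events = parse_log(text)
    return {
        "off_hours": [(e["ts"].isoformat(), e["badge"]) for e in off_hours_entries(events)],
        "unrostered": [e["badge"] for e in unrostered_entries(events, roster)],
        "repeated_denials": repeated_denials(events),
        "temp_badge": [e["badge"] for e in temp_badge_entries(events, roster)],
    }


if __name__ == "__main__":
    for finding, items in run_audit().items():
        print(f"{finding}: {items}")
```

Each finding maps back to a workpaper: off-hours entries are compared with the shift roster and patrol clock cards (item 13), unrostered badges with the card-issue records (item 6), denial bursts with the alarm log (item 7), and temporary-card entries with the visitor log (item 11).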
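Item 40 asks for the controls over restoring data files from backups, into production and into another directory. The following added example shows what a controlled restore test looks like: the backup is restored into a separate directory, never the production path, archive members that would escape the target directory are refused, and every restored file is checked against the backup's hash manifest so that a tampered or incomplete restore is reported rather than trusted. This is example code written for this page, not part of the audit program; the backup layout (a gzipped tar plus a manifest of "sha256  path" lines), the directory names and the sample files are constructed assumptions.

```python
"""Restore test for item 40: restore a backup into a separate directory and
verify it against its manifest before anything is restored into production.

Example code added to this page, not part of the audit program. The backup
layout (gzipped tar plus a manifest of '<sha256>  <path>' lines), the
directory names and the sample files are constructed assumptions.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive, manifest_file):
    """Archive every file under src_dir and write a manifest of SHA-256 hashes."""
    src_dir = Path(src_dir)
    lines = []
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                tar.add(str(p), arcname=rel)
                lines.append(f"{sha256_of(p)}  {rel}\n")
    Path(manifest_file).write_text("".join(lines))
    return len(lines)


def verify_against_manifest(target_dir, manifest_file):
    """Compare restored files with the manifest. Returns (mismatched, missing)."""
    target = Path(target_dir)
    mismatched, missing = [], []
    for line in Path(manifest_file).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        p = target / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            mismatched.append(rel)
    return mismatched, missing


def restore_for_test(archive, target_dir, production_dir):
    """Restore into target_dir, never into production_dir, refusing members that
    are not regular files or would land outside target_dir. Returns file count."""
    target = Path(target_dir).resolve()
    prod = Path(production_dir).resolve()
    if target == prod or prod in target.parents:
        raise PermissionError("test restores must go to a separate directory")
    target.mkdir(parents=True, exist_ok=True)
    restored = 0
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            dest = (target / member.name).resolve()
            if not member.isfile() or target not in dest.parents:
                raise ValueError(f"refusing unsafe archive member {member.name!r}")
            dest.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(dest, "wb") as out:
                out.write(src.read())
            restored += 1
    return restored


def run_demo():
    """Constructed data set: back it up, restore to staging, verify, and exercise
    the checks that must fail (production target, escaping member, tampered copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        prod, staging = tmp / "prod", tmp / "restore-test"
        (prod / "ledger").mkdir(parents=True)
        (prod / "ledger" / "gl.dat").write_bytes(b"constructed ledger data\n")
        (prod / "config.ini").write_text("[db]\nname=prod\n")
        archive, manifest = tmp / "daily.tgz", tmp / "daily.sha256"
        make_backup(prod, archive, manifest)
        result = {"restored": restore_for_test(archive, staging, prod)}
        result["clean"] = verify_against_manifest(staging, manifest)
        try:
            restore_for_test(archive, prod, prod)
            result["prod_refused"] = False
        except PermissionError:
            result["prod_refused"] = True
        bad = tmp / "bad.tgz"
        with tarfile.open(str(bad), "w:gz") as tar:
            info = tarfile.TarInfo("../escape.txt")  # path traversal attempt
            info.size = 6
            tar.addfile(info, io.BytesIO(b"owned\n"))
        try:
            restore_for_test(bad, tmp / "restore-test2", prod)
            result["escape_refused"] = False
        except ValueError:
            result["escape_refused"] = True
        # A modified and a deleted file in the restored copy must be reported.
        (staging / "config.ini").write_text("[db]\nname=tampered\n")
        (staging / "ledger" / "gl.dat").unlink()
        result["tampered"] = verify_against_manifest(staging, manifest)
        return result


if __name__ == "__main__":
    print(run_demo())
```

The manifest is written at backup time and kept with the offsite copy (item 37), so a restore test at the recovery site can be verified without access to the production system; the verification output is the evidence the auditor files for item 40.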