ITIL : Criteria Facilities Topics Access control and security Protected zones and….


The evaluation of a data center is carried out on the basis of a large questionnaire covering four categories (facilities, staff, technology and procedures) and on the basis of a comprehensive on-site inspection by the eco authorised auditors (eAA).

Criteria and weights

Facilities (weight 25%)
• Access control and security
• Protected zones and fire control
• Raised floors
• Position in the building
• Facility feedings
• Scalability
• Structure of the building
• Cleanliness of the data center

Technology (weight 35%)
• Transformer / main distribution for medium and low voltage
• Power supplier
• AC and DC power supply
• Emergency power supply, emergency shutdown, lightning protection
• Air conditioning and air filtration
• Temperature and humidity
• Carrier

Procedure (weight 20%)
• ITIL conformity
• Continuity management
• Existing certifications
• Access procedure
• Data security

Staff (weight 20%)
• Staff size
• Multilingual staff
• Accessibility and availability
• Qualifications
• Quality management

Performance and fulfillment grades

Performance grade 1 (★)
• Basic air conditioning (n)[14]
• Basic power supply (n)
• A UPS (continuous quality power, overvoltage protection, etc.) designed with (n); 5 minutes hold-up time to shut down the operating systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher)
• Architectural separation of the computer room from other spaces by at least F30/T30 (German fire-resistance classes: 30 minutes for building elements and doors respectively)
• Several fire compartments in the data center are not required
• Heat dissipation performance: 220-320 W/m²
• Minimum physical access protection (steel doors/security locks/windowless room or secured window) and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operating system)
• Stable network connection (min. 1 internet access provider, 1 independent network connection)
• Basic supply routes
Evaluation period: 1 year
• Limited operation because of maintenance: 2 downtimes of 14 hours
• Availability of the data center: 99.2% per year
• 2-3 outages per year with a downtime of 5 hours each[15]

Performance grade 2 (★★)
• Basic air conditioning (n)
• Basic power supply (n)
• A UPS (continuous quality power, overvoltage protection, etc.) designed with (n); 8 minutes hold-up time to shut down the operating systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher)
• Architectural separation of the computer room from other spaces by at least F30/T30
• Several fire compartments in the data center are not required
• Heat dissipation performance: 220-320 W/m²
• Physical access protection (steel doors/security locks/windowless room or secured window) with a knowledge-based identification feature (something the person knows) and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operating system)
• Stable network connection (min. 2 providers, 2 independent network connections)
• Basic supply routes
Evaluation period: 1 year
• Limited operation because of maintenance: 2 downtimes of 12 hours
• Availability of the data center: 99.671% per year, annual downtime 28.8 hours
• 2-3 outages per year with a downtime of 4 hours each

Performance grade 3 (★★★)
• Air conditioning (n)
• Redundant power supply (n+1)
• Diesel generator
• A UPS (continuous quality power, overvoltage protection, etc.) designed with (n); 8 minutes hold-up time to shut down the operating systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher)
• Architectural separation of the computer room from other spaces by at least F30/T30
• Several fire compartments in the data center are not required
• Heat dissipation performance: 430-800 W/m²
• Process of individualised authentication (biometrics or knowledge-based identification feature)
• ITIL process maturity level 2 (mostly documented and adjusted to the ITIL model)
• Physical access protection (steel doors/security locks/windowless room or secured window) with logging and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operating system)
• Stable network connection (min. 2 internet access providers, 2 independent network connections)
• Basic supply routes
Evaluation period: 2 years
• Limited operation because of maintenance: 3 downtimes of 12 hours
• Availability of the data center: 99.75% per year, downtime 22 hours (22 hours of 8,760 corresponds to roughly 99.75%, not the 99.671% figure of grade 2)
• 2 outages per year with a downtime of 4 hours each

Performance grade 4 (★★★★)
• Air conditioning (n+1) + UPS connection
• Redundant power supply (n+1) and 2 facility feedings
• Diesel generator
• A UPS (continuous quality power, overvoltage protection, etc.) designed with (n); 8 minutes hold-up time to shut down the operating systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher)
• Architectural separation of the computer room from other spaces by at least F30/T30
• Several fire compartments in the data center are not required
• Heat dissipation performance: 430-1400 W/m²
• Process of individualised authentication (biometrics or knowledge-based identification feature)
• Access to the data center: at least 2 door systems
• ITIL process maturity level 2 (mostly documented and adjusted to the ITIL model)
• Physical access protection (steel doors/security locks/windowless room or secured window) with logging and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operating system)
• Stable network connection (min. 2 internet access providers, 2 independent network connections)
• Basic supply routes
Evaluation period: 5 years
• Limited operation because of maintenance: 2 downtimes of 4 hours
• Availability of the data center: 99.982% per year, downtime 1.6 hours
• 2 outages per year with a downtime of 4 hours each

Performance grade 5 (★★★★★)
• Air conditioning (n+2) + UPS connection (n+1)
• Redundant power supply (n+2) and 2 facility feedings (n+2 can be realized with a technical circuit and substantiated by service level agreements)
• 2 x diesel generator
• A UPS (continuous quality power, overvoltage protection, etc.) designed with a minimum of (n+1)
• 20 minutes hold-up time to shut down the operating systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher), VESDA (aspirating very early smoke detection) system
• Architectural separation of the computer room from other spaces by at least F60/T60 (60-minute fire-resistance classes)
• Several fire compartments in the data center are required
• Heat dissipation performance: >= 1500 W/m²
• Process of individualised authentication (biometrics or knowledge-based identification feature)
• Access to the data center: at least 2 door systems
• Optical turnstile for customer entrance
• ITIL process maturity level 4 (completely documented and adjusted to the ITIL model)
• Documented procedures (e.g. with the help of ISO 27001, ISO 20000, ISO 9001)
• Physical access protection (steel doors/security locks/windowless room or secured window) with logging and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operating system)
• Stable network connection (min. 5 internet access providers, 2 independent network connections)
• Supply routes doubled
Evaluation period: 5 years
• No limited operation because of maintenance
• Availability of the data center: 99.991% per year, downtime 0.8 h
• 1 outage per year with a maximum downtime of 4 h

Fulfillment grade

Based on the calculated performance grade (%) derived from the questionnaire responses and the inspection, the result is assigned to one of five fulfillment grades (DC Stars).[16]

Fulfillment grade   Percent     Stars
1                   35 - 54%    ★
2                   55 - 64%    ★★
3                   65 - 74%    ★★★
4                   75 - 89%    ★★★★
5                   —           ★★★★★

References
[1] http://www.isaca.org
[2] http://www.pcaobus.org
[3] http://www.deloitte.com
[4] http://www.itgi.org
[5] http://www.findarticles.com/p/articles/mi_m4153/is_n3_v48/ai_10819174
[6] http://www.theiia.org
[7] http://www.cavebear.com/nsf-dns/pa_history.htm
[8] http://legal.web.aol.com/resources/legislation/comfraud.html
[9] http://www.epic.org/crypto/csa/
[10] http://www.ftc.gov/foia/privacy_act.htm
[11] http://legal.web.aol.com/resources/legislation.ecpa.html
[12] http://www.aicpa.org
[13] http://www.issa.org
[14] http://www.ftc.gov/privacy/glbact
[15] http://www.theiia.org/itaudit/?fuseaction=catref&catid=44
[16] http://www.leginfo.ca.gov/cgi-bin/displaycode?section=fin&group=04001-05000&file=4050-4060
[17] http://www.fasb.org

COBIT

COBIT is a framework created by ISACA.

It is a framework for information technology (IT) management and IT Governance.

It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

Overview

COBIT was first released in 1996; the current version, COBIT 4.1, was published in 2007 and is currently being updated (COBIT 5 [1]).

Its mission is "to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals." [2]

COBIT defines 34 generic processes to manage IT. Each process is defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model. The framework supports governance of IT by defining and aligning business goals with IT goals and IT processes.

COBIT Framework

The framework provides good practices across a domain and process framework. The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

The process focus of COBIT is illustrated by a process model that subdivides IT into four domains (Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate) and 34 processes in line with the responsibility areas of plan, build, run and monitor.

COBIT is focused on what is required to achieve adequate management and control of IT, and is positioned at a high level. It has been aligned and harmonized with other, more detailed IT standards and good practices such as COSO, ITIL, ISO 27000, CMMI, TOGAF and PMBOK.

COBIT acts as an integrator of these different guidance materials, summarizing key objectives under one umbrella framework that links the good-practice models with governance and business requirements.

Releases

COBIT has had four major releases:
• In 1996, the first edition of COBIT was released.
• In 1998, the second edition added "Management Guidelines".
• In 2000, the third edition was released.
• In 2003, an on-line version became available.
• In December 2005, the fourth edition was initially released.
• In May 2007, the current 4.1 revision was released.

Components

The COBIT components include:
• Framework: organises IT governance objectives and good practices by IT domains and processes, and links them to business requirements.
• Process descriptions: a reference process model and common language for everyone in an organisation. The processes map to the responsibility areas of plan, build, run and monitor.
• Control objectives: provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
• Management guidelines: help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes.
• Maturity models: assess maturity and capability per process and help to address gaps.

Other ISACA publications [3] based on the COBIT framework include:
• Board Briefing for IT Governance, 2nd Edition
• COBIT and Application Controls
• COBIT Control Practices, 2nd Edition
• IT Assurance Guide: Using COBIT
• Implementing and Continually Improving IT Governance
• COBIT Quickstart, 2nd Edition
• COBIT Security Baseline, 2nd Edition
• IT Control Objectives for Sarbanes-Oxley, 2nd Edition
• IT Control Objectives for Basel II
• COBIT User Guide for Service Managers
• COBIT Mappings (to ISO/IEC 27002, CMMI, ITIL, TOGAF, PMBOK etc.)
• COBIT Online

COBIT and Sarbanes-Oxley

Companies that are publicly traded in the US are subject to the Sarbanes-Oxley Act of 2002. COBIT is the framework used by most companies to comply with Sarbanes-Oxley.

References
• ISACA [4], custodians of COBIT
• COBITCampus [5], COBIT education provided by ISACA
• ISO/IEC 20000, international standard for IT Service Management
• ISO/IEC 27000, Information Security Management Systems standards

Notes
[1] http://www.isaca.org/cobit5
[2] ITGI, "COBIT 4.1 Executive Summary", http://www.isaca.org/Knowledge-Center/cobit/Documents/COBIT4.pdf
[3] http://www.isaca.org/Knowledge-Center/cobit/Pages/Products.aspx
[4] http://www.isaca.org/
[5] http://cobitcampus.isaca.org/

Professional certifications
• Certified Information System Auditor (CISA)
• Certified Internal Auditor (CIA)
• Certification and Accreditation Professional (CAP)
• Certified Computer Professional (CCP)
• Certified Information Privacy Professional (CIPP)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified Public Accountant (CPA)
• Chartered Accountant (CA)
• Chartered Certified Accountant (CCA)
• GIAC Certified System & Network Auditor (GSNA)[9]
• Certified Information Technology Professional (CITP); to be certified, auditors should have 3 years of experience.

Emerging Issues

There are also new audits being imposed by various standards boards which are required to be performed, depending upon the audited organization; these will affect IT and ensure that IT departments are performing certain functions and controls appropriately in order to be considered compliant.

An example of such an audit is the newly minted SSAE 16 [10].

References
[1] Richard A. Goodman; Richard Arthur Goodman; Michael W. Lawless (1994). Technology and strategy: conceptual models and diagnostics. Oxford University Press US. ISBN 9780195079494. http://books.google.com/books?id=GIRdX9hIL1EC. Retrieved May 9, 2010.
[2] http://www.theiia.org/bookstore/product/it-auditing-an-adaptive-process-1263.cfm
[3] "Advanced System, Network and Perimeter Auditing", http://www.sans.org/security-training/auditing-networks-perimeters-and-systems-6-mid
[4] "Institute of Internal Auditors", http://www.theiia.org
[5] "The SANS Technology Institute", http://www.sans.org
[6] "ISACA", http://www.isaca.org
[7] Hoelzer, David (1999-2009). Audit Principles, Risk Assessment & Effective Reporting. SANS Press. p. 32.
[8] http://www.norea.nl
[9] "GIAC GSNA Information", http://www.giac.org/certifications/audit/gsna.php
[10] http://www.ssae-16.com

External links
• A career as Information Systems Auditor, by Avinash Kadam (Network Magazine): http://www.networkmagazineindia.com/200312/securedview01.shtml
• Federal Financial Institutions Examination Council (FFIEC): http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit.pdf
• Information Systems Audit & Control Association (ISACA): http://www.isaca.org/
• Open Security Architecture, controls and patterns to secure IT systems: http://www.opensecurityarchitecture.org
• American Institute of Certified Public Accountants (AICPA): http://www.aicpa.org/
• IT Services Library (ITIL): http://www.itil-officialsite.com/home/home.asp

Information technology audit process

Generally Accepted Auditing Standards (GAAS)

In 1947, the American Institute of Certified Public Accountants (AICPA) adopted GAAS to establish standards for audits.

The standards cover the following three categories:
• General Standards: relate to professional and technical competence, independence, and professional due care.
• Field Work Standards: relate to the planning of an audit, the evaluation of internal control, and obtaining sufficient evidential matter upon which an opinion is based.
• Reporting Standards: relate to compliance with all auditing standards and the adequacy of disclosure of the opinion in the audit report.

If an opinion cannot be reached, the auditor is required to explicitly state their assertions.

Information Technology Audit Process Overview

The auditor must plan and conduct the audit to ensure that audit risk (the risk of reaching an incorrect conclusion based on the audit findings) is limited to an acceptable level. To reduce the possibility of assessing audit risk too low, the auditor should perform the following steps:

1. Obtain an understanding of the organization and its environment. This understanding is used to assess the risk of material misstatement or weakness and to set the scope of the audit. The auditor's understanding should include information on the nature of the entity, its management, governance, objectives and strategies, and its business processes.

2. Identify risks that may result in material misstatements. The auditor must evaluate the organization's business risks (threats to the organization's ability to achieve its objectives). An organization's business risks can arise or change due to new personnel, new or restructured information systems, corporate restructuring, and rapid growth, to name a few.

3. Evaluate the organization's response to those risks. Once the auditor has identified the assessed risks, the auditor should obtain evidence of management's actions in response to them. The organization's response (or lack thereof) to any business risk will affect the auditor's assessed level of audit risk.

4. Assess the risk of material misstatement. Based on the knowledge obtained in evaluating the organization's responses to business risks, the auditor assesses the risk of material misstatement and determines the specific audit procedures that are necessary given that risk assessment.

5. Evaluate results and issue the audit report. At this stage, the auditor should determine whether the assessments of risk were appropriate and whether sufficient evidence was obtained. The auditor will issue either an unqualified or a qualified audit report based on their findings.

SAS 94

In 2001, SAS 55 was amended by SAS 94 [4], titled "The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit".

SAS 94 obliges financial statement auditors to place increased focus on the growing role of information technology in meeting financial reporting objectives. Given this change, SAS 70 reports now place similar emphasis on information technology's role in the control environment of service organizations. This helps to ensure that the SAS 70 report contains all of the information required by user organization auditors.

SAS 109

In 2006, SAS 55 was superseded by SAS 109 (codified as AU 314 [5]), which provided an expanded theory regarding an auditor's responsibility to understand the entity under audit, including the information systems employed by that entity, among other items. This understanding is used in determining certain risks associated with the financial statements and the audit.

Changing uses of the SAS 70

Over the last few years, the use of the SAS 70 audit has migrated to non-traditional purposes. Companies in the financial services industry are required to show adequate oversight of service providers, for example by obtaining a SAS 70 review conducted to comply with Gramm-Leach-Bliley Act (GLBA) requirements. Service organizations which provide services to healthcare companies are often asked by their clients to have a SAS 70 audit conducted to ensure that an independent third party has examined the controls over the processing of sensitive healthcare information. While some companies use the SAS 70 audit to promote themselves in the "Other Information Provided by Service Organization" section, the more appropriate application is to use properly modified objectives from internal control framework(s) appropriate to their industry and company, such as COSO, COBIT for SOX, ISO, ITIL, BITS, or the AICPA's Trust Principles (which are specifically applicable to SysTrust or WebTrust services).

Users of SAS 70 audit reports

User auditor

Traditionally, service auditor reports are primarily used as auditor-to-auditor communication. The auditors of the service organization's customers (i.e. user auditors) can use the service auditor's report to gain an understanding of the internal controls in operation at the service organization. Additionally, Type II service auditor reports (which, unlike Type I reports, test the operating effectiveness of the controls over a period rather than only their design at a point in time) can be used by the user organizations' auditors to assess internal control risk for the purposes of planning and executing their financial audit.

Other third parties external to service organizations

Service auditor reports are growing in popularity and are being used by customers, prospective customers and financiers to gain an understanding of the control environment of outsourcing companies. In some cases, these third parties are not intended users of the report, but still find value in using it as independent third-party verification that controls are in place and are operating effectively. Unless the report is marked by the CPA firm as restricted to specified users only, the service organization retains control of distributing the report.

Every service auditor's report contains an auditor's opinion letter. The opinion letter is required to contain a paragraph that defines the authorized users of the report. On rare occasions, this paragraph is limited to a specific third party, which may or may not be a user organization. Use of the report is typically restricted to the service organization's management, its customers, and the financial statement auditors of its customers. Typically, a statement in the final paragraph reads: "This report is intended solely for use by the management of XYZ Service Organization, its user organizations, and the independent auditors of its user organizations."

Financial statement auditor of service organization

The report is not designed to support the financial statement auditors of the service organization, because the service organization's own financial reporting IT controls are not the target of a SAS 70 audit. The environment supporting the user organizations' processes is the SAS 70 audit scope. However, the Entity Level Control Considerations of a service organization's external auditor may be useful for a SAS 70 report. Other auditing standards address the appropriate process for obtaining client authorization for auditors of different firms to obtain audit information about a shared client, which may include the sharing of workpapers and reports between the auditors.
