Name: Data Center Audit Program
Description: Data center audit program checklist which highlights the major areas to be audited during a data center visit.

AUDIT OBJECTIVES: To determine that:
Data center policies and procedures are defined, documented and communicated for all key functions.
Adequate prevention of unauthorized access is in place, both logically and physically (including third-party access).
Personnel, procedures and responsibilities address employee termination, cross-functional training and systems training.
Backup procedures are adequate to minimize business interruption and protect against loss of data in the event of a disaster.
Physical security controls are adequate to prevent unauthorized access to data center areas.
Environmental controls are adequate to minimize hardware/software losses from fire or flood.
Data transferred off site is secured at all times and appropriate controls are in place to monitor the location of the data.
Program change controls are adequate to ensure that changes are tested and approved before being moved into production status.
To ensure that inadequate controls are identified.

Name: Data Center Audit
Prepared by: Odirichi Nwafor and Olufemi James
Date: 9th January 2019
PROCESS / CHECKS (the Comments column is left blank for the auditor to complete)

POLICIES AND PROCEDURE
Verify the existence of a policy to manage the data center and confirm that it is documented and communicated (note the last review date).
Verify and review the visitor policy. Ensure that access to the data center is monitored and reviewed.
Are policies in place for protection of the data center? Are the policies documented and communicated for all key functions?
Is there a policy on eating, drinking and smoking in proximity to information processing facilities and raised floors?
Is there a data center physical environment checklist for the officer, drafted according to the GIMS data center management policy?
Is a "No Unauthorized Photography" policy enforced, and is the policy documented and communicated?
Are the procedures for obtaining physical access to data center facilities formally documented and followed?

HARDWARE
Verify that scheduled preventive maintenance is planned and executed.
What controls are in place to minimize the risk of theft, fire, explosions, smoke, water, dust, vibration, chemical effects, electrical supply interference and electromagnetic radiation?
Is there an inventory of items at the data center?
Are systems stored in a secure environment?
Is the capacity of the data center adequate for the server rooms' equipment and storage needs?
Is there a medium for tracking asset lifespan and frequency of failure?
What policy is in place for disposing of obsolete equipment?
How is sensitive information on storage hard drives retrieved, and how are the hard drives disposed of?

SOFTWARE
Software is licensed.
Data at the center is backed up regularly.
Data center software is up to date.

PHYSICAL PROTECTION
Verify that security personnel are in place.
Verify that access control doors are in place and functional.
Verify that lock and key are in place. Are the keys to the computer rooms adequately controlled to reduce the risk of unauthorized access?
Are computer terminals locked?
Are visitors escorted by responsible personnel?
Are the wiring and cabling well structured and insulated?
Verify that CCTV is installed and backed up appropriately for up to 90 days (view some sample dates).
What environmental controls are in place to protect the servers from fire, electrical and water damage?
Is the alarm control panel separated from the burglar or security system?
Is the alarm situated in a control room to prevent unauthorized access?
Does it have allocated power from a separate, dedicated circuit?
Fire extinguishers: these should be strategically located and must be functional (check the date they were last serviced).
Are the fire alarms located near exit doors?
Is a fire suppression system in place?
Is the fire suppression system segmented so that a fire in one part of the facility does not affect the whole facility?
What fire suppression technique is in place?
Smoke detectors are available and functional. Is a water detector available?
Verify that temperature and humidity are monitored.
Verify that there are no exterior windows in the server room area.
Verify that security perimeters have been established to protect the information processing facility, e.g. walls and security doors.
Verify that physical access to data center facilities is logged and monitored.
Ensure appropriate labelling of data center equipment and facilities.
Verify that physical access to information systems that store, process or transmit Institutional Data is secured in a manner that prevents unauthorized access.
Verify that physical access to data center facilities is reviewed and reauthorized by a Data Steward or delegate on a periodic basis.
Are there fire and safety drills? (Confirm the last date and the number of staff who participated.)

LOGICAL PROTECTION
Is there a provisioning process for individuals requiring access to the data center?
Review the access list for the site and verify that logs are maintained.

PEOPLE
Are qualified officers managing the data center?
Is security training provided to new and existing employees?
Is the computer room policy documented and communicated to all visitors, including third parties, so that they know the dos and don'ts of the computer room?
Verify that the visitor register reconciles with the corresponding access approvals.
Verify that preventive maintenance is done and confirm the last date it was done, with evidence.

POWER
What controls have been considered and implemented to ensure that power and telecommunications cabling carrying data or supporting information services is protected from interception or damage?
Verify that backup electricity supplies are in place to ensure systems and services are not affected in the event of a power outage.
Verify that a power outage does not affect systems and service availability.
Is the UPS functional and adequate?
Emergency power off switch: two should be adequate (computer room and outside).
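As an added example that is not part of this audit program, the following Python script shows how an auditor could test the "visitor register reconciles with access approvals", "visitors are escorted" and "physical access is logged" checks against exported records. The register and approval entries are constructed sample data, and the record field names are assumptions.

```python
# Added example: reconcile a data-center visitor register against the access
# approvals that should authorize each visit. All records are constructed.
from dataclasses import dataclass
from datetime import datetime, date
from typing import Optional

@dataclass
class Approval:
    visitor: str
    approved_for: date      # day the visit was approved for
    approver: str           # e.g. Data Steward or delegate

@dataclass
class Visit:
    visitor: str
    time_in: datetime
    time_out: Optional[datetime]   # None = never signed out
    escort: Optional[str]          # None = unescorted

APPROVALS = [  # constructed sample approvals
    Approval("A. Visitor", date(2019, 1, 7), "Data Steward"),
    Approval("B. Vendor", date(2019, 1, 8), "Facilities Lead"),
]

REGISTER = [  # constructed sample visitor register
    Visit("A. Visitor", datetime(2019, 1, 7, 9, 5), datetime(2019, 1, 7, 11, 40), "Officer 1"),
    Visit("B. Vendor", datetime(2019, 1, 9, 14, 0), datetime(2019, 1, 9, 15, 30), "Officer 2"),
    Visit("C. Unknown", datetime(2019, 1, 8, 10, 0), None, None),
]

def reconcile(register, approvals):
    """Return one finding per control exception, in register order."""
    approved_days = {}
    for a in approvals:
        approved_days.setdefault(a.visitor, set()).add(a.approved_for)
    findings = []
    for v in register:
        day = v.time_in.date()
        if v.visitor not in approved_days:
            findings.append(f"{v.visitor} {day}: no access approval on file")
        elif day not in approved_days[v.visitor]:
            findings.append(f"{v.visitor} {day}: visit outside approved date(s)")
        if v.escort is None:
            findings.append(f"{v.visitor} {day}: visitor not escorted")
        if v.time_out is None:
            findings.append(f"{v.visitor} {day}: no sign-out recorded")
    return findings

if __name__ == "__main__":
    for f in reconcile(REGISTER, APPROVALS):
        print("EXCEPTION:", f)
```

Each finding maps to a checklist item the auditor can record in the Comments column, with the register line as evidence.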