Evidence the IS auditor is required to collect includes the locking systems in use and
any logs maintained by IT management to record who accessed the data centre over a
period of time. If the enterprise is using electronic security systems, this
information is automatically logged, and the IS auditor can extract this information from
the application system used to manage access to the data centre.
j) Which environmental controls has the enterprise implemented to protect computing
equipment in the data centre?
One of the requirements for the protection of computing equipment in the data centre is to
ensure that an appropriate environment is implemented and maintained. This will ensure
that the equipment in the data centre is protected from physical damage and secure from
unauthorised persons.
There are many types of environmental controls which can be implemented in the data
centre. The enterprise should ensure that the temperature in the data centre is controlled.
This can be done by installing a cooling system in the data centre and operating it at a
recommended temperature. The enterprise can also install smoke detectors or fire extinguishers
to protect the data centre from fire. Where there are no environmental controls, the IS
auditor should advise management on the need to have such controls.
The IS auditor might be required to visit the data centre and conduct a physical
inspection. This way, the IS auditor would be able to obtain first-hand evidence
of the environmental controls which have been implemented.
A visit to the data centre will also enable the IS auditor to ask several questions about the
environmental controls in the data centre. Usually there are many controls which are
implemented, and the IS auditor is advised to prepare a checklist which can be used whilst on
a visit to the data centre.
k) What systems has the enterprise implemented to provide network security?
IT management should ensure that the internal resources on a network are protected from
hackers or other unauthorised people outside the network. Hackers can also be internal, so
when reviewing network security, this should be taken into consideration.
In order to secure network resources, different measures may be taken. Firewalls may be
implemented and installed on the perimeter of the network. Personal firewalls may also be
implemented on personal computers or laptops to protect workstations from unauthorised
access by both internal and external hackers.
Enterprises that have not implemented network security are at risk of losing their data or
having their systems damaged by unauthorised persons who could be motivated by
personal or commercial reasons. The IS auditor should ensure management is aware of this
situation so that corrective measures can be put in place.