Importance of IS Audit of IT Environmental Controls
Essay by people • June 25, 2011 • Essay • 928 Words (4 Pages) • 1,986 Views
The main technique used to audit environmental controls involves the IS auditor first determining what IT governance is in place covering environmental control requirements for key types of equipment (e.g., servers, firewalls) and facilities. The IS auditor should then tour the IPF or similar locations where computer and network equipment is housed, look for items such as smoke detectors and fire extinguishers, and confirm the presence of inspection tags or reports for specialized equipment such as alarm systems and backup power supplies. The IS auditor should also follow and apply testing procedures to any offsite storage and processing facilities.
Specifically, the IS auditor's responsibilities include the following:
Visit the computer room to visually verify the presence of water and smoke detectors.
Determine that the power supply to these detectors is sufficient, especially in instances of battery-operated devices. Also, the locations of the devices should be clearly marked and visible.
Verify that handheld fire extinguishers are placed in strategic high-visibility locations throughout the facility and are inspected annually.
Review documentation to ensure the fire suppression system has been inspected and tested at intervals that comply with industry and insurance standards and guidelines.
Verify that a local fire department inspector or insurance evaluator has recently inspected the facilities. If so, a copy of the report should be obtained, and appropriate personnel should determine how to address the deficiencies that were noted.
Review documentation that identifies the fire rating of the wall surrounding the IPF to verify that these walls have at least a two-hour fire resistance rating.
Visually observe the presence of electrical surge protectors on sensitive and expensive computer equipment.
Locate and review documentation concerning the use and placement of redundant power lines into the IPF.
Observe and evaluate the organization's documented and tested business continuity plan (BCP).
Verify that wiring in the IPF is placed in fire-resistant panels and conduits.
Determine the most recent UPS/generator test date and review the test reports.
Examine the emergency evacuation plan to determine whether it describes how to leave the IPFs in an organized manner that does not leave the facilities physically insecure.
Interview a sample of IS employees to determine whether they are familiar with the documented plan. The emergency evacuation plans should be posted throughout the facilities.
Visit the IPF at regular intervals to determine whether temperature and humidity are adequate.
Host-Based and Network-Based Testing
Host-based testing is usually run using a privileged account on a host computer so that it has the unrestricted ability to examine and evaluate many different types of security settings (e.g., account and password policies, file and directory permissions). This can provide an in-depth examination of the security configuration for key mechanisms, such as the operating system or a database management system (DBMS).
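As an added example (not part of the essay), the following is a small host-based check of the kind described above: it reads password-policy settings and file modes from constructed sample data standing in for /etc/login.defs and stat output, and compares them with an assumed baseline.

```python
"""Host-based audit check (added example, not from the essay).

A host-based test runs under a privileged account and reads local security
settings directly. This block evaluates two setting types the essay names,
password policy and file permissions, against an assumed minimum baseline.
"""
import stat

# Assumed baseline, not taken from the essay: (operator, limit) per setting.
PASSWORD_BASELINE = {
    "PASS_MAX_DAYS": ("<=", 90),
    "PASS_MIN_DAYS": (">=", 1),
    "PASS_MIN_LEN": (">=", 12),
}
# Paths that must not be readable by "other" (assumed list).
RESTRICTED_PATHS = {"/etc/shadow"}

# Constructed sample of a login.defs-style file (weak settings on purpose).
SAMPLE_LOGIN_DEFS = """
# comment line
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""
# Constructed (path, mode) pairs as a privileged stat call would report them.
SAMPLE_FILES = [("/etc/passwd", 0o644), ("/etc/shadow", 0o640),
                ("/etc/cron.d/backup", 0o666), ("/var/www/upload", 0o777)]

def parse_login_defs(text):
    """Return {KEY: int} for numeric settings, ignoring comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].isdigit():
            settings[parts[0]] = int(parts[1])
    return settings

def audit_password_policy(text, baseline=PASSWORD_BASELINE):
    """List each baseline setting that is missing or outside its limit."""
    settings, findings = parse_login_defs(text), []
    for key, (op, limit) in baseline.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} not set")
        elif (op == "<=" and value > limit) or (op == ">=" and value < limit):
            findings.append(f"{key}={value} violates {op} {limit}")
    return findings

def audit_permissions(files, restricted=RESTRICTED_PATHS):
    """Flag world-writable paths and restricted paths readable by others."""
    findings = []
    for path, mode in files:
        if mode & stat.S_IWOTH:
            findings.append(f"{path} is world-writable ({oct(mode)})")
        if path in restricted and mode & stat.S_IROTH:
            findings.append(f"{path} is readable by others ({oct(mode)})")
    return findings
```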
Network-based testing is run from a remote computer, and therefore does not normally have privileged access to the target. However, it can identify services being offered that the host-based tool may not test for, including those with potential security flaws. The network-based tool can also help determine what security is provided by devices along the network path, such as firewalls and packet filtering routers, as well as limitations on access from the
...