Scribd
Upload
147 views

Computer Center Security and Controls

The document discusses controls for computer center security including physical location away from hazards, solid construction with controlled access, limited access, proper air conditioning, fire suppression system, and fault tolerance controls. It describes audit objectives to assess security controls, physical security procedures like construction and fire detection testing, access control testing, and fault tolerance control and power supply backup verification. It also mentions disaster recovery plans should provide second site backups.

Uploaded by

Syra Soriano
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
147 views

Computer Center Security and Controls

The document discusses controls for computer center security including physical location away from hazards, solid construction with controlled access, limited access, proper air conditioning, fire suppression system, and fault tolerance controls. It describes audit objectives to assess security controls, physical security procedures like construction and fire detection testing, access control testing, and fault tolerance control and power supply backup verification. It also mentions disaster recovery plans should provide second site backups.

Uploaded by

Syra Soriano
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 10

COMPUTER CENTER SECURITY AND

CONTROLS
COMPUTER CENTER CONTROLS
Since the computer resides in an environment which has a critical impact
on its continual operation and availability, site design requires careful planning to
insure an environment that will not adversely affect the computer center's
reliability and security.

With that objective, several key control features that contribute directly to
computer center security are established.
A. Physical Location
 The physical location selected for a computer center can influence the risk of disaster. To the
extent possible, the computer center should be located away from human-made and natural
hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood
plains and geological faults.

B. Construction
 Ideally, a computer center should be located in a single-story building of solid construction
with controlled access. Utility (power and telephone) and communications lines should be
underground. The building windows should not open. An air filtration system should be in
place that is capable of excluding pollens, dust, and dust mites.
C. Access
 Access to the computer should be limited to the operators and other employees who work
there. Programmers and analysts who occasionally need to correct program errors should
maintain accurate records of all such events to verify function of access control. The main
entrance to the computer should be a single door, although fire exits with alarms are necessary.
To achieve a higher level of security, closed-circuit cameras and video recording systems
should monitor access.

D. Air Conditioning
 Computers functions best in an air-conditioned environment. For mainframe computers,
providing adequate air conditioning is often a requirement of the vendor’s warranty.
Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative
humidity of 50 percent. Logic errors can occur in computer hardware when temperature depart
significantly from this range.
E. Fire Suppression
 The most common threat to a firm’s computer equipment is fire. Half of the companies that
suffer fires go out of business because of the loss of critical records, such as accounts
receivable. The implementation of an effective fire-suppression system requires consultation
with specialists.

F. Fault Tolerance Controls


 Fault tolerance is the ability of the system to continue operation when part of the system fails
because of hardware failure, application program error, or operator error. Implementing
redundant system components can achieve various levels of fault tolerance.
AUDIT OBJECTIVES RELATING TO COMPUTER
CENTER SECURITY

 The audit objectives are to determine whether: (1) controls governing computer

center security are adequate to reasonably protect the organization from physical
damage or losses; (2) insurance coverage on equipment is adequate to compensate
the organization for the destruction of, or damage to, its computer center; and (3)
operator documentation is adequate to deal with system failure as well as routine
operations.
AUDIT PROCEDURES FOR ASSESSING
PHYSICAL SECURITY CONTROLS

A. Tests of Physical Construction

 The auditor should obtain architectural plans to determine that the computer center is solidly
built of fireproof material. There should be adequate drainage under the raised floor to allow
water to flow away in the event of water damage from a fire in an upper floor or from some
other source. In addition, the auditor should assess the physical location of the computer
center. The facility should be located in an area that minimizes its exposure to fire, civil unrest,
and other hazards.
B. Tests of the Fire Detection System
 The auditor should establish that fire detection and suppression equipment, both manual and
automatic, are in place and are tested regularly. The fire detection system should detect smoke,
heat and combustible fumes. The evidence may be obtained by reviewing official fire marshal
records of tests, which are stored at the computer center.

C. Tests of Access Control


 The auditor must establish that routine access to the computer center is restricted to authorized
employees. Details about visitor access (by programmers and others), such as arrival and
departure times, purpose, and frequency of access, can be obtained by reviewing the access
log. To establish veracity of this document, the auditor may covertly observe the process by
which access is permitted.
D. Tests of Fault Tolerance Controls
 Many RAID configurations provide graphical mapping of their redundant disk storage.
From this mapping, the auditor should determine if the level of RAID in place is
adequate for the organization, given the level of business risk associated with disk
failure. If the organization is not employing RAID, the potential for a single point
system failure exists. The auditor should review with the system administrators
alternative procedure for recovering from a disk failure.

E. Power Supplies Back-up


 The auditor should verify from the test records that computer center personnel periodic
tests of the backup power supply to ensure that it has sufficient capacity to run the
computer and air conditioning. These important tests and their results should be
formally recorded.
DISASTER RECOVERY PLAN (DRP)
 is a comprehensive statement of all actions taken before, during, and after a disaster, along
with documented, tested procedures that will endure the continuity of operations. Although the
details of each plans are unique to the needs of the organization, all workable plans possess
common features.

Providing Second-site Backup


 A necessary ingredient in a DRP is that it provides for duplicate data processing facilities
following a disaster. The viable options available include the empty shell, recovery operations
center, and internally provided backup.

You might also like