Audit of Data Centre Management
1.0 Executive Summary
The Data Centre Management (DCM) Directorate is a unit within the Infrastructure Services Division (ISD). ISD reports to the Chief Informatics Officer (CIO). DCM's mandate is to maximize management and operations of Industry Canada's Data Centre (ICDC), while providing leadership and expertise to the Department's business units in the domains of servers, enterprise data storage and e-mail.
The objective of the audit engagement, as approved in the risk-based audit plan and confirmed in the planning phase of the audit, was to provide assurance that ICDC has adequate controls in place to protect the confidentiality, integrity and availability of Industry Canada's (IC) data and systems.
The scope of the audit engagement covered all aspects of the data centre facility housed at the C.D. Howe complex. The audit also examined DCM's exercise of governance, risk management and control. Furthermore, the audit reviewed the degree to which functional authority is established and exercised over computing facilities where sectors have retained responsibility for the development and support of program-specific Information Technology (IT) systems.
The audit did not include an examination of the computer and server rooms in operation outside of the ICDC (i.e. in Place du Portage, Jean Edmond Towers and regional offices). In addition the audit did not review logical access controls related to any particular applications, databases, or network devices (such as hubs, routers, switches and firewalls).
1.2 Overall Conclusion
The DCM function is mature in terms of operational processes and procedures. The Department has adopted and implemented the project management methodology outlined in the Treasury Board Secretariat (TBS)/CIO Enhanced Management Framework. Review bodies provide oversight to incidents, problems and changes. Furthermore, data centre performance is monitored and reported against service level agreements. The physical environment of the data centre is appropriately monitored and controlled.
However, opportunities exist to address and improve management practices related to the exercise of functional authority over the operation of the Department's computer and server rooms, control over physical access to the data centre, and activities to ensure the continued availability of data centre operations.
1.3 Main Findings
The DCM function is mature in terms of operational processes and procedures. The Department has adopted and implemented the project management methodology outlined in the TBS/CIO Enhanced Management Framework and the Information Technology Infrastructure Library service delivery and service support processes. Review bodies provide oversight to data centre incidents, problems and changes. However, improvement could be made in the following area:
The data centre's performance is monitored and reported against service level agreements. The physical environment of the data centre is appropriately monitored and controlled. However, improvements could be made in the following areas:
Threat and Risk Assessments are appropriately prepared and addressed and review committees discuss and assess risk on an ongoing basis. Problems and incidents are studied to determine root causes and to identify changes required to prevent recurrences. However, improvement could be made in the following area:
- Contacting individuals who did not properly complete log entries; and
- Reminding all ICDC clients of the procedure to be followed when accessing the data centre.
1.5 Statement of Assurance
In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the entities examined and within the scope described herein. This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada.
1.6 Audit Opinion
In my opinion, the management of Industry Canada's Data Centre has strengths and weaknesses, with moderate risk exposures related to risk management, control, and governance processes relative to the assurance of IT continuity, asset life-cycle management, and the exercise of functional authority that require management attention.
Chief Audit Executive,
- Date modified: