FirstPreviousNext
View all pages

Audit of Data Centre Management

1.0 Executive Summary

1.1 Introduction

The Data Centre Management (DCM) Directorate is a unit within the Infrastructure Services Division (ISD). ISD reports to the Chief Informatics Officer (CIO). DCM's mandate is to maximize management and operations of Industry Canada's Data Centre (ICDC), while providing leadership and expertise to the Department's business units in the domains of servers, enterprise data storage and e-mail.

The objective of the audit engagement, as approved in the risk-based audit plan and confirmed in the planning phase of the audit, was to provide assurance that ICDC has adequate controls in place to protect the confidentiality, integrity and availability of Industry Canada's (IC) data and systems.

The scope of the audit engagement covered all aspects of the data centre facility housed at the C.D. Howe complex. The audit also examined DCM's exercise of governance, risk management and control. Furthermore, the audit reviewed the degree to which functional authority is established and exercised over computing facilities where sectors have retained responsibility for the development and support of program-specific Information Technology (IT) systems.

The audit did not include an examination of the computer and server rooms in operation outside of the ICDC (i.e. in Place du Portage, Jean Edmond Towers and regional offices). In addition the audit did not review logical access controls related to any particular applications, databases, or network devices (such as hubs, routers, switches and firewalls).

1.2 Overall Conclusion

The DCM function is mature in terms of operational processes and procedures. The Department has adopted and implemented the project management methodology outlined in the Treasury Board Secretariat (TBS)/CIO Enhanced Management Framework. Review bodies provide oversight to incidents, problems and changes. Furthermore, data centre performance is monitored and reported against service level agreements. The physical environment of the data centre is appropriately monitored and controlled.

However, opportunities exist to address and improve management practices related to the exercise of functional authority over the operation of the Department's computer and server rooms, control over physical access to the data centre, and activities to ensure the continued availability of data centre operations.

1.3 Main Findings

Governance

The DCM function is mature in terms of operational processes and procedures. The Department has adopted and implemented the project management methodology outlined in the TBS/CIO Enhanced Management Framework and the Information Technology Infrastructure Library service delivery and service support processes. Review bodies provide oversight to data centre incidents, problems and changes. However, improvement could be made in the following area:

Finding 1.0
The CIO is not fully exercising functional authority, at an operational level, over computing facilities where sectors have retained responsibility for the development and support of program-specific IT systems.

Internal Controls

The data centre's performance is monitored and reported against service level agreements. The physical environment of the data centre is appropriately monitored and controlled. However, improvements could be made in the following areas:

Finding 2.0
The standard operating procedures for physical access to the ICDC are not always followed.
Finding 3.0
Servers acquired in 2005–2007 through a one-time investment will require a replacement strategy in 2011–2012.
Finding 4.0
DCM does not have confirmation that a formal Uninterrupted Power Supply Maintenance Agreement is in place.

Risk Management

Threat and Risk Assessments are appropriately prepared and addressed and review committees discuss and assess risk on an ongoing basis. Problems and incidents are studied to determine root causes and to identify changes required to prevent recurrences. However, improvement could be made in the following area:

Finding 5.0
The CIO's IT Continuity and Business Continuity plans are incomplete and untested.

1.4 Recommendations

Recommendation 1.0
It is recommended that the CIO exercise functional authority with respect to the management of the Department's IT infrastructure, computer rooms and server rooms in operation outside of the ICDC.
Recommendation 2.0
It is recommended that the CIO ensure that the sign-in log book is reviewed periodically and that the importance of proper completion of the log book be underscored by:
  • Contacting individuals who did not properly complete log entries; and
  • Reminding all ICDC clients of the procedure to be followed when accessing the data centre.
Recommendation 2.1
It is recommended that the CIO, in conjunction with Facilities Management, ensure access rights are reviewed immediately, and periodically confirm that all individuals with card access rights to the various ICDC card readers have a current requirement for such access.
Recommendation 3.0
It is recommended that the CIO finalize and implement a replacement strategy for servers acquired in 2005–2007 in support of the Department's evergreening initiative.
Recommendation 4.0
It is recommended that the Director, DCM Directorate, in conjunction with Facilities Management, ensure that contract confirmation is received, providing assurance that ICDC facilities-related maintenance contracts are in place, prior to the cessation of the existing contracts.
Recommendation 5.0
It is recommended that the CIO ensure its IT Continuity Plan and Business Continuity Plan are finalized and tested periodically.

1.5 Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the entities examined and within the scope described herein. This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada.

1.6 Audit Opinion

In my opinion, the management of Industry Canada's Data Centre has strengths and weaknesses, with moderate risk exposures related to risk management, control, and governance processes relative to the assurance of IT continuity, asset life-cycle management, and the exercise of functional authority that require management attention.

Susan Hart
Chief Audit Executive,
Industry Canada

FirstPreviousNext
View all pages