Audit of Data Centre Management

2.0 About the Audit

2.1 Background

Data Centre Management Directorate:

The Data Centre Management Directorate is a unit within the Infrastructure Services Division. ISD reports to the Chief Informatics Office. DCM's mandate is to maximize management and operations of Industry Canada's Data Centre, while providing leadership and expertise to the Department's business units in the domains of servers, enterprise data storage and e-mail. Its mission centers on strengthened relationships and continuous collaboration with partners, stakeholders, and clients.

The mission and vision of the organization are as follows:

The mission and vision of the organization

Mission	Vision
The CIO's mission is to be an organization that maximizes the performance of the department through modern and progressive management of Information Technology (IT) services, policies, and resources.	The CIO's vision is to be recognized for delivering high-quality IT services. In this context, DCM aims to provide world class corporate infrastructure services to its clients in a cost effective manner.

DCM manages the ICDC, located in the C.D. Howe building. The 6,200 square-foot facility houses approximately 400 servers (mostly managed by DCM), and more than 200 Tera-bytes of data storage.

Core Services:

In order to deliver on the mission and vision, DCM Directorate provides the following services:

Computing Facilities

The ICDC is housed in a secure and managed facility at 235 Queen Street. It is a state-of the art facility with independent climate control, fire suppression systems, uninterruptible power supply, continuous monitoring, and generators.

Server Management

The Server Management Team manages and supports the enterprise application server infrastructure. As part of an enhanced service delivery model, the Server Management Team has restructured into two distinct groups: Windows Server Management and UNIX Server Management.

Storage Management

The Storage Management Group is responsible for providing enterprise data storage through multi-tiered storage area network architecture. It engineers data backups, develops archiving and retention strategies, manages data storage capacity and monitors usage trends.

Messaging

The Messaging Services group is responsible for engineering and system management of the corporate e-mail system.

Public Key Infrastructure (PKI)

The PKI service comprises a comprehensive portfolio of capabilities, functions and procedures that maintain secure systems and permit the communication of sensitive information.

2.2 Objective

The objective of the audit engagement, as approved in the risk-based audit plan and confirmed in the planning phase of the audit, is to provide assurance that ICDC has adequate controls in place to protect the confidentiality, integrity and availability of Industry Canada's data and systems.

2.3 Scope

The scope of the audit engagement covered all aspects of the data centre facility housed at the C.D. Howe complex. The audit also examined DCM's exercise of governance, risk management and control. Furthermore, the audit reviewed the degree to which functional authority is established and exercised over computing facilities where sectors have retained responsibility for the development and support of program-specific IT systems.

The audit did not include an examination of the computer and server rooms in operation outside of the ICDC (i.e. in Place du Portage, Jean Edmond Towers and regional offices). In addition the audit did not review logical access controls related to any particular applications, databases, or network devices such as hubs, routers, switches and firewalls.

2.4 Methodology

The audit criteria focus on providing assurance of the adequacy of the DCM's controls in protecting the confidentiality, integrity and availability of the Department's IT assets. Linkages were made between the Control Objectives for Information and related Technology (COBIT — a set of best practices for information technology management) and Treasury Board Secretariat's Core Management Controls (CMCs); therefore the assessment of the CMCs is also an assessment of the corresponding COBIT criteria. Refer to Appendix A for a list of audit criteria used.

This internal audit was conducted in accordance with the Treasury Board Policy on Internal Audit and Internal Auditing Standards for the Government of Canada. The audit approach consisted of the following:

• Documentation review: 29 key documents were reviewed.
• Interviews: A total of 14 interviews with CIO, DCM, and Building Management staff were conducted for inquiry and corroboration.

The information gathered through these procedures was analyzed and assessed against the audit criteria developed during the planning stage of the audit. These criteria have been shared with the client.

Audit fieldwork was conducted during June and July 2010.