Audit of Data Centre Management
3.3 Internal Control
Data centre performance is monitored and reported against service level agreements. The physical environment of the data centre is appropriately monitored and controlled.
However, improvements could be made in the following areas:
Finding 2.0: Control over Physical Access to the ICDC
The standard operating procedures for physical access to the ICDC are not always followed.
The Treasury Board Operational Security Standard on Physical Security states that "Departments must control access to restricted-access areas using safeguards that will grant access only to authorized personnel." In accordance with the Government Security Policy, Section 10.11, this standard provides baseline physical security requirements to counter threats to government employees, assets and service delivery and to provide consistent safeguarding for the Government of Canada.
The C.D. Howe complex is currently protected by several physical and operational security measures such as a 24/7 guard force, closed-circuit television, and the implementation of proximity card readers. A procedure has been documented for physically accessing the ICDC that includes signing the access log book and swiping the card reader.
Access log book procedures require CIO personnel to reference a Product Change Record (PCR) each time they enter the Data Centre. The procedures require that other building personnel (i.e. IC Facilities Management, building management) stipulate a reason for their visit.
A review of the access log book by the audit team indicated that procedures for CIO personnel were not always followed — PCRs are not always referenced and PCRs are sometimes referenced after their stop dates.
Card reader access rights to the data centre are managed by both CIO and Facilities Management. The audit team reviewed a non-statistical sample of individuals assigned access rights to the C.D. Howe (East Tower) Mezzanine Level Main Entrance of the ICDC, and found that rights were assigned to the access cards of three individuals who had left the Department, two of whose cards were still active at the time of the audit.
Industry best practices stipulate that access rights to IT resources should be on a need-to-know basis where there is a legitimate business requirement. As well, access rights should be maintained (and updated periodically) to reflect the current business requirements of personnel whose roles and responsibilities have changed.
Although the data centre is protected by numerous access controls, the effectiveness of these controls depends on their faithful execution. Effective access control is necessary to maintain the data centre's Protected B certification, to protect IT assets and to ensure continuity of availability of IT services.
It is recommended that the CIO ensure that the sign-in log book is reviewed periodically and that the importance of proper completion of the log book be underscored by:
- Contacting individuals who did not properly complete log entries; and
- Reminding all ICDC clients of the procedure to be followed when accessing the data centre.
It is recommended that the CIO, in conjunction with Facilities Management, ensure access rights are reviewed immediately, and periodically confirm that all individuals with card access rights to the various ICDC card readers have a current requirement for such access.
Finding 3.0: Server Evergreening
Servers acquired in 2005–2007 through a one-time investment will require a replacement strategy in 2011–2012.
Managing the IT infrastructure asset inventory through a life-cycle approach responds to the need to replace and upgrade an asset ("evergreening"), make changes to an asset and meet the requirements of new initiatives.
According to the 2010–2011 CIO Business Plan, "Evergreening Industry Canada's IT infrastructure remains a challenge. Each year the CIO reviews equipment that has reached end of life and plans its replacement based on criticality of the system, risks, business priorities, and funds available. The assets include telecommunications equipment, servers, data storage systems, and related equipment. The CIO received major investment funds from the Department in 2005–06 and 2006–07 through the Department's long-term capital plan....IT infrastructure investments made at that time are now reaching end of life and are in need of replacement."
A December 2009 inventory of servers provides evidence of evergreening — a high percentage of DCM servers (87%) are 4 years old or less, a result of significant investments in 2005–2007. These assets typically have a life span of 5 years1 and best practices dictate that investments be made every year. However, the server inventory also indicates that approximately 32% of these servers are three years old and 25% are four years old; they will require replacement in the coming year (2011–2012).
In 2008, the CIO formulated a replacement strategy for its infrastructure as a means of maintaining IT assets year over year. This strategy was never formally presented to Senior Management.
The CIO is currently focusing on software and infrastructure rust out, to support TBS's follow-up work from the spring 2010 report of the Auditor General (AG) on Aging IT Systems. As the AG report stated, "Without sufficient and timely investments to modernize or replace aging systems, the ability of departments and agencies to serve Canadians is at risk."
If the servers, storage and other IT assets in the ICDC are not life-cycle managed, there is an increased risk of service interruption to Departmental clients and the public, with a resulting loss of productivity and/or reputation. Furthermore, the delay of evergreening investments could result in the need for much more significant investment in server/storage replacement at a future date.
It is recommended that the CIO finalize and implement a replacement strategy for servers acquired in 2005–2007 in support of the Department's evergreening initiative.
Finding 4.0: Facilities Maintenance Agreements Documentation
DCM does not have confirmation that a formal Uninterrupted Power Supply Maintenance Agreement is in place.
The ICDC is housed on the mezzanine level of the east tower of the C.D. Howe Building. The C.D. Howe Building has been managed since April 1, 2005 by SNC-Lavalin O&M on behalf of Public Works and Government Services Canada (PWGSC).
Some Data Centre maintenance services are provided through Facilities Management (within the Comptrollership and Administration Sector), which interacts with PWGSC and SNC-Lavalin to engage contractors to perform necessary maintenance on important environmental and support equipment (e.g. air conditioners and Uninterrupted Power Supply (UPS)). This equipment is required to ensure the ongoing integrity and availability of the ICDC.
Requirements are provided by DCM to Facilities Management, which asks PWGSC to put in place a maintenance contract. PWGSC, in turn, sends the request to SNC-Lavalin, which in turn requests and evaluates proposals from suppliers and enters into a contract for the required maintenance service.
DCM, however, had not received any confirmation that a maintenance contract had been let for the maintenance of ICDC's UPS at the time of the audit. Without such confirmation, the Director of the DCM Directorate has no formal assurance that the required maintenance contract has been put in place.
It is recommended that the Director, DCM Directorate, in conjunction with Facilities Management, ensure that contract confirmation is received, providing assurance that ICDC facilities-related maintenance contracts are in place, prior to the cessation of the existing contracts.
1Asset Life Cycle Management Tools and Processes, Gartner Research Article: ID Number G00153023, 12 December 2007 (Return to reference 1)
- Date modified: