Auditing Data Centers

Checklist for Auditing Data Centers

  1. Review data center exterior lighting, building orientation, signage, fences, and neighborhood characteristics to identify facility-related risks.
  2. Research the data center location for environmental hazards and to determine the distance to emergency services.
  3. Review data center doors and walls to determine whether they protect data center facilities adequately.
  4. Evaluate physical authentication devices to determine whether they are appropriate and are working properly.
  5. Ensure that physical access control procedures are comprehensive and being followed by data center and security staff.
  6. Ensure that intrusion alarms and surveillance systems are protecting the data center from physical intrusion.
  7. Review security guard building round logs and other documentation to evaluate the effectiveness of the security personnel function.
  8. Verify that sensitive areas within the data center are secured adequately. Ensure that all computer processing equipment essential to data center operations (such as hardware systems, power supply breakers, and so on) is located within the computer processing room or in a secure area.
  9. Verify that heating, ventilation, and air-conditioning (HVAC) systems maintain constant temperatures within the data center.
  10. Ensure that a water alarm system is configured to detect water in high-risk areas of the data center.
  11. Determine whether the data center has redundant power feeds.
  12. Verify that ground-to-earth exists to protect computer systems.
  13. Ensure that power is conditioned to prevent data loss.
  14. Verify that battery backup systems are providing continuous power during momentary black-outs and brown-outs.
  15. Ensure that generators protect against prolonged power loss and are in good working condition.
  16. Evaluate the usage and protection of emergency power-off (EPO) switches.
  17. Ensure that data center building construction incorporates appropriate fire suppression features.
  18. Ensure that data center personnel are trained in hazardous materials (hazmat) handling and storage and that hazmat procedures are appropriate. Also determine whether data center personnel are trained in how to respond to a fire emergency.
  19. Verify that fire extinguishers are strategically placed throughout the data center and are maintained properly.
  20. Ensure that fire suppression systems are protecting the data center from fire.
  21. Verify that fire alarms are in place to protect the data center from the risk of fire.
  22. Review the alarm monitoring console(s), reports, and procedures to verify that alarms are monitored continually by data center personnel.
  23. Verify that network, operating system, and application monitoring provides adequate information to identify potential problems for systems located in the data center.
  24. Ensure that roles and responsibilities of data center personnel are clearly defined.
  25. Verify that duties and job functions of data center personnel are segregated appropriately.
  26. Ensure that emergency response procedures address reasonably anticipated threats.
  27. Verify that data center facility-based systems and equipment are maintained properly.
  28. Ensure that data center personnel are trained properly to perform their job functions.
  29. Ensure that data center capacity is planned to avoid unnecessary outages.
  30. Verify that procedures are present to ensure secure storage and disposal of electronic media.
  31. Review and evaluate asset management for data center equipment.
  32. Ensure that hardware redundancy (redundancy of components within a system) is used to provide high availability where required.
  33. Verify that duplicate systems are used where very high system availability is required.
  34. Ensure that backup procedures and capacity are appropriate for respective systems.
  35. Verify that systems can be restored from backup media.
  36. Ensure that backup media can be retrieved promptly from off-site storage facilities.
  37. Ensure that a disaster recovery plan (DRP) exists and is comprehensive and that key employees are aware of their roles in the event of a disaster.
  38. Ensure that disaster recovery plans are updated and tested regularly.
  39. Verify that parts inventories and vendor agreements are accurate and current.
  40. Ensure that emergency operations plans address various disaster scenarios adequately.