Cobit5 Series : Data Center & DRC Checklist Template
Didalam Cobit5 Control Objectives for Information and Related Technology (COBIT) tujuan utamanya adalah membantu organisasi untuk membuat value yang optimal dari IT dengan cara me maintenance antara mengoptimalisasi penggunaan resource dan resiko.
Dan dalam aplikasinya COBIT5 dapatlah secara sederhana dikaitkan dengan proses audit dari IT itu sendiri, implementasi COBIT5 bisa dikatakan berbanding lurus dengan audit Informasi technology. Dalam pada itu banyak sekali template untuk audit tersebut, salah satunya adalah checklist template untuk data center, adapun contohnya adalah sebagai berikut :
| Checklist for Auditing Data Centers | ||
| Company | ||
| Date | ||
| No | Audit Question | Status |
| 1 | Review data center exterior lighting, building orientation, signage, and neighborhood characteristics to identify facility related risks. | |
| 2 | Research the data center location for environmental hazards and to determine the distance to emergency services. | |
| 3 | Review exterior doors and walls to determine if they protect data centers facilities adequately. | |
| 4 | Evaluate physical authentication devices to determine if they are appropriate for the manner in which they are being used and are working properly. | |
| 5 | Review security guard building rounds logs and other documentation to evaluate the effectiveness of the security personnel function. | |
| 6 | Verify that sensitive areas are secured adequately. | |
| 7 | Verify that heating, ventilation, and air-conditioning systems maintain constant temperatures within the data center. | |
| 8 | Evaluate the data center’s use of electronic shielding to verify that radio emissions do not affect computer systems or that system emissions cannot be used to gain unauthorized access to sensitive information. | |
| 9 | Determine whether the data center has redundant power feeds. | |
| 10 | Verify that ground to earth exists to protect computer systems. | |
| 11 | Ensure that power is conditioned to prevent data loss. | |
| 12 | Verify that battery backup systems are providing continuous power during momentary black-outs and brown-outs. | |
| 13 | Ensure that generators protect against prolonged power loss and are in good working condition. | |
| 14 | Ensure that a burglar alarm is protecting the data center from physical intrusion. | |
| 15 | Verify that a fire alarm is protecting the data center from the risk of fire. | |
| 16 | Ensure that a water alarm system is configured to detect water in high-risk areas of the data center. | |
| 17 | Ensure that a humidity alarm is configured to notify data center personnel of either high or low-humidity conditions. | |
| 18 | Review the alarm monitoring console(s) and alarm reports to verify that alarms are monitored continually by data center personnel. | |
| 19 | Ensure that data center building construction incorporates appropriate fire suppression features. | |
| 20 | Ensure that data center personnel are trained in hazardous materials handling and storage and that hazmat procedures are appropriate. | |
| 21 | Verify that fire extinguishers are placed every 50 ft within data center isles and are maintained properly. | |
| 22 | Ensure that fire suppression systems are protecting the data center from fire. | |
| 23 | Verify that surveillance systems are designed and operating properly. | |
| 24 | Ensure that physical access control procedures are comprehensive and being followed by security staff. | |
| 25 | Review facility monitoring procedures to ensure that alarm conditions are addressed promptly. | |
| 26 | Verify that network, operating system, and application monitoring procedures provide adequate information to identify potential problems. | |
| 27 | Ensure that roles and responsibilities of data center personnel are clearly defined. | |
| 28 | Verify that duties and job functions of data center personnel are segregated appropriately. | |
| 29 | Ensure that emergency response procedures address reasonably anticipated threats. | |
| 30 | Verify that data center facility-based systems and equipment are maintained properly. | |
| 31 | Ensure that data center personnel are trained properly to perform their job functions. | |
| 32 | Ensure that data center capacity is planned to avoid unnecessary outages. | |
| 33 | Verify that procedures are present to ensure secure storage and disposal of system media. | |
Sedangkan contoh untuk checklist Disaster Recovery Center adalah sebagai berikut :
| Disaster Recovery Plan Testing Templates and Checklist | |||||
| Conducting a recovery test | |||||
| Status | Notes | ||||
| No | Activity | Y | N | N/A | |
| 1 | Select the purpose of the test. What aspects of the plan are being evaluated? | ||||
| 2 | Describe the objectives of the test. How will you measure successful achievement of the objectives? | ||||
| 3 | Meet with management and explain the test and objectives. Gain their agreement and support. | ||||
| 4 | Have management announce the test and the expected completion time. | ||||
| 5 | Collect test results at the end of the test period. | ||||
| 6 | Evaluate results. Was recovery successful? Why or why not? | ||||
| 7 | Determine the implications of the test results. Does successful recovery in a simple case imply successful recovery for all critical jobs in the tolerable outage period? | ||||
| 8 | Make recommendations for changes. Call for responses by a given date. | ||||
| 9 | Notify other areas of results. Include users and auditors. | ||||
| 10 | Change the disaster recovery plan manual as necessary. | ||||
| Areas to be tested | |||||
| Status | Notes | ||||
| No | Activity | Y | N | N/A | |
| 1 | Recovery of individual application systems by using files and documentation stored off-site. | ||||
| 2 | Reloading of system tapes and performing an IPL by using files and documentation stored off-site. | ||||
| 3 | Ability to process on a different computer. | ||||
| 4 | Ability of management to determine priority of systems with limited processing. | ||||
| 5 | Ability to recover and process successfully without key people. | ||||
| 6 | Ability of the plan to clarify areas of responsibility and the chain of command. | ||||
| 7 | Effectiveness of security measures and security bypass procedures during the recovery period. | ||||
| 8 | Ability to accomplish emergency evacuation and basic first-aid responses. | ||||
| 9 | Ability of users of real-time systems to cope with a temporary loss of on-line information. | ||||
| 10 | Ability of users to continue day-to-day operations without applications or jobs that are considered noncritical. | ||||
| 11 | Ability to contact the key people or their designated alternates quickly. | ||||
| 12 | Ability of data entry personnel to provide the input to critical systems by using alternate sites and different input media. | ||||
| 13 | Availability of peripheral equipment and processing, such as printers and scanners. | ||||
| 14 | Availability of support equipment, such as air conditioners and dehumidifiers. | ||||
| 15 | Availability of support: supplies, transportation, communication. | ||||
| 16 | Distribution of output produced at the recovery site. | ||||
| 17 | Availability of important forms and paper stock. | ||||
| 18 | Ability to adapt plan to lesser disasters. | ||||
Demikian sharing saya untuk hari ini 🙂
Referensi :
http://en.wikipedia.org/wiki/COBIT
http://www.sox-online.com/cobit.html
