How do I conduct an effective data center audit?
April 30, 2013 3:34 PM

I am going to be conducting a data center audit for a company in a colo facility. I need to talk to someone who has either done an audit or works in data center operations about my audit plan to make sure that I am not missing critical parts. Please help if you can.
posted by RedShrek to Technology (7 answers total)

Do you have access to a SAS70 (or SSAE 16 or whatever it is now) audit document? That lays out item by item what they're looking for.
posted by chesty_a_arthur at 3:41 PM on April 30, 2013


Response by poster: Yeah, I have the SSAE 16 but that tells me the controls the provider has in place. My function is within the Internal Audit function of a customer. I still have to review the End User Controls considerations. I also feel SSAE 16 narrowly focuses on basic physical security controls and environmental controls. I guess I am trying to figure out if there is something I can do that goes beyond what the SSAE 16 looks at. In my case, I am looking at management oversight of data center ops, physical security, SLA management, environmental controls, and NOC operations.
posted by RedShrek at 3:45 PM on April 30, 2013


Read through the list of FedRAMP controls. (Should be available on fedramp.gov)

These cover the compliance controls required for CSPs to do business with govt agencies. As someone who has driven audits with both FedRAMP and SSAE16, FedRAMP is far more rigorous in terms of virtual access control etc.
posted by badgerbadgerbadger at 6:10 PM on April 30, 2013


Response by poster: Thanks! I will look at it for clues but my client is a commercial entity.
posted by RedShrek at 9:04 PM on April 30, 2013


You don't say whether you are willing to pay for the information, but have you checked out the ISACA website? I think their IS audit and assurance frameworks might be helpful.
posted by Revie1 at 4:28 AM on May 1, 2013


Best answer: > FedRAMP controls

FedRAMP uses NIST 800-53 controls, so that may be more helpful to google. The rev4 edition of 800-53 (just came out in final this week) also has enhanced controls for management, privacy and cloud services, so make sure you're not looking at older versions.

> I am trying to figure out if there is something I can do that goes beyond what the SSAE 16 looks at.

Yes, you can always add more controls or tighten existing controls and remain in compliance with the standard. The controls listed are the minimum required to meet compliance. You can and should adjust them to your biz needs. If you're looking for ideas on more enhanced controls, look at NIST 800-53r4 for MODERATE or HIGH impact systems.
posted by anti social order at 11:48 AM on May 1, 2013


Response by poster: Thanks to everyone that contributed. I took parts of the NIST guidance and mixed it up with some other stuff and it worked out just fine. Thanks all.
posted by RedShrek at 1:12 PM on June 1, 2013

