A Standard Checklist for Data Center Audits and Reports
Before taking a closer look at specialized data center audits and reports, it may help to understand what happens in a general-purpose data center. Not everything is cut and dried in these centers either: running and managing such a center may still require several different types of audits. Here are just a few of the audits an IT leader may need to perform in the average data center:
- Quality control
- Security procedures
- Energy efficiency
- Need for facility expansion
- Benchmark determinations for the facility
It is important that audits like these, and any others the data center requires, are performed at least once annually so that everyone can see that the company is doing things correctly. Such an audit can also shed light on any pain points the organization and its employees may be experiencing.
The Information Technology Infrastructure Library (ITIL) offers a set of best practices for IT service management that provides checklists for various aspects of management and service development.
The main type of audit and reporting procedure that data centers face involves the ISO 27000 series, set forth by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC), which provides a set of standards outlining how data centers should build and operate information security management systems. ISO 27000 covers security in terms of standards, policies, procedures and directives.
It is important that data centers have their ISO 27001 audit performed by an independent external auditor, which helps to eliminate employee bias and other organizational biases.
A checklist for an ISO 27001 audit will look similar to this:
- Installation and operation of hardware and software
- Equipment maintenance
- Continuous performance monitoring
- Operational monitoring
- Software management and recovery procedures
Specialized Data Center Audit and Report Cheat Sheets for Unique Industries and Their Unique Set of Standards
With a general idea of what data center audits and reports are and require, let’s take a look at some different industries and what they require for information security, regulatory compliance and more.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, mandated by the U.S. Department of Health and Human Services, was enacted to establish legal requirements for securing protected health information (PHI), that is, patient health data such as medical records.
HIPAA compliance is mandatory for healthcare organizations and vendors like data centers. Hosting providers must meet HIPAA compliance requirements to protect confidential data that comes under their care. An independent auditor can help determine whether the data center is following the proper policies and procedures set forth to provide HIPAA-compliant hosting solutions.
The Payment Card Industry Data Security Standard (PCI DSS) was created by the PCI Security Standards Council (SSC), a collective of the major credit card brands, and applies to companies that accept, store, process or transmit cardholder data. While not federally regulated, it is still important for data center operators to prove that they run a PCI-compliant facility with the report derived from an independent audit.
Outsourcing services to external companies has become a commonplace practice in today’s business landscape. These service organizations’ internal controls must be aligned with the client organization’s internal controls to ensure data security. A System and Organization Controls (SOC) 1 report, developed by the AICPA, measures the controls of the data center related to financial reporting matters.
The SOC 2 audit and report are completely different from SOC 1, since SOC 2 measures controls directly related to IT and data center service providers. The selected independent SOC 2 auditor evaluates the organization against whichever of the five Trust Services Criteria are in scope: security, availability, processing integrity, confidentiality and privacy. Further, there are two types of SOC 2 audits:
- Type 1: A review of the data center's system and the suitability of the design of its controls.
- Type 2: A review that covers everything in Type 1 and adds the auditor's opinion on the operating effectiveness of those controls.
To finish out the SOC suite, the SOC 3 report contains the auditor's opinion on the SOC 2 components in a general-use form, and includes a seal that clients can post on websites and other documents to show their customers their commitment to data security.
Do You Know Which Audits and Reports Your Data Center Needs to Perform?
Depending on your client base, you may need to perform only the most basic audits for your data center, such as an ISO 27001 audit, or you may need to perform several for multiple purposes. Have you done an inventory to determine which audits and reports you are obligated to perform and provide, such as PCI DSS, SOC 1 or SOC 2?
If you have a huge client roster and need help, our team at I.S. Partners, LLC. is here to answer your questions and help you get started. We will help you determine which audits you need to perform and how you should approach each one.