Off-Site Data Storage Audit Number June 9, 2009

Transcription

1 Audit Number June 9, 2009 University Audit and Advisory Services

2 EXECUTIVE SUMMARY Objectives and Scope The objectives of the audit included reviewing compliance with the terms of off-site data storage vendor contracts and a determination of compliance with Arizona Board of Regents (ABOR) and ASU policies and procedures. Using ASU s financial system, the following were determined to be currently utilizing off-site storage services: The Biodesign Institute The Fulton School of Engineering The University Technology Office (UTO) The WP Carey School of Business The Hayden Library was utilizing offsite storage services until recently when the UTO began hosting their data and providing any needed back-ups. Representatives from each of the areas utilizing off-site storage services were interviewed. They provided detailed information on current back-up procedures and an assessment of their interactions with the off-site storage vendor. Tours were also provided of the ASU IT facilities housing the data prior to pick-up by the vendor. The WP Carey School of Business coordinates vendor pick-up times with the UTO to increase efficiency. The ASU Purchasing Department accessed a state contract to create a purchase order for the service of off-site data storage. State contracts are publicly competitively bid and therefore meet the same solicitation requirements ASU maintains. The vendor is held to the requirements of the original state contract. The scope of this audit focused on vouching the requirements of the underlying state contract to the ASU purchase order for secure off-site data storage. The rates charged on a sample of invoices were verified not to exceed the rates on the contract price sheet. The timing and sum of the payments paid to this vendor were reasonable. University Audit completed a site visit to verify the required security was being afforded to the media in the controlled storage area of the off-site storage vendor. The storage and transport containers were examined. The fire extinguishing system and the enclosed vehicles used to transport the media were observed. The CedarCrestone and ADOA data hosting were not included in the scope of this audit. Conclusion No exceptions to the terms of the off-site data storage vendor contract were found. The manner in which the off-site data storage vendor is being utilized is consistent with ABOR and ASU policies and procedures. i

3 July 15, 2009 Adrian Sannier University Technology Officer and Vice President University Technology Office Computing Commons 462 Tempe, AZ Dear Dr. Sannier: Attached is the audit of Information Technology, conducted in accordance with University Audit and Advisory Services revised annual audit plan for FY The objectives of the audit included reviewing compliance with the terms of data storage vendor contracts and a determination of compliance with Arizona Board of Regents (ABOR) and ASU policies and procedures. The scope of this audit focused on vouching the requirements of the underlying state contract to the ASU purchase order for secure off-site data storage to the service provided. The CedarCrestone and ADOA data hosting were not included in the scope of this audit. We appreciate the cooperation and courtesy extended to our auditors during the review. Please contact me at (480) if I can answer questions or provide additional information. Sincerely, Tracy Grunig, CPA, CFE, MPA Director, University Audit and Advisory Services c: Arizona Board of Regents Audit Committee Michael Crow, President, Arizona State University Elizabeth Capaldi, Executive Vice President and Provost Morgan Olsen, Executive Vice President, Treasurer and CFO José A. Cárdenas, Senior Vice President and General Counsel James O Brien, Vice President and Chief of Staff, Office of the President Gerald Snyder, Senior Associate Vice President of Finance and Deputy Treasurer Bob Nelson, Associate Vice President, University Technology Office Terry Hinton, Director, Information Technology Services, Operations Data Center Shawn Bryan, Director, Information Technology Services, Operations Applications Support Kelly Briner, Director, EDS Business Intelligence (Audit Liaison)

4 TABLE OF CONTENTS INTRODUCTION... 1 OBJECTIVE, SCOPE AND METHODOLOGY... 2 CONCLUSION... 3 AUDITOR... 3

5 INTRODUCTION The University Technology Office (UTO) utilizes the One University in Many Places aspect of ASU to help ensure the integrity of the University s electronic data and to increase system availability through storing redundant data in multiple locations. Several locations on the over 1500 acres of the four main campuses are utilized for this purpose. Off-site secure storage and hosting are also utilized. UTO manages several electronic data systems. Back-up strategies are uniquely designed for each system based on security and accessibility requirements that dictate: The predetermined duration of time that will elapse between creations of duplicate data. o Back-ups are performed on scheduled rotations. Data is duplicated after a predetermined duration of time elapses. Risk of loss decreases and cost increases at rates unique to each system as the predetermined length of time is decreased. The geographic location the duplicate data will be stored. o The distance between copies of redundant data is inversely related to the risk of loss. The media type and connectivity used to store the duplicate data. o Media types and connectivity vary widely in price, performance and durability. The duration of time duplicate data will be retained. o The duplicate data should have the same life-span of the original data. The most current systems use a process of data mirroring. Data is mirrored, or copied real-time, between drives at separate locations. If the system providing service becomes unavailable, the system with the redundant data is utilized until the original system is brought back on-line. UTO attempts to maximize distance between mirrored systems to help prevent both systems from being brought down at the same time. Distances between mirrored systems range from adjacent to over 20 miles apart. Mirrored systems are connected through dedicated fiber-optic lines. Magnetic tape is currently used to back-up data both on and off-site. The off-site magnetic tape data storage, which is the focus of this audit, has been significantly scaled down. The majority of the tapes sent off-site were being created by the Advantage financial system. This main-frame system has been relocated to the Arizona Department of Administration (ADOA) for hosting beginning in May of The responsibility of the ADOA to host the financial data is similar to CedarCrestone s responsibility to host the PeopleSoft data. 1

6 OBJECTIVE, SCOPE AND METHODOLOGY The objectives of the audit included reviewing compliance with the terms of off-site data storage vendor contracts and a determination of compliance with Arizona Board of Regents (ABOR) and ASU policies and procedures. Using ASU s financial system, the following were determined to be currently utilizing off-site storage services: The Biodesign Institute The Fulton School of Engineering The University Technology Office (UTO) The WP Carey School of Business The Hayden Library was utilizing off-site storage services until recently when the UTO began hosting their data and providing any needed back-ups. Representatives from each of the areas utilizing off-site storage services were interviewed. They provided detailed information on current back-up procedures and an assessment of their interactions with the off-site storage vendor. Tours were also provided of the ASU IT facilities housing the data prior to pick-up by the vendor. The WP Carey School of Business coordinates vendor pick-up times with the UTO to increase efficiency. The ASU Purchasing Department accessed a state contract to create a purchase order for the service of off-site data storage. State contracts are publicly competitively bid and therefore meet the same solicitation requirements ASU maintains. The vendor is held to the requirements of the original state contract. The scope of this audit focused on vouching the requirements of the underlying state contract to the ASU purchase order for secure off-site data storage. The rates charged on a sample of invoices were verified not to exceed the rates on the contract price sheet. The timing and sum of the payments paid to this vendor were reasonable. University Audit completed a site visit to verify the required security was being afforded to the media in the controlled storage area of the off-site storage vendor. The storage and transport containers were examined. The fire extinguishing system and the enclosed vehicles used to transport the media were observed. The CedarCrestone and ADOA data hosting were not included in the scope of this audit. 2

7 CONCLUSION No exceptions to the terms of the off-site data storage vendor contract were found. The manner in which the off-site data storage vendor is being utilized is consistent with ABOR and ASU policies and procedures. AUDITOR Lee T. Pettit, CPA, CISA 3