Off-Site Data Storage Audit Number 09-07 June 9, 2009




Audit Number 09-07 June 9, 2009 University Audit and Advisory Services

EXECUTIVE SUMMARY

Objectives and Scope

The objectives of the audit included reviewing compliance with the terms of off-site data storage vendor contracts and a determination of compliance with Arizona Board of Regents (ABOR) and ASU policies and procedures. Using ASU's financial system, the following were determined to be currently utilizing off-site storage services:

• The Biodesign Institute
• The Fulton School of Engineering
• The University Technology Office (UTO)
• The WP Carey School of Business

The Hayden Library was utilizing off-site storage services until recently when the UTO began hosting their data and providing any needed back-ups.

Representatives from each of the areas utilizing off-site storage services were interviewed. They provided detailed information on current back-up procedures and an assessment of their interactions with the off-site storage vendor. Tours were also provided of the ASU IT facilities housing the data prior to pick-up by the vendor. The WP Carey School of Business coordinates vendor pick-up times with the UTO to increase efficiency.

The ASU Purchasing Department accessed a state contract to create a purchase order for the service of off-site data storage. State contracts are publicly competitively bid and therefore meet the same solicitation requirements ASU maintains. The vendor is held to the requirements of the original state contract.

The scope of this audit focused on vouching the requirements of the underlying state contract to the ASU purchase order for secure off-site data storage. The rates charged on a sample of invoices were verified not to exceed the rates on the contract price sheet. The timing and sum of the payments paid to this vendor were reasonable.

University Audit completed a site visit to verify the required security was being afforded to the media in the controlled storage area of the off-site storage vendor. The storage and transport containers were examined. The fire extinguishing system and the enclosed vehicles used to transport the media were observed.

The CedarCrestone and ADOA data hosting were not included in the scope of this audit.

Conclusion

No exceptions to the terms of the off-site data storage vendor contract were found. The manner in which the off-site data storage vendor is being utilized is consistent with ABOR and ASU policies and procedures.

July 15, 2009

Adrian Sannier
University Technology Officer and Vice President
University Technology Office
Computing Commons 462
Tempe, AZ 85287

Dear Dr. Sannier:

Attached is the audit of Information Technology, conducted in accordance with University Audit and Advisory Services revised annual audit plan for FY 2009.

The objectives of the audit included reviewing compliance with the terms of data storage vendor contracts and a determination of compliance with Arizona Board of Regents (ABOR) and ASU policies and procedures.

The scope of this audit focused on vouching the requirements of the underlying state contract to the ASU purchase order for secure off-site data storage to the service provided. The CedarCrestone and ADOA data hosting were not included in the scope of this audit.

We appreciate the cooperation and courtesy extended to our auditors during the review. Please contact me at (480) 965-5511 if I can answer questions or provide additional information.

Sincerely,

Tracy Grunig, CPA, CFE, MPA
Director, University Audit and Advisory Services

c: Arizona Board of Regents Audit Committee
Michael Crow, President, Arizona State University
Elizabeth Capaldi, Executive Vice President and Provost
Morgan Olsen, Executive Vice President, Treasurer and CFO
José A. Cárdenas, Senior Vice President and General Counsel
James O'Brien, Vice President and Chief of Staff, Office of the President
Gerald Snyder, Senior Associate Vice President of Finance and Deputy Treasurer
Bob Nelson, Associate Vice President, University Technology Office
Terry Hinton, Director, Information Technology Services, Operations Data Center
Shawn Bryan, Director, Information Technology Services, Operations Applications Support
Kelly Briner, Director, EDS Business Intelligence (Audit Liaison)

TABLE OF CONTENTS

INTRODUCTION
OBJECTIVE, SCOPE AND METHODOLOGY
CONCLUSION
AUDITOR

INTRODUCTION

The University Technology Office (UTO) utilizes the "One University in Many Places" aspect of ASU to help ensure the integrity of the University's electronic data and to increase system availability through storing redundant data in multiple locations. Several locations across the more than 1500 acres of the four main campuses are utilized for this purpose. Off-site secure storage and hosting are also utilized.

UTO manages several electronic data systems. Back-up strategies are uniquely designed for each system based on security and accessibility requirements that dictate:

• The predetermined duration of time that will elapse between creations of duplicate data.
  o Back-ups are performed on scheduled rotations. Data is duplicated after a predetermined duration of time elapses. Risk of loss decreases and cost increases at rates unique to each system as the predetermined length of time is decreased.
• The geographic location where the duplicate data will be stored.
  o The distance between copies of redundant data is inversely related to the risk of loss.
• The media type and connectivity used to store the duplicate data.
  o Media types and connectivity vary widely in price, performance and durability.
• The duration of time duplicate data will be retained.
  o The duplicate data should have the same life-span as the original data.

The most current systems use a process of data mirroring. Data is mirrored, or copied in real time, between drives at separate locations. If the system providing service becomes unavailable, the system with the redundant data is utilized until the original system is brought back on-line. UTO attempts to maximize distance between mirrored systems to help prevent both systems from being brought down at the same time. Distances between mirrored systems range from adjacent to over 20 miles apart. Mirrored systems are connected through dedicated fiber-optic lines.

Magnetic tape is currently used to back up data both on and off-site. The off-site magnetic tape data storage, which is the focus of this audit, has been significantly scaled down. The majority of the tapes sent off-site were being created by the Advantage financial system. This main-frame system has been relocated to the Arizona Department of Administration (ADOA) for hosting beginning in May of 2009. The responsibility of the ADOA to host the financial data is similar to CedarCrestone's responsibility to host the PeopleSoft data.

OBJECTIVE, SCOPE AND METHODOLOGY

The objectives of the audit included reviewing compliance with the terms of off-site data storage vendor contracts and a determination of compliance with Arizona Board of Regents (ABOR) and ASU policies and procedures. Using ASU's financial system, the following were determined to be currently utilizing off-site storage services:

• The Biodesign Institute
• The Fulton School of Engineering
• The University Technology Office (UTO)
• The WP Carey School of Business

The Hayden Library was utilizing off-site storage services until recently when the UTO began hosting their data and providing any needed back-ups.

Representatives from each of the areas utilizing off-site storage services were interviewed. They provided detailed information on current back-up procedures and an assessment of their interactions with the off-site storage vendor. Tours were also provided of the ASU IT facilities housing the data prior to pick-up by the vendor. The WP Carey School of Business coordinates vendor pick-up times with the UTO to increase efficiency.

The ASU Purchasing Department accessed a state contract to create a purchase order for the service of off-site data storage. State contracts are publicly competitively bid and therefore meet the same solicitation requirements ASU maintains. The vendor is held to the requirements of the original state contract.

The scope of this audit focused on vouching the requirements of the underlying state contract to the ASU purchase order for secure off-site data storage. The rates charged on a sample of invoices were verified not to exceed the rates on the contract price sheet. The timing and sum of the payments paid to this vendor were reasonable.

University Audit completed a site visit to verify the required security was being afforded to the media in the controlled storage area of the off-site storage vendor. The storage and transport containers were examined. The fire extinguishing system and the enclosed vehicles used to transport the media were observed.

The CedarCrestone and ADOA data hosting were not included in the scope of this audit.

CONCLUSION

No exceptions to the terms of the off-site data storage vendor contract were found. The manner in which the off-site data storage vendor is being utilized is consistent with ABOR and ASU policies and procedures.

AUDITOR

Lee T. Pettit, CPA, CISA