
Reporter 7: CHAPTER 2 - Auditing IT Governance Controls

Genesis Amor C. Alforque


Ateneo de Davao University
It 3

Assignment:
• What are the types of fire extinguishers? Which one is applicable to a computer center?
1. Water extinguishers - (not pictured and not found in laboratories) are suitable for class A
(paper, wood etc.) fires, but not for class B, C and D fires such as burning liquids, electrical
fires or reactive metal fires. In these cases, the flames will be spread or the hazard made
greater! Water mist extinguishers are suitable for class A and C; see below. Water
extinguishers are effective on pool chemicals provided that they are correctly stored away
from electrical hazards and equipment; see the blue box below for more on pool chemicals.
2. Dry chemical extinguishers - are useful for either class ABC or class BC fires (check the label)
and are your best all around choice for common fire situations. They have an advantage over
CO2 and "clean agent" extinguishers in that they leave a blanket of non-flammable material
on the extinguished material which reduces the likelihood of reignition. They also make a
terrible mess - but if the choice is a fire or a mess, take the mess! Note that there are two
kinds of dry chemical extinguishers:
A. Type BC fire extinguishers contain sodium or potassium bicarbonate.
B. Type ABC fire extinguishers contain ammonium phosphate.
3. CO2 (carbon dioxide) extinguishers - are for class B and C fires. They don't work very well on
class A fires because the material usually reignites. CO2 extinguishers have an advantage
over dry chemical in that they leave behind no harmful residue. That makes carbon dioxide a
good choice for an electrical fire involving a computer or other delicate instrument. Note that
CO2 is a bad choice for a flammable metal fires such as Grignard reagents, alkyllithiums and
sodium metal because CO2 reacts with these materials. CO2 extinguishers are not approved
for class D fires!
4. Metal/Sand Extinguishers - are for flammable metals (class D fires) and work by simply
smothering the fire. The most common extinguishing agent in this class is sodium chloride,
but there are a variety of other options. You should have an approved class D unit if you are
working with flammable metals.

Therefore, CO2 Extinguishers are most appropriate for computer centers.

• What are the different types of fire detection equipment? What are the different types of fire
suppression equipment?
Types of fire detection equipment:
1. Heat detectors - These devices are typically found in spots with fixed temperature, including
heater closets, small rooms, and kitchen facilities. They should not be installed in areas with
fluctuating ambient temperature. This is because the alarm on heat detectors is set to go off
if there is a rise in the temperature.
2. Flame detectors - As their name suggests, these detectors are used to detect flames. When
working properly, they detect fire nearly at the point of ignition. They are very useful for
buildings involved with hazardous processes, as well as gas and oil refineries and
manufacturing industries.
3. Smoke detectors - are designed to detect fires quickly.

Types of suppression equipment:


1. Fire Extinguishers
2. Fire Hoses
3. Fire Buckets
4. Flamezorb

• Group activity: Look for an establishment that has a computer center. Assess this computer
center using the 1) 2 controls of the physical location of the computer center and 2) 5 major
features of an effective fire suppression system. Make your opinion on your findings. Submit
your assessments and findings next week, Monday (MWF class) or Tuesday (TTH class).

Guide Questions:
1) What are the 6 areas of potential exposure on the physical environment of the computer
center?
The 6 areas of potential exposure on the physical environment of the computer center are
physical location, construction, access, air conditioning, fire suppression, and fault tolerance.

2) What are the 2 controls of the physical location of the computer center? What are the 2 risks if
the controls are not properly implemented?
The 2 controls of the physical location of the computer center are (1) the auditor should assess
the physical location of the computer center and (2) the facility should be located in an area that
minimizes its exposure to fire, civil unrest, and other hazards. The 2 risks of the physical location
of the computer center are destruction from natural and from man-made disasters.

3) What are the 5 control systems of the construction of the computer center?
The 5 control systems are first, the computer center should be located in a single-story building
of solid construction. Second, it should have a controlled access. Third, utility lines should be
underground. Fourth, the building windows should not open and lastly, an air filtration system
should be in place that is capable of extracting pollens, dust, and dust mites.

4) What are the 5 access controls for the computer center?


The 5 access controls for the computer center are (1) Physical controls, such as locked doors,
should be employed to limit access to the center. (2) Access should be controlled by a keypad or
swipe card, though fire exits with alarms are necessary. To achieve a higher level of security, (3)
access should be monitored by closed-circuit cameras and video recording systems. (4)
Computer centers should also use sign-in logs for programmers and analysts who need access to
correct program errors. (5) The computer center should maintain accurate records of all such
traffic.

5) Why is an air conditioning unit needed to be installed in a computer center?


An air conditioning unit needs to be installed in a computer center because it has been proven
that computers function best in an air-conditioned environment. Computers operate best in a
temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent.

6) What are the 2 factors to consider in operating the air conditioning units for the computer
center? What are the 2 risks if not properly implemented?
The 2 factors to consider in operating the air conditioning units for the computer center are the
temperature and the humidity. The 2 risks if these are not properly implemented are (1) Logic
errors can occur in computer hardware when temperatures depart significantly from this
optimal range and (2) the risk of circuit damage from static electricity is increased when
humidity drops. In contrast, high humidity can cause molds to grow and paper products (such as
source documents) to swell and jam equipment.

7) Why is fire considered the most serious threat to a firm’s computer equipment?

Fire is the most serious threat to a firm’s computer equipment. Many companies that suffer
computer center fires go out of business because of the loss of critical records, such as accounts
receivable.

8) What are the 5 major features of an effective fire suppression system?

1. Automatic and manual alarms should be placed in strategic locations around the installation.
These alarms should be connected to permanently staffed fire-fighting stations.
2. There must be an automatic fire extinguishing system that dispenses the appropriate type of
suppressant for the location.
3. Manual fire extinguishers should be placed at strategic locations.
4. The building should be of sound construction to withstand water damage caused by fire
suppression equipment.
5. Fire exits should be clearly marked and illuminated during a fire.

9) What is fault tolerance? What is the effect if there’s no fault tolerance technology installed in
a computer center?

Fault tolerance is the ability of the system to continue operation when part of the system fails
because of hardware failure, application program error, or operator error. Implementing fault
tolerance control ensures that no single point of potential system failure exists. Total failure can
occur only if multiple components fail.

10) In which events are the 2 fault tolerance technologies used? What problems are prevented
by these technologies?

1. Redundant arrays of independent disks (RAID). RAID involves using parallel disks that
contain redundant elements of data and applications. If one disk fails, the lost data are
automatically reconstructed from the redundant components stored on the other disks.
2. Uninterruptible power supplies. The equipment used to control these problems (total
power failures, brownouts, power fluctuations, and frequency variations) includes voltage
regulators, surge protectors, generators, and backup batteries. In the event of a power
outage, these devices provide backup power for a reasonable period to allow commercial
power service restoration. In the event of an extended power outage, the backup power will
allow the computer system to shut down in a controlled manner and prevent data loss and
corruption that would otherwise result from an uncontrolled system crash.
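The RAID description above says that when one disk fails, the lost data are reconstructed from the redundant elements on the other disks. The following is an added example (not part of the report, and not any vendor's RAID implementation) that shows the single-parity idea behind that claim: one parity block is the XOR of the data blocks, so any one missing block, data or parity, is the XOR of the survivors. It also shows the limit the report's fault-tolerance answer implies: with a single parity block, two simultaneous failures cannot be recovered. The stripe contents are constructed sample bytes.

```python
"""Single-parity stripe reconstruction (added example, constructed data)."""
from functools import reduce


def xor_blocks(blocks):
    """XOR equal-length byte strings together, byte by byte."""
    lengths = {len(b) for b in blocks}
    if len(lengths) != 1:
        raise ValueError("all blocks in a stripe must have the same length")
    return bytes(reduce(lambda x, y: x ^ y, column) for column in zip(*blocks))


def build_stripe(data_blocks):
    """Return data blocks plus one parity block (XOR of the data blocks)."""
    data_blocks = list(data_blocks)
    return data_blocks + [xor_blocks(data_blocks)]


def recover(stripe, failed_indices):
    """Rebuild a stripe after the disks at failed_indices are lost.

    Because XOR of every block (data and parity) is all zeros, the XOR of the
    surviving blocks equals the single missing block. Returns the full stripe,
    or None when more than one disk failed (unrecoverable with single parity).
    """
    failed = set(failed_indices)
    if len(failed) > 1:
        return None  # total failure: multiple components failed at once
    if not failed:
        return list(stripe)
    missing = failed.pop()
    survivors = [b for i, b in enumerate(stripe) if i != missing]
    rebuilt = list(stripe)
    rebuilt[missing] = xor_blocks(survivors)
    return rebuilt


if __name__ == "__main__":
    # Constructed sample: three data blocks representing records on three disks.
    stripe = build_stripe([b"acct", b"recv", b"able"])
    print("parity block:", stripe[3].hex())
    print("disk 1 rebuilt:", recover(stripe, {1})[1])
    print("two disks lost:", recover(stripe, {0, 2}))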

11) What are the 2 items that are the focus of the audit objectives pertaining to computer
center security? What is the audit objective for each item?

1. Physical security controls – that they are reasonably adequate to protect the organization
from physical exposures
2. Insurance coverage on equipment – that they are adequate to compensate the organization
for the destruction of, or damage to, its computer center

12) What are the 6 physical security controls to be tested?


1. Tests of Physical Construction
2. Tests of Fire Detection System
3. Tests of Access Control
4. Tests of RAID
5. Tests of Uninterruptible Power Supply
6. Tests for Insurance Coverage

13) What are the 2 items to be used as basis of testing the control for physical construction? Name
3 criteria to be used to test these 2 items.

a. Architectural plans – built of fireproof material, with adequate drainage
b. Physical location of the computer center

The criteria to be used to test these two items are: the computer center should be solidly
built of fireproof material, there should be adequate drainage under the raised floor to allow
water to flow away in the event of water damage from a fire and it should be located in an
area that minimizes its exposure to fire, civil unrest and hazards.

14) What are the 2 pieces of equipment to be the subject of testing of the fire detection system? Name the
criterion to be used to test the fire detection system. Name the way the auditor can obtain the
evidence that the criterion is being implemented.

a. Manual and automatic fire detection equipment


b. Manual and automatic fire suppression equipment
The fire detection system should detect smoke, heat and combustible fumes.
Evidence may be obtained by reviewing official fire marshal records of tests, which are stored at the
computer center.

15) Name the criterion to be used to test the access control in the computer center. Name 3 ways
the auditor can obtain evidence that the criterion is being implemented?

The criterion to be used to test the access controls is to establish that routine access to the
computer center is restricted to authorized employees. The auditor can obtain evidence that the
criterion is being implemented through reviewing the access log, observing the process by which
access is permitted, and reviewing videotapes from cameras at the access point.
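Question 4 mentions sign-in logs and question 15 names the access log as audit evidence that routine access is restricted to authorized employees. The following is an added example (not part of the report) of the kind of review an auditor could run over such a log: it parses constructed badge-reader lines, compares each granted entry against an authorized-employee list, and flags grants to unlisted badges or grants outside the hours when routine access is expected. The log format, badge numbers, door name and business hours are all assumptions made for the example.

```python
"""Review a computer-center access log against an authorized list (added example)."""
import re
from datetime import datetime

# Constructed sample log lines (assumed format: timestamp, badge, door, result).
SAMPLE_LOG = """\
2024-03-04 08:55:12 badge=1042 door=DC-MAIN result=GRANTED
2024-03-04 09:10:43 badge=1077 door=DC-MAIN result=GRANTED
2024-03-04 12:02:01 badge=2210 door=DC-MAIN result=GRANTED
2024-03-04 23:47:09 badge=1042 door=DC-MAIN result=GRANTED
2024-03-05 07:30:00 badge=3001 door=DC-MAIN result=DENIED
"""

# Constructed authorized list: badge number -> employee role.
AUTHORIZED = {"1042": "operator-a", "1077": "operator-b"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"badge=(?P<badge>\d+) door=(?P<door>\S+) result=(?P<result>\w+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        entry = match.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S")
        entries.append(entry)
    return entries


def review_access_log(text, authorized, business_hours=(7, 19)):
    """Return (timestamp, badge, reason) findings for granted entries that
    either belong to a badge not on the authorized list or fall outside the
    assumed business hours [start, end)."""
    start, end = business_hours
    findings = []
    for entry in parse_log(text):
        if entry["result"] != "GRANTED":
            continue  # denied attempts are not access; reviewed separately
        if entry["badge"] not in authorized:
            findings.append((entry["ts"], entry["badge"], "granted to badge not on authorized list"))
        elif not (start <= entry["ts"].hour < end):
            findings.append((entry["ts"], entry["badge"], "granted outside business hours"))
    return findings


if __name__ == "__main__":
    for ts, badge, reason in review_access_log(SAMPLE_LOG, AUTHORIZED):
        print(f"{ts:%Y-%m-%d %H:%M} badge {badge}: {reason}")
```

Each finding is a lead for the auditor to follow up with the other two evidence sources named in the answer: observing how access is granted and reviewing the camera recording for that time.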

16) Name the criterion to be used to test RAID installed in the computer center. Name 2 ways the
auditor can obtain evidence that the criterion is being implemented?

The RAID can be tested by reviewing the graphical mapping of their redundant disk storage. The
auditor should determine if the level of RAID in place is adequate for the organization, given the
level of business risk associated with disk failure.

17) Name the criterion to be used to test UPS installed in the computer center. Name the way the
auditor can obtain evidence that the criterion is being implemented.

The computer center should perform periodic tests of the backup power supply to ensure that it
has sufficient capacity to run the computer and air conditioning. The auditor can obtain evidence
by reviewing the record of the result of its periodic tests.

18) Name 2 criteria to be used to test insurance coverage on its computer hardware and physical
facility. Name the way the auditor can obtain evidence that the criteria are being
implemented?

The auditor should verify that all new acquisitions are listed on the policy and that obsolete
equipment and software have been deleted. The auditor can obtain evidence by reviewing the
insurance policy. The insurance policy should reflect management’s needs in terms of coverage.
