
Scope Area | Risk Name | Key Controls
A. Policies & Procedures Risk
Key Controls:
1. Formal policies and procedures exist for all relevant aspects of the department.
2. The policies and procedures are reviewed annually.

B. Human Resources Risk
Key Controls:
1. Formal policies and practices designed to enhance recruiting and development activities.
2. A formal succession planning process is in place.
3. Formal job descriptions (JDs) exist.
4. A formal job rotation program helps ensure sufficient cross-training of personnel.
5. Training of new employees is formalized.

C. Change Control Risk
Key Controls:
1. A formal change management process exists to request, approve, test, and implement changes in the datacenter.
2. A test environment exists.

D. Monitoring Risk
Key Controls:
1. Existence of monitoring applications, servers, and infrastructure.
2. Procedures outlining who should review reports generated from monitoring applications, servers, and infrastructure.
3. When issues arise during monitoring, a protocol exists to troubleshoot and resolve problems.

E. Backup and Recovery Risk
Key Controls:
1. Formal backup and recovery procedures.
2. Frequent tests of backup media.
3. Regular and scheduled backups.
4. Documentation outlining the status of backups.
5. Monitoring of backup and recovery processes (applicable if not covered by the monitoring section).

F. Environmental Controls Risk
Key Controls:
1. Regular testing of controls based on the company's required environmental controls.
2. Maintenance plans are implemented and conducted for HVAC and fire suppression systems.

G. Physical Security Risk
Key Controls:
1. Access security cards and keypad combinations are restricted to department personnel.
2. Periodic review of access to key areas, or of who has access to combinations or keys for key areas.
3. Keys to sensitive areas are retrieved from individuals who no longer need access.
4. All personnel, contractors, and third parties who require access to key IT processing areas are approved by appropriate levels of management.

H. Infrastructure Risk
Key Controls:
1. Battery backup or UPS equipment is checked periodically to ensure it has adequate capacity and is tested according to manufacturer specifications.
2. Hardware is installed per manufacturer recommendations.
3. Power and cabling are appropriately installed and managed.

I. Asset Management Risk
Key Controls:
1. Documented procurement procedures exist.
2. Proper authorization is required for acquiring, changing, or removing assets.
3. Documented maintenance procedures exist for assets.
4. Adequate insurance policies are in place for assets under data center control.

J. Vendor Contract/Performance Risk
Key Controls:
1. Management sign-off.
2. Contract and SLA for all vendors.
3. Formal process to monitor whether vendors are consistently complying with performance expectations.
4. Clear clauses in the contract or SLA that address performance expectations.

K. Incident and Problem Management Risk
Key Controls:
1. Formal incident management process.
2. Generation of incident management reports.
3. Review of incident management reports by management.

L. Performance Measurement
Key Controls:
1. Service level agreements exist and are periodically reviewed by management.
2. Management measures SLAs and takes appropriate action when necessary.

M. Telecommunications Risk
Key Controls:
1. A suitable telecom infrastructure is in place to ensure that single points of failure are avoided.
2. Proper failover procedures are documented to ensure fallback or failover processes are implemented.
