System Audit Report: NCRA Data Centre Systems and Security.

Documents details: Audit report on Age, security, vulnerability, and risk issues
Author: Damilare Merotiwon. & Edemah John
Date: 14 July 2022.

EXECUTIVE SUMMARY:
1 .1 INTRODUCTION

As part of the 2022/23 Internal Audit of the 'Data centre operations and security were carried out.

The objective of this review is to evaluate the condition of the data centre and identify the needs to be corrected.

 Data centre policies and procedures are defined, documented, and communicated for all key functions,
 Systems are secured to prevent unauthorised access (including 3rd party access).
 Access to the data centre is monitored and reviewed, and access rights are periodically reviewed.
 Data centre has a duplicate site as site 2 for redundancy and disaster recovery.
 Servers, storage, switches, and laptops are patched, monitored, and upgraded to close vulnerabilities as identified by the OEM.
 Data transferred off site is secured at all times and appropriate controls are in place to monitor the location of the data.
 Environmental controls are present to protect the servers from fire, electrical and water damage. Floor is designed/raised to
manage cabling within the data centre.
 The current data centre design is inadequate and dangerous to equipment and storage functionality. Wrong cooling positioning,
inadequate cooling intensity, security doors and windows removal.
 Environmental equipment is routinely maintained in line with manufacturer recommended schedules; and
 Backup electricity supplies are in place to ensure systems and services are not affected in the event of a power outage.

Ref. Priority Findings Risk Arising/ Recommendation Management Response

Consequence
Lack of Backup Policy In the absence of a We recommend that the The Computer Room Policy and description
and Procedures documented backup Computer Room policy is of the data back-up and restore service are
policy and procedure, expanded to include the done into external HDD which have never
All servers and
High there is an increased backup cycle, backup transit been tested and are old inconsistent data.
applications are not
risk that backups are and storage arrangements. Last known backup of some DB data was
backed up. This was
not performed in line A disaster recovery done in Dec. 2021
also not included in
with ICT's infrastructure should be
the architecture
requirements. This implemented.
design of the
may result in the loss
infrastructure hence
of data, interruption
possess a single point
of ICT services and
of failure
operational
difficulties.
Advertently, cause a
complete disruption of
service
2 Excessive access to Unauthorised/ The access to all computer There has been no implementation of access
Computer Room inappropriate rooms should be restricted to restriction from the implementation stage of
ICT persons with a
physical access to the the server room.
On inspection of the secondment to perform their
access procedure to the computer room may responsibilities
data centre/server result in accidental
High room, we noticed that or malicious damage
there is no form of

TECHNOLOGY CARE LIMITED………A dell partner and enterprise infrastructure solutions

support/administration.
Coverage: west African countries.
 restrictions aside the to ICT equipment The access list should be
biometric door lock resulting in loss of reviewed by management on
and once this is
data and a regular basis to ensure that
opened, the data centre
is accessible to interruption of ICT the access granted is valid.
everyone at all times. services and Proof of the review should be
operational maintained.
difficulties.
Also considering the
sensitivity of data
stored in this
infrastructure and its
importance to the
nation’s civil and
political
aspiration/ambitions,
unauthorized entry
can jeopardize the
data integrity if a
malicious person
gains access.
3 Power issues in the Data Un-redundant power An independent power Environment setup was done without
centre. configuration in the supply should be technical considerations and proper spec.
implemented.
datacentre causes and monitoring hence the lapses.
We observed that all
power sources are system failures and
unclean and non- inevitably data loss. 1. Source A should be
redundant. Consistent failing power GRID supply
parts of the device through a
High occurring due to UPS/stabilizer and fed
to the line A o f the
inconsistent power server rack.
fluctuation and loss. 2. Source B should be an
independent supply
from an inverter source
capable of sustaining
the infrastructure for an
extended time till main
power is restored in the
invent of a power
failure from the main
Grid.
3. Each server having two
PSU should be
connected to source A
and B independently.

4 Age of servers and A server at EOL Servers should all be

criticality of its present (End of life and changed immediately and
condition. redesigned to avoid the
support) state is a
inevitable disaster, failure of
From an architecture security risk of the system and complete loss
point of view, the servers elevated level to of data.
High in the infrastructure are at every data it houses.
EOL and EOSL. The server is
vulnerable to attacks
and intrusion. A
malicious access to
the infrastructure
will compromise the
integrity and
accuracy.

TECHNOLOGY CARE LIMITED………A dell partner and enterprise infrastructure solutions

support/administration.
Coverage: west African countries.
5 Operating system This is severity 1 A KMS server should be
activation risk, an un-activated designed, and Microsoft
enterprise license bundle
windows OS running
All systems are not installed to activate all
activated genuine. on workstations and systems on the domain.
servers leaves the
High system vulnerable to
hackers to steal data Only licensed application
and corrupt data should be installed to avoid
creating a backdoor to
with malicious hackers from free software
intent. and un-licensed applications.

6 Operating system This is a severity A patch management system

upgrade and security level 2 risk. should be designed
patch management. immediately to manage the
A server and laptop
systems and monitor them
without the latest for updates and
High bug fix, patch and vulnerabilities.
security update is
open to hackers to
access. Examples of this are: SCCM
(system configuration centre
Considering the and management), Manage
value of data housed engine.
in this
infrastructure, it is
incredibly important
to protect the
systems.
7 Support, management Due to the nature of A contract should be signed
and monitoring of information housed with a skilled support
infrastructure and estate company or person with deep
in this
understanding in the estate
High infrastructure/data and ability to implement
centre, it is fixes when needed. This
imperative that the contract should include
system is monitored hardware replacement parts
for impending shipment and support,
monitoring and 1st, 2nd, and
failures and have a 3rd level support for the
support contract in infrastructure (servers and
place to replace, fix storage), in the event of a
and manage issues as specialist requirement, the
they arise. OEM will be contacted for
assistance.

8 External/local purchase Severity level of this We strongly advise that an

of servers without is 0, this is the account is created with
warranty and support DELL during purchase from
highest in the
from DELL. the partner to enable a
industry. Because of disaster level support and
the importance of warranty service contract.
High this data, a non-
accredited purchase
especially not in the
name of the entity
NCRA can be
compromised before
purchase.
9 Temperature of the data This is a severity 0. The windows should be
centre, windows, and removed and replaced with a
access doors. For a data centre or wall. The cartons should be
server room, the removed and cleaned to
We observed that the A/C recommended reduce dust in the
High is placed at the back of temperature range environment. ACs should be
the servers and is 18-27°C (64-80°F). placed in the cold Isle which
temperature is always This is an optimal is in front of the server and
below standard, also the temperature range not behind which is the hot
environment is dusty and that provides both a Isle to enable optimal
packed with cables, cool environment for performance of the servers
desks, boxes, and cartons. critical servers, other and its components.
specific electronic
devices (including UPS
batteries) and the

TECHNOLOGY CARE LIMITED………A dell partner and enterprise infrastructure solutions

support/administration.
Coverage: west African countries.
 engineers / technicians
who work there

10 Infrastructure redundancy. This is a severity 0. There should be a primary

and a secondary
We observed that there is In the event of a infrastructure to support the
no disaster recovery site downtime due to any availability of the service
for the current number of reasons, rendered to the nation by
infrastructure setup. The there should be a site 2 NCRA. In order to keep the
primary site is less ready (secondary) which can country running at all sectors
High and incapable of continue the processes without a service downtime
sustaining an always-on on the primary hence and on-access
(zero downtime) keeping the services synchronization with the
availability. available without a NIN generating platform for
downtime. verification and
sustainability of port and
The current border services, a second
infrastructure is a infrastructure with like
single point of failure configuration and
and a non-negotiable architecture should be made
redundancy needed. available to replicate the data
for live-access in the invent
of a failure or maintenance
activity on the primary site.

11 Skills and knowledge: This is a category 2 A level of training can be

severity since it can be conducted to upskill a front-
We observed that there outsourced for better end person to skill level 0,
are no infrastructure management and skill enabling him to take
engineers, server compatibility. As instructions and execute
specialists or support highlighted in item No. carefully upon a remote
High senior level within the 7 above. initiated support task from
current team setup skilled the support contract entity.
in the wide range of
systems within the
network to manage,
support and monitor.

12 Sustainability and This is category 1 A routine remote support

management. severity in the invent should be established for
of failed contracts or contractual management,
unavailability of also a quarterly or monthly
immediate contact for onsite visit can be suitable to
High We noted that there isn’t a disaster, a continuity further ensure that the ICT
a sustenance structure in service contract is team familiarize themselves
place, i.e., continuity of recommended to avert and become a complete team
service plan for both the possibility of the with the contracted
solution and previous happening entity/person.
infrastructure. that lasted for almost a
month before
resolution. This should cut across the
physical infrastructure, data
This contract is centre, virtual configured
advised to be focused architecture support to the
on specialty and skill application/solution used.
availability for the
application/solution in
use as well as the The above will provide
infrastructure. opportunities for
improvements and
innovation to further create a
seamless system of
registration and operation for
the office of the NCRA.

Storage Array Details recommendations:

This is recommended for virtualization nodes

TECHNOLOGY CARE LIMITED………A dell partner and enterprise infrastructure solutions

support/administration.
Coverage: west African countries.
 Present hard model
DELL Power vault MD3200
DELL Power vault MD1200
DELL Power vault MD1200
DELL Power vault MD1200
DELL Power vault MD1200
DELL Power vault MD1200
Hardware model and age Recommendation Replacement
BIOS, iDrac, HDD, controller 1 & 2 firmware & OS = 8yrs Dell EMC VxRail x1
∞ ∞
∞ ∞
∞ ∞
∞ ∞
∞ ∞

Server Details and recommendations:

This is recommended for virtualization nodes
Present hard model x 9
Dell PowerEdge R720
Dell PowerEdge R720
Dell PowerEdge R720
Dell PowerEdge R720
Dell PowerEdge R720
Dell PowerEdge R720
Dell PowerEdge R720
Dell PowerEdge R720
Dell PowerEdge R720
Hardware model and age recomme
ndation
BIOS, iDrac, HDD, controller 1 & 2 firmware & OS = 8yrs Dell PowerEdge R6525 or R740s x3
∞ ∞
∞ ∞
∞ ∞
∞ ∞
∞ ∞
∞ ∞
∞ ∞
∞ ∞

Summary:
The NCRA data centre and systems in view have been defined and confirmed to be a single point of failure with no sustenance structure for
both solution and physical infrastructure. This is excluding the dangers of a data loss and theft, the current infrastructure was confirmed
implemented after it has reached EOL and EOSL (end-of-life and end-of-support-life) however, it is imperative to note that the entire
country depends on the data housed and generated in this system, as such a threat to it is a direct threat to the country Sierra Leone.

The current running infrastructure was purchase out of range, this means that it is not recognised under any possible contract or name of
NCRA hence support in any form is impossible for the OEM, this is a RED flag and complete breech of standards in conformity with the
information and data protection laws in technology and the world.

Several solutions have been advised and will be re-iterated below:

a. A contract for support on hardware replacement, solution support and infrastructure support should be signed urgently.
b. A technology refresh should commence immediately to balance the scale and return the environment to a minimum level of
sanity.
c. Power should be addressed immediately, failure to do this can result in DATA Loss before the replacement/refresh of
infrastructure is implemented. A power supply 1 and 2 from distinct sources are compulsory to ensure longevity of systems.
d. Vulnerabilities, all systems should be designed to follow a periodically upgrade and patch cycle. This should be documented and
approved before and after implementation on a monthly or quarterly bases as agreed by the management. It is most important to
note that this should be a monthly activity as the cyber-crime world never goes to sleep, so should the gatekeeper never slumber.
e. To foster sustainability and stability in the system, a handshake between all support entities and the process document should be
created and collaboration with the current in-house team for optimal performance and reach.

TECHNOLOGY CARE LIMITED………A dell partner and enterprise infrastructure solutions

support/administration.
Coverage: west African countries.