DENVER – Denver’s Technology Services agency isn’t keeping a complete inventory in its data centers housing critical technology infrastructure, and the city needs to improve environmental and location risks for its data centers to better protect the city’s resources, according to a new audit from Denver Auditor Timothy M. O’Brien, CPA.
Data centers house critical assets including servers, routers and other devices. Technology Services for the city and the Business Technologies Division of Denver International Airport are each responsible for a primary and secondary data center.
The secondary data center building for the city was never meant to be a data center at all. Data centers must have proper standards to prevent and detect both water leaks and changes in temperature and humidity. While there, the team found water damage, as seen in this picture; plywood in the walls, which poses a fire hazard and structural concerns; and plants engulfed outside electrical and data lines.
The city’s primary data center has good environmental safeguards in place. However, both the city’s and the airport’s primary and secondary data centers are too close together, placing them at the same risk of being affected by environmental factors, such as snowstorms.
The audit recommends the city continue moving its secondary data center facility to a better-built building and to a location farther away from the primary data center. The city agrees with this recommendation and is already looking into cost-effective options.
The audit team also found the city is not keeping track of all the equipment in the data centers, such as some servers and mainframes. Auditors requested a complete inventory, and after several attempts, they received only an incomplete list. Without a complete and up-to-date inventory, the process of maintaining and operating a data center is much more difficult. This means Technology Services might not know what devices are on its network, and there could be a risk the devices are not updated, leaving the network vulnerable.
“Secure network infrastructure is critical to the operation of our city’s government,” Auditor O’Brien said. “Protecting our network should be a top priority.”
Auditor O’Brien also recommends that Technology Services and Business Technologies should keep better track of how much the city and airport are spending to protect and maintain the city’s data and technology. The audit team found neither Technology Services nor the airport’s Business Technologies Division track the full cost of operating their data centers. Without the ability to understand and quantify the cost, it is impossible for the city and the airport to make good management decisions. The city could be spending more than it realizes, and it might not be making sound business decisions based on cost-benefit analyses.
Technology Services and the airport’s Business Technologies Division also need to do a better job of working together to share useful tools and information, as well as applying consistent operating standards at all locations.
“Many of the city’s and airport’s efforts to protect and maintain our data centers are working well,” Auditor O’Brien said. “And we could be even more efficient if the two entities worked more closely together to share tips, tools and expertise.”
By addressing data center locations and weak environmental controls, by improving ongoing software application reviews, and by implementing cost accounting practices, Technology Services and Business Technologies can improve their data center operations.
The audit team also identified several security-related findings, and our conclusions were communicated separately to management of Technology Services and Business Technologies for their remediation.