2. Introduction:
Pakistan Refinery was incorporated in Pakistan as a public limited company in May 1960 and is quoted on the Karachi and Lahore stock exchanges.
Its registered office is located at Korangi Creek Road, Karachi.
The company is engaged in the production and sale of petroleum products.
The design capacity of the refinery was 1 million tons of crude oil per annum, but was later increased to 2.1 million tons per annum.
The refinery is a hydro-skimming refinery and produces high speed diesel, furnace oil, motor spirit, naphtha, kerosene, jet fuels and liquefied petroleum gas.
3. Continued:
Its major customers are Shell, P.I.A and Chevron.
Board of Directors:
Chairman: Farooq Rahmatullah Khan
Managing Director & CEO: Aftab Husain
Company Information:
Chief Financial Officer: Imran Ahmad Mirza
Acting Company Secretary: Shehrzad Aminullah
Auditors: A. F. Ferguson & Co., Chartered Accountants
Audit Committee Members:
Babar H. Chaudhary
Faisal Waheed
Muhammad Najam Shamsuddin
Saleem Butt
4. Audit planning table:
Ranking | Audit Area | Time Frame | Last Checked | Responsibility
1 | Hacking and violation of data | 1 week | 2016 | IT consultant
2 | Physical access | 2 weeks | 2014 | Security department
3 | Data Centre operations | 8 days | 2015 | Data Centre Manager
4 | System resiliency | 4 days | 2015 | Data Centre Manager
5 | Power and electricity | 7 days | 2015 | On field manager
6 | Fire | 5 days | 2012 | Security department
7 | Environmental controls | 9 days | 2013 | On field manager
5. Risk Assessment and Audit Engagement
Risk Analysis:
Inherent Risk: It is defined as the risk that lies in the nature of the business.
Types of inherent risks:
1. Natural risk
2. Manmade risk
3. Power failure
6. Continued:
Control Risk: It is the risk that occurs due to absent or weak internal controls in the data center.
1. Weak security controls
Detection Risk: It’s the risk which the auditor can’t
predict.
1. Violation of data within confidential zone
7. Objectives:
To make sure that a data backup is available in case any destruction happens to the data center.
To check whether they are using proper security measures for physical access and whether there is proper segregation of duties for the data center.
To check that proper power and electricity backup is available and working properly.
Examining the availability of a proper fire extinguisher system and its effectiveness.
Examining the proper cooling system of the data center computers.
8. Scope:
TIME FRAME:
From 14 February to 19 April.
Divide our tasks properly to meet the goal of auditing the data center.
PLACE OF EXECUTION:
Data center
Security measures of the data center
The proper cooling system of data center room
Proper segregation of duty
Proper fire control measures
9. Constraint:
WORKING HOUR CONSTRAINT:
Working hours were from 9am to 5pm; after that the office in Korangi was closed and we could not get information.
EMPLOYEE RELUCTANCE:
Fear of losing their jobs was also a constraint, and because of it employees did not share information.
10. Continued:
PRESENCE OF AN EMPLOYEE WHEN WE AUDIT DATA CENTER:
While we accessed the data center and checked the measures that protect it, ranging from fire, power and electricity, and physical access to the cooling system, an employee was always present with us and never left us alone to audit the data center independently.
CONFIDENTIAL CONSTRAINT:
Employees will maintain confidentiality when asked about the data center.
11. Compliance and Criteria:
The criteria of our audit plan will be on the following points:
Audit according to ISO rules
Inform P.R.L. about the objectives
Security of the organization data center
Free from any personal liking and disliking
Confirm data center is properly secured
Proper data backup system present
Proper training of guards
Proper cooling system
12. Approach:
Q: What does our project approach cover?
Physical access control
Data Center operations
Power and electricity
Fire suppression
Environmental controls
System resiliency
Hacking and violation of data
13. Checklist:
What does the checklist cover?
Fire control
Physical access
Capability of data center personnel
Authenticity of personnel working for data center security
Testing of environmental control
Testing of power and electricity
Data backup availability
System resiliency
Hacking and violation of data