I have been assigned to audit our data center. What are the things that I need to check and verify for compliance? Do I have to work on security? With regard to networking, can I audit the design of the LAN?
Now there's a good question. If the application is part of your process and you can't verify the results later, I'd say yes... Didn't think about that.
You'll somehow have to make certain that the application interacts with the rest of the process in the intended way. It's no different from when you buy a machine and hook it up in a production line...
A company may have any/all of the following:
- Number of MS Office and CAD installations
- Some ERP software such as SAP
- Company-wide intranet / Knowledge Management System / LotusNotes
- One or just a few seats each of many smaller software packages (e.g. Calibration Management System)
It would be a daunting task validating these things! How does one go about it?
I'm skating on thin ice here. (Honestly, just trying to get a grip on this myself - please, someone grab me if I'm heading for open water).
In the examples you mentioned I'd think it's a simple (is it?) matter of installing the stuff and seeing if it works. Then, as long as nothing is altered I guess the validation would stay valid?
What I was thinking of was something like software for running production machinery or something similar... I suppose the only way to validate that would be to systematically put the relevant commands through it and see if you get the intended reaction in the other end.
Well, I think I may add some audit stuff that you might want to look at:
- computer hardware inventory list?
- multiple network interfaces in Windows or in Linux (as its operating system)?
- disaster recovery plan? (as in how would they recover lost files)
Thank you for adding up, it's great to have your answers to the questions...
I had some follow-up questions:
Is a machine history needed for each workstation? How about an OCAP (Out-of-Control-Activity Plan)? Can I require them by using the clause under Continuous Improvement? How about FMEA?
Awwwww... (blushing). I bet you say that to all computer freaks. Thanks, Raffy.
Just be sure to note that I'm thinking this through as I'm answering, thereby without a doubt missing things... I'll be using this stuff myself next time I audit our computer jockeys. A discussion here is good for the old creativity.
Machine history for each work station? I wouldn't know. That must depend on what your local procedures say.
OCAP? That could certainly fall under preventive action, and if you keep it updated, for instance by using FMEA, it should prove useful for continual improvement too (you could improve what's possible to improve and stuff the impossible into the contingency plan). As before it's down to what your procedures say, but losing your network even temporarily could be disastrous, so a contingency plan would be a good idea for anyone. I think it should fall under clause 4.2.