METROPOLITAN DAYTON EDUCATIONAL COOPERATIVE ASSOCIATION (MDECA) MONTGOMERY COUNTY SERVICE ORGANIZATION CONTROLS REPORT (SOC 1)
APRIL 1, 2014 THROUGH MARCH 31, 2015
TABLE OF CONTENTS

INDEPENDENT SERVICE AUDITOR'S REPORT
SERVICE ORGANIZATION'S ASSERTION
DESCRIPTION OF THE SERVICE ORGANIZATION'S SYSTEM
    CONTROL OBJECTIVES AND RELATED CONTROLS
    OVERVIEW OF OPERATIONS
    RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT AND MONITORING
        Control Environment
        Risk Assessment
        Monitoring
    INFORMATION AND COMMUNICATION
    GENERAL COMPUTER CONTROLS
        Development and Implementation of New Applications and Systems
        Changes to Existing Applications or Systems
        IT Security
        IT Operations
    COMPLEMENTARY USER ENTITY CONTROLS
INDEPENDENT SERVICE AUDITOR'S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS
    GENERAL COMPUTER CONTROLS
        Changes to Existing Applications and Systems
        IT Security
        IT Operations
OTHER INFORMATION PROVIDED BY THE SERVICE ORGANIZATION (Unaudited)
    Information Technology Center Profile
Independent Service Auditor's Report on a Description of a Service Organization's System and the Suitability of the Design and Operating Effectiveness of Controls

Board of Directors
Metropolitan Dayton Educational Cooperative Association (MDECA)
225 Linwood Street
Dayton, OH

To Members of the Board:

Scope

We have examined MDECA's accompanying Description of its Alpha /466 system used for processing transactions for users of the Uniform School Accounting System (USAS), Uniform Staff Payroll System (USPS), and School Asset Accounting System/Equipment Inventory Subsystem (SAAS/EIS) throughout the period April 1, 2014 to March 31, 2015 and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the Description. The Description indicates that certain control objectives specified in the Description can be achieved only if complementary user entity controls contemplated in the design of MDECA's controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls. The MDECA uses the State Software Development Team (SSDT) located at the Northwest Ohio Computer Association (NWOCA) service organization for systems development and maintenance of the USAS, USPS, and SAAS/EIS application systems. The Description in section 3 includes only the controls and related control objectives of the MDECA and excludes the control objectives and related controls of the NWOCA. Our examination did not extend to controls of the NWOCA.

Service organization's responsibilities

In section 2, MDECA has provided an Assertion about the fairness of the presentation of the Description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the Description.
MDECA is responsible for preparing the Description and for the Assertion, including the completeness, accuracy, and method of presentation of the Description and the Assertion, providing the services covered by the Description, specifying the control objectives and stating them in the Description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the Description.

Service auditor's responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the Description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the Description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the Description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the Description throughout the period April 1, 2014 to March 31, 2015.
An examination of a Description of a service organization's system and the suitability of the design and operating effectiveness of the service organization's controls to achieve the related control objectives stated in the Description involves performing procedures to obtain evidence about the fairness of the presentation of the Description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the Description. Our procedures included assessing the risks that the Description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the Description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the Description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the Description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described in section 3. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion. The information in section 5 describing the information technology center is presented by the management of MDECA to provide additional information and is not part of the MDECA's Description of controls that may be relevant to a user entity's internal control. Such information has not been subjected to the procedures applied in the examination of the Description of the controls applicable to the processing of transactions for user entities and, accordingly, we express no opinion on it.
Inherent limitations

Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the Description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become inadequate or fail.

Opinion

In our opinion, in all material respects, based on the criteria described in MDECA's Assertion in section 2,
a. the Description fairly presents the system that was designed and implemented throughout the period April 1, 2014 to March 31, 2015;
b. the controls related to the control objectives stated in the Description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period April 1, 2014 to March 31, 2015 and user entities applied the complementary user entity controls contemplated in the design of the MDECA's controls throughout the period April 1, 2014 to March 31, 2015;
c. the controls tested, which together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the Description were achieved, operated effectively throughout the period April 1, 2014 to March 31, 2015.

Description of tests of controls

The specific controls tested and the nature, timing, and results of those tests are listed in section 4.
Restricted use

This report, including the Description of tests of controls and results thereof in section 4, is intended solely for the information and use of MDECA, user entities of MDECA's system during some or all of the period April 1, 2014 to March 31, 2015, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities' financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.

Dave Yost
Auditor of State
Columbus, Ohio
May 28, 2015
Management Assertion Letter

We have prepared the description of the MDECA Alpha /466 system for user entities of the system during some or all of the period April 1, 2014 to March 31, 2015, and their user auditors who have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities of the system themselves, when assessing the risks of material misstatements of user entities' financial statements. We confirm, to the best of our knowledge and belief, that a) the Description fairly presents the Alpha /466 system made available to user entities of the System during some or all of the period April 1, 2014 to March 31, 2015 for processing their transactions. The MDECA service organization uses the State Software Development Team (SSDT) located at the Northwest Ohio Computer Association (NWOCA) service organization for systems development and maintenance of the USAS, USPS, and SAAS/EIS application systems. The Description includes only the controls and related control objectives of the MDECA service organization and excludes the control objectives and related controls of the NWOCA service organization. The criteria we used in making this assertion were that the Description i) presents how the System made available to user entities was designed and implemented to process relevant transactions, including 1) the classes of transactions processed. 2) the procedures, within both automated and manual systems, by which those transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports presented to user entities of the System. 3) the related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports presented to user entities of the System.
4) how the System captures and addresses significant events and conditions, other than transactions. 5) the process used to prepare reports or other information provided to user entities of the System. 6) specified control objectives and controls designed to achieve those objectives. 7) other aspects of our control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the System. ii) does not omit or distort information relevant to the scope of the System, while acknowledging that the Description is prepared to meet the common needs of a broad range of user entities of the System and the independent auditors of those user entities, and may not, therefore, include every aspect of the System that each individual user entity of the System and its auditor may consider important in its own particular environment.

METROPOLITAN DAYTON EDUCATIONAL COOPERATIVE ASSOCIATION, 225 LINWOOD STREET, DAYTON, OH
b) the Description includes relevant details of changes to the service organization's System during the period from April 1, 2014 to March 31, 2015. c) the controls related to the control objectives stated in the Description were suitably designed and operated effectively throughout the period April 1, 2014 to March 31, 2015 to achieve those control objectives and subservice organizations applied the controls contemplated in the design of MDECA service organization's controls. The criteria we used in making this assertion were that i) the risks that threaten the achievement of the control objectives stated in the Description have been identified by the service organization; ii) the controls identified in the Description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the Description from being achieved; and iii) the controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority.

Dean A. Reineke, Executive Director
SECTION 3 DESCRIPTION OF THE SERVICE ORGANIZATION'S SYSTEM

CONTROL OBJECTIVES AND RELATED CONTROLS

The MDECA's control objectives and related controls are included in Section 4 of this report, Independent Service Auditor's Description of Tests of Controls and Results, to eliminate the redundancy that would result from listing them here in Section 3 and repeating them in Section 4. Although the control objectives and related controls are included in Section 4, they are, nevertheless, an integral part of the MDECA's description of controls.

OVERVIEW OF OPERATIONS

The MDECA is one of 21 governmental computer service organizations serving more than 973 educational entities and million students in the state of Ohio. These service organizations, known as Information Technology Centers (ITCs), and their users make up the Ohio Education Computer Network (OECN) authorized pursuant to Section of the Revised Code. Such sites, in conjunction with the Ohio Department of Education (ODE), comprise a statewide delivery system to provide comprehensive, cost-efficient accounting and other administrative and
instructional computer services for participating Ohio entities. Funding for this network and for the MDECA is derived from the state of Ohio and from user fees. ITCs provide information technology services to school districts, community charter schools, JVS/career & technical, educational service centers (ESCs) and parochial schools; however, not all entities subscribe to the same services. Throughout the remainder of the report, the term user entity will be used to describe an entity which uses one or more of the following applications: Uniform School Accounting System (USAS); Uniform Staff Payroll System (USPS); School Asset Accounting System/Equipment Inventory Subsystem (SAAS/EIS). ITCs are organized as either consortia under ORC or Council of Governments (COG) under ORC 167. ORC allows for school districts to create a partnership (a consortium) to resolve mutual needs. One of the members of the consortium is designated as fiscal agent. The fiscal agent provides all accounting, purchasing, and personnel services for the consortium. A COG under ORC chapter 167 allows for one or more governmental entities to join together to form a new legal entity. A COG can have its own treasurer, make its own purchases, hire staff, and have debt obligations. The MDECA is organized as a consortium and is thus required to have a board of education to serve as fiscal agent to receive OECN funds from the ODE. For this reason, the Montgomery County Educational Service Center (ESC) serves as fiscal agent for the MDECA and performs certain functions that might otherwise be performed by the board of directors.

RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT AND MONITORING

Control Environment

Operations are under the control of the executive director and the operating committee. Its members are appointed by the MDECA board of directors.
The operating committee meets monthly, with the exceptions of May and July, and is responsible for assisting the executive director in day-to-day operations and planning the short and long-range goals of the organization. The board of directors is the governing body of the MDECA and is composed of seven superintendents from the user entities within the four counties. The board is required to meet at least quarterly, with additional meetings as necessary. The board has also established several advisory committees to assist in the operation of the MDECA. The MDECA employs a staff of 21 individuals and is supported by the following functional areas:
Software Support: Provides end user support and training for MDECA user entities for the state software applications, including USAS, USPS, and SAAS/EIS.
Computer Operations: Provides a variety of educational technology services to subscribing MDECA user entities including software and Internet access, training, technology planning, and technical assistance.
Network Support: Supports the MDECA computer systems and its networked communication system. Provides user training and support.
Staff members report directly to the managers of each of the functional areas, who in turn report to the executive director.
The MDECA is generally limited to recording user entity transactions and processing the related data. User entity personnel are responsible for authorization and initiation of all transactions. Management reinforces this segregation of duties as a part of its new employees' orientation process, through on-the-job training, and by restricting employee access to user data. Changes to user entity data are infrequent; however, when they do occur the MDECA must receive either an e-mail or a phone call from the user entity requesting the change. MDECA retains a log and allows only authorized MDECA employees to make the changes to user data. Only experienced MDECA staff may alter user data and only at the request of the user entity. The MDECA follows the same personnel policies and procedures as their fiscal agent, the Montgomery County ESC. When necessary, additional MDECA policies have been developed and approved by the board of directors to address concerns of the MDECA. Detailed job descriptions exist for all positions. The MDECA is constantly re-evaluating its need for personnel to provide for the increasing range of services provided and to foster efficiency within its organization. The reporting structure and job descriptions are periodically updated to create a more effective organization. Employee evaluations are conducted on an annual basis. The board performs an annual evaluation of the executive director. The MDECA hiring practices place an emphasis on the hiring and development of skilled information technology professionals. Most positions within the organization require some type of college degree in a computer-related field, and all the MDECA staff members are required to attend professional development and other training as a condition of continued employment.
Each staff member must attend at least twenty hours of approved professional development training annually, and part-time staff member training requirements are prorated. In addition, management encourages staff members to obtain additional training by paying 100% of incurred costs in attending additional professional development seminars. The MDECA is also subject to ITC Site Reviews by the Technology Solutions Group of the Management Council of the Ohio Education Computer Network (MCOECN) (mc tsg). These site reviews are conducted by a team consisting of an employee of the Ohio Department of Education (ODE), two current and/or former school district administrators, two current and/or former ITC Directors, and one additional team member to provide training to subsequent teams. Approximately three to five ITC site reviews are conducted annually. The sites chosen for review are designated by the OECN Oversight Advisory Committee as approved by ODE. The guidelines and recommended procedures for these reviews are based on the Ohio Administrative Code, which cover the following areas: governance, administration, finance, personnel and staff development, physical facilities, hardware, software, user in-service, and operations. MDECA's ITC site review was completed in April. The MDECA has signed Service Level Agreements (SLAs) with their user entities for certain computer, data processing, and application services. The SLA conveys to its user entities the services provided by the MDECA. The user entities agree to pay a fee based upon a fee schedule set forth by the governing board and they agree to abide by the security policies implemented by the MDECA. These SLAs have been in effect since July 1, 2009, and will remain in effect until terminated in writing by either the user entity or the MDECA.
Risk Assessment

Although the MDECA does not have a formal risk management process, the board of directors comprises representatives from the user entities who actively participate in the oversight of the MDECA. As a regular part of its activity, the board addresses:
New technology.
Realignment of the MDECA organization to provide better service.
Personnel issues, including hiring, termination, and evaluations.
Additional services provided to user entities and other entities.
Changes in the operating environment as a result of ODE requirements, Auditor of State (AOS) and other accounting pronouncements, and legislative issues.
In addition, the MDECA has identified operational risks resulting from the nature of the services provided to the user entities. These risks are primarily associated with computerized information systems. These risks are monitored as described under Monitoring below and in additional detail throughout the General Computer Controls section of this report.

Monitoring

The MDECA organization is structured so that managers of each department report directly to the executive director. Key management employees have worked for MDECA for several years and are experienced with the systems and controls at the MDECA. The MDECA executive director and supervisory personnel monitor the quality of internal control performance as a routine part of their activities. Hardware, software, network performance, database integrity, Internet usage, computer security and user help desk reports are monitored on an ongoing basis by departmental management. Some of these reports are automatically run through a scheduler program and sent to management via e-mail. Exceptions to normal processing related to hardware, software or procedural problems are logged and resolved daily.
In addition, the executive director and the manager of systems and operations receive the same reports and monitor them for interrelated and recurring problems.

INFORMATION AND COMMUNICATION

The aspects of the information and communication component of internal control as they affect the services provided to user entities are discussed within the General Computer Controls sections.
GENERAL COMPUTER CONTROLS

Development and Implementation of New Applications and Systems

The MDECA staff does not perform system development activities. Instead, the MDECA utilizes the software developed and supplied by the State Software Development Team (SSDT), located at the Northwest Ohio Computer Association (NWOCA), another ITC of the OECN. The Ohio Department of Education (ODE) determines the scope of software development for state-supported applications. Tactical means of accomplishing software development priorities are determined by the Software Advisory Committee (SAC), which consists of members from the Management Council of the OECN (MCOECN), the Ohio Association of School Business Officials, the ODE and the SSDT. The SAC meets as needed to monitor SSDT projects and provide feedback on project priorities.

Changes to Existing Applications and/or Systems

End users have access to the SSDT website that contains user and technical documentation for the applications. Specific support issues or questions can be communicated to the SSDT via helpdesk software. Solutions are communicated directly to MDECA staff. Global issues are posted to the SSDT support website. The MDECA personnel do not perform program maintenance activities. Instead, they utilize the applications supplied to them by the SSDT. The OECN requires the ITC to keep the version of each application current based on the provider's standard for continued support. Procedures are in place to ensure the SSDT-developed applications are used as distributed. Upon notification of their availability from SSDT, ITCs obtain quarterly updates by downloading zipped files from the SSDT's download site. The source code is not distributed with these files. Release notes, which explain the changes, enhancements and problems corrected, are provided via the SSDT website.
User and system manager manuals are also made available via the SSDT website with these releases. The SSDT informs the ITCs that it will support only the latest release of the state software beginning 30 days following the software release date. The MDECA uses a software utility called OECN_INSTALL to unpack these zipped files and install each individual package into its proper OECN directory. The OECN_INSTALL utility has an INSTALL_PACKAGE procedure with several functions that installs full package releases, partial releases or patches on the system. This utility ensures that all required components are installed properly and consistently. Only vendor-supplied changes are made to the operating system or system software documentation. As a participating member of the MCOECN, an ITC can enter into a cooperative agreement, the Campuswide Software License Grant (CSLG) and Education Software Library (ESL) Program, through the MCOECN, for acquiring and/or providing software maintenance services for a limited series of Hewlett Packard (HP), and other suppliers', software packages as approved by the MCOECN board of trustees. The services acquired and/or provided by the MCOECN under the agreement include the following:
Provide for the acquisition and distribution of software media to the participating ITCs for a limited series of HP software packages as approved by the board of trustees of the MCOECN.
Provide telephone technical support to the participant's technical staff for a limited series of HP software packages approved by the board of trustees of the MCOECN.
Track and maintain an accurate listing of all HP hardware and software covered under the agreement.
Provide and maintain support on one (1) license of Process Software's Multinet TCP/IP stack for each system registered under this program.
As a participating member of the program of the MCOECN, the participating ITCs agree to the following:
Maintain its status as a member in good standing of the MCOECN as a qualification for participating in (or continuing to participate in) this program.
Read, sign, and comply with the rules and regulations of the CSLG Program as operated by the MCOECN.
Provide unrestricted privileged access to all computer systems covered under the agreement for the purposes of identifying and/or correcting problems, distributing software, or assuring licensing compliance.
Provide HP or MCOECN representatives, upon prior written notice, with physical access to computer facilities at reasonable times during normal business hours to inspect sites and system records for compliance with the terms of the CSLG and ESL Programs.
Make payments to MCOECN for services under the agreement within 30 days of the receipt of an invoice for said services.
Before new releases are installed at the MDECA, a backup of the application or operating system affected by the change is prepared to ensure retention of the existing application or operating system in case of an error stemming from the upgrade process. Documentation for the current version of the operating system and new releases is provided on the HP web site. New releases include documented changes to the operating system and implementation procedures. In addition, the MDECA has purchased a copy of the operating system disks from INS, a third-party vendor in partnership with the MCOECN. This is part of the Technology Solutions Group program under the MCOECN (mc tsg).
This program allows the MDECA to purchase the operating system software media at a reduced cost. Current release documentation is maintained by the manager of systems and operations at the MDECA.

IT Security

The MDECA has several security policy and procedures documents, describing the responsibilities of user entity and MDECA staff, which are distributed to all employees and its user entities. These responsibilities include computer usage, data access, remote access and password usage guidelines. Policies are provided to MDECA staff upon hiring. Policies are provided to user entities; however, it is their responsibility to ensure users acknowledge and sign the policy, indicating their understanding of and agreement to the policies. The MDECA enters into a network and Internet management contract and acceptable use policy with each of its user entities, which outlines the rights and responsibilities of MDECA and the user entities. The user entity may also have its own acceptable use policies for its users. Each subsequent year, the MDECA uses the Service Level Agreement (SLA) as the user entity's acceptance to abide by MDECA's policies. The MDECA also uses a banner screen that is displayed upon logging into the system. The screen informs the user that unauthorized system access is prohibited and that users of the system expressly consent to the security policies of the MDECA. Access to the Internet has been provided to the user entities through the OECN etech network. No centralized Internet usage policy is used at the MDECA. Each user entity is responsible for its
own Internet usage policies. All documentation is maintained at the user entities. The MDECA staff is granted access within the scope of their assigned duties, but only as may be necessary to maintain the data structure, research and correct problems, and provide backup capabilities. Access is established, granted and reviewed by the executive director and documented in an authorization form. User entity staff are granted access after their superintendent and/or treasurer submits a completed access request form. These requests are sent to the MDECA staff. Upon receipt of the request, the executive director's staff appointee creates or updates the user account. An e-mail is sent to the superintendent or the treasurer and the user notifying them of the account login credentials. A user listing, including user access rights, is created weekly and made available for review on FISCWEB, a web site accessible to the user entity treasurer or others with authorized access. For changes requested from the FISCWEB review, the MDECA staff makes the necessary change to user access rights. Security alarm messages are sent to an operator terminal that has been enabled to receive security event messages. Security audit messages are sent to the console log file and alarms to the operator log file. Access to the console log and the operator log is limited to data processing personnel. The following detection control audits and/or alarms have been enabled through the operating system to monitor any security violations:
ACL: Gives file owners the option to selectively alarm certain files and events. Read, Write, Execute, Delete, or Control modes can be audited.
AUTHORIZATION: Enables monitoring of changes made to the system user authorization file or network proxy authorization file in addition to changes to the rights database.
AUDIT: Enabled by default to produce a record of when other security alarms were enabled or disabled.
BREAK-IN: Produces a record of break-in attempts. The DIALUP, LOCAL, REMOTE, NETWORK, DETACHED, and SERVER break-in types can be monitored.
LOGIN: Produces a record of login attempts. The DIALUP, LOCAL, REMOTE, NETWORK, DETACHED, and SERVER login types can be monitored.
LOGFAILURE: Provides a record of logon failures. The BATCH, DIALUP, LOCAL, REMOTE, NETWORK, SUBPROCESS, DETACHED, and SERVER logon failure types can be monitored.
FILE ACCESS: Provides a record of file access attempts.
A batch-processed command procedure executes each night to extract any security violations from the system audit journal and creates summary and detail reports. Log events deemed suspicious are further investigated by the manager of systems and operations to determine the exact nature of the event and the necessary corrective action. Each year, MDECA performs a positive confirmation of accounts in which each user entity signs off on the District Usernames and Identifiers report. This sign-off form indicates the treasurer has reviewed the report and approved of the accounts and privileges assigned to the individual
18 DESCRIPTION OF THE SERVICE ORGANIZATION S SYSTEM user accounts. The MDECA follows up with those user entities that do not reply with the confirmation request. The MDECA completed confirmation of all its user entities in June, 2014 The MDECA utilizes MailMarshal Anti-Virus software on the MailMarshal servers to scan all inbound and outbound . is then passed to the Alpha server which then passes it to the user s mailbox. If a virus is found, the is quarantined and the MDECA support staff and recipient are sent s informing them of the infected . Virus definitions are updated daily as part of the startup process. All traffic through the filtered and unfiltered proxy servers is logged on a regular basis. The logs are maintained on the system and may be provided to user entity officials upon request. Because of their volume and size, the logs are not reviewed on a regular basis. Instead, they are used for tracking Internet activity in the event a problem arises. The logs track the internal 10-dot address originating the web access, the date and the accessed web address. In addition, the firewalls and routing devices deny access to the inbound traffic unless the IP address originated from inside the network. Instead, the requests are routed to a proxy server located in each network segment that serves to filter all Internet access. The Internet filter service retrieves requests from the Internet for the typical user. Permission to bypass the proxy server requires management authorization. The firewall and routers also prevent all outside connections from accessing inside hosts or servers, unless the IP address originated from inside the network. All denied inbound and outbound Internet access is logged and ed to a programmer/analyst, who reviews the reports for potential security violations and other unauthorized or inappropriate activity on a daily basis. The outbound denials report lists failed attempts to bypass the MDECA firewall. 
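The nightly extract described above reduces a night's audit journal to a summary section (counts) and a detail section (the events worth a person's time). The following is an added illustration of that summary-and-detail shape, not the MDECA's command procedure or any HP tool. The records are constructed, their one-event-per-line pipe-separated format is an assumption (a real procedure would parse the output of the operating system's audit analysis utility), the review threshold is an assumption, and the file names SYSUAF, NETPROXY and RIGHTSLIST are the OpenVMS names the editor assumes for the system authorization, proxy and rights files the page mentions.

```python
"""Nightly security-violation extract: summary counts plus a detail list of
events that need review. Added example; constructed input; assumed format.
"""
from collections import Counter

# Constructed sample records: timestamp | event class | username | source | detail
SAMPLE_JOURNAL = """\
2015-03-15 01:12:03|LOGFAIL|DIST01_TREAS|NETWORK 10.10.4.21|invalid password
2015-03-15 01:12:09|LOGFAIL|DIST01_TREAS|NETWORK 10.10.4.21|invalid password
2015-03-15 01:12:15|LOGFAIL|DIST01_TREAS|NETWORK 10.10.4.21|invalid password
2015-03-15 01:12:22|LOGFAIL|DIST01_TREAS|NETWORK 10.10.4.21|invalid password
2015-03-15 01:12:30|BREAKIN|DIST01_TREAS|NETWORK 10.10.4.21|evasion started
2015-03-15 07:45:10|LOGFAIL|DIST07_CLERK|LOCAL TTA3|invalid password
2015-03-15 08:02:41|ACL|DIST03_PAY|LOCAL TTA5|WRITE SYS$SYSTEM:SYSUAF.DAT denied
2015-03-15 13:30:00|AUTH|SYSTEM|LOCAL OPA0|MODIFY user DIST09_NEW
2015-03-15 22:05:17|AUDIT|OPERATOR|LOCAL OPA0|alarm BREAKIN disabled
"""

# Event classes that always go to the detail section (changes to accounts,
# and any change to what is being audited).
ALWAYS_FLAG = {"AUDIT", "AUTH", "BREAKIN"}
# Login failures for one user/source pair at or above this count in a night
# are listed in detail. Threshold is an assumption for the example.
LOGFAIL_THRESHOLD = 3
# File-access alarms that touch the security files are always listed.
SECURITY_FILES = ("SYSUAF", "NETPROXY", "RIGHTSLIST")


def parse(journal_text):
    """Split the extract into event dicts. Malformed lines are returned as
    parse errors rather than dropped, so the report shows them."""
    events, errors = [], []
    for lineno, line in enumerate(journal_text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 5:
            errors.append((lineno, line))
            continue
        ts, cls, user, source, detail = (p.strip() for p in parts)
        events.append({"ts": ts, "class": cls, "user": user,
                       "source": source, "detail": detail})
    return events, errors


def summarize(events):
    """Summary section: counts per event class and per (class, user, source)."""
    by_class = Counter(e["class"] for e in events)
    by_key = Counter((e["class"], e["user"], e["source"]) for e in events)
    return by_class, by_key


def select_detail(events, by_key):
    """Detail section: the events the manager should actually read."""
    flagged = []
    for e in events:
        cls = e["class"]
        key = (cls, e["user"], e["source"])
        if cls in ALWAYS_FLAG:
            flagged.append(e)
        elif cls == "LOGFAIL" and by_key[key] >= LOGFAIL_THRESHOLD:
            flagged.append(e)
        elif cls == "ACL" and any(f in e["detail"].upper() for f in SECURITY_FILES):
            flagged.append(e)
    return flagged


def nightly_report(journal_text=SAMPLE_JOURNAL):
    """Run the whole extract and return the report as data."""
    events, errors = parse(journal_text)
    by_class, by_key = summarize(events)
    return {"by_class": dict(by_class),
            "flagged": select_detail(events, by_key),
            "parse_errors": errors}


def format_report(report):
    """Render the report in the summary-then-detail layout the page describes."""
    lines = ["SUMMARY"]
    for cls, n in sorted(report["by_class"].items()):
        lines.append(f"  {cls:<8} {n}")
    lines.append("DETAIL (events needing review)")
    for e in report["flagged"]:
        lines.append(f"  {e['ts']} {e['class']:<8} {e['user']:<13} "
                     f"{e['source']:<19} {e['detail']}")
    if report["parse_errors"]:
        lines.append(f"PARSE ERRORS: {len(report['parse_errors'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(nightly_report()))
```

On the sample, the single failure from DIST07_CLERK stays in the summary count only, while the repeated failures and the break-in from one network address, the write attempt against the authorization file, the account modification and the alarm being disabled all reach the detail section. Keeping malformed lines visible matters: a silently dropped record is the one an attacker would most like dropped.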
The inbound denials report lists all failed attempts to access the MDECA network via the Internet. The firewall has been configured for remote operation. Alteration of the configuration files requires that an individual know the proper IP address and a series of passwords before remote access is possible. Only a few MDECA staff have been provided the passwords for the firewall. Alteration of the configuration files of the equipment is performed by the network/Internet specialist. Additionally, a daily report is sent from the Palo Alto firewall to the MDECA staff that includes all possible threats to the network.

Primary logical access control to the HP computers is provided by the security provisions of the operating system. This includes access to data, programs and system utilities. When a user logs in to use the operating system interactively, or when a batch or network job starts, the operating system creates a process which carries the identity of the user. The operating system manages access to the process information using its authorization data and internal security mechanisms.

A proxy login enables a user logged in at a remote node to be logged in automatically to a specific account at the local node, without having to supply any access control information. A proxy login differs from an interactive login in that an interactive login requires a user to supply a user name and password before the user can perform any interactive operations. Proxy records are located in the proxy file. The MDECA does not utilize proxy logins.

User identification codes (UICs) are individually assigned to all data processing personnel employed at the MDECA. For user entities which use the MDECA system, UIC groups are assigned by user entity and UIC member numbers are unique to each user. UICs are assigned at the user entities' request. UIC-based protection controls access to objects such as files, directories, and volumes.
Associated with each object recognized by the operating system may be an Access Control List (ACL) that specifies the access rights of specific users and the actions to be taken when unauthorized access attempts are made to those resources. The use of ACLs is an optional security measure that provides a larger number of potential user groupings than UIC groups. An ACL allows a user to share files across UIC groups. When a request is made to access a resource, ACLs are always checked first. An ACL may either grant access to the user requesting it or deny access. When an ACL fails to specifically grant access, or if the object does not have an ACL, the UIC is checked. In UIC protection, the relationship between the user's UIC and the object's UIC determines whether access is granted. When the ACL denies access, access may still be granted through the UIC if the user is in the SYSTEM or OWNER category.

Certain limited-access accounts require a less restrictive environment than captive accounts. Accounts under which network objects run, for example, require temporary access to DCL. All accounts, except MDECA staff accounts, are set up with the RESTRICTED flag. The RESTRICTED flag restricts a user to a login command procedure, which limits command line access, but allows the execution of sub-processes (e.g., other programs which may be started from within the login command procedure) within the DCL environment.

Each user is subject to a minimum password length established by management. The system forces users to periodically change their passwords. The MDECA sets passwords to expire when a new user identification code is issued or when a user has forgotten his password. This setting requires the user to change his password during the next logon.

The operating system has system parameters which, when set appropriately, control and monitor logon attempts. These include the following:

- The terminal name is part of the association string for the terminal mode of break-in detection.
- The length of time a user has to correctly enter a password on a terminal on which the system password is in effect.
- The number of times a user can try to log in over a phone line or network connection. Once the specified number of attempts has been made without success, the connection is terminated.
- The length of time allowed between login retry attempts after each login failure.
- The length of time a user terminal, or node, is permitted to attempt a logon before the system assumes that a break-in attempt is occurring and evasive action is taken. The period for which evasive action is taken is variable and grows as further logon failures are detected from the suspect source.
- The number of retry attempts allowed before evasive action is taken; evasive action consists of refusing to allow any logons from the suspect source during a designated period of time.

System parameter standards have been established through the use of HP established defaults. Any changes are logged and reviewed by the executive director and the manager of systems and operations.

A timeout program, HITMAN, is used to monitor terminal inactivity and log off inactive users after a predetermined period of non-use. The use of this program helps to reduce the risk of an unattended terminal being used to enter unauthorized transactions. Timeout programs also aid in the efficient use of system resources by maintaining connectivity only with active system users.
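The break-in parameters above describe a small state machine: failures from one source are counted inside a window, a count at the limit puts the source into evasion, and while evasion is in force even a correct password is refused and the refusal period grows. The simulation below is an added example, not MDECA code or HP code. The field names LGI_BRK_LIM, LGI_BRK_TMO, LGI_HID_TIM and LGI_BRK_TERM are the editor's identification of the OpenVMS parameters the page paraphrases, the default values are the ones the editor believes HP ships, and the rule for extending the evasion period (one extra base period per attempt) is a simplification and an assumption.

```python
"""Simulation of login break-in detection and evasive action. Added example;
parameter names and defaults are the editor's assumption for the page's system.
"""
import random
from dataclasses import dataclass


@dataclass
class Policy:
    lgi_brk_lim: int = 5        # failures from one source before evasive action
    lgi_brk_tmo: float = 300.0  # seconds a failure stays in the count
    lgi_hid_tim: float = 300.0  # base evasion period in seconds
    lgi_brk_term: bool = True   # include the terminal name in the source key


@dataclass
class Suspect:
    failures: int = 0
    window_ends: float = 0.0    # failures are still counted until this time
    hidden_until: float = 0.0   # greater than "now" means evasion is in force


class BreakinDetector:
    def __init__(self, policy=None, rng=None):
        self.policy = policy or Policy()
        self.suspects = {}
        # Seeded so the demo is reproducible; the real system randomises too.
        self.rng = rng or random.Random(1)

    def _key(self, username, terminal, node):
        # The association string: who is trying, and from where.
        where = terminal if self.policy.lgi_brk_term else node
        return (username.upper(), where.upper())

    def attempt(self, now, username, password_ok, terminal="TTA0", node="LOCAL"):
        """Return "OK", "FAIL" or "EVADED" for one login attempt at time `now`."""
        key = self._key(username, terminal, node)
        s = self.suspects.get(key)

        # Evasive action: refuse even a correct password, and let the refusal
        # period grow with every further attempt from the suspect source.
        if s is not None and now < s.hidden_until:
            s.hidden_until += self.policy.lgi_hid_tim
            return "EVADED"

        if password_ok:
            return "OK"

        # A failure outside the counting window starts a fresh count.
        if s is None or now >= s.window_ends:
            s = Suspect()
            self.suspects[key] = s
        s.failures += 1
        s.window_ends = now + self.policy.lgi_brk_tmo

        if s.failures >= self.policy.lgi_brk_lim:
            # Hide for the base period scaled by a random factor in [1, 1.5],
            # so an attacker cannot time the end of the evasion exactly.
            s.hidden_until = now + self.policy.lgi_hid_tim * self.rng.uniform(1.0, 1.5)
        return "FAIL"


def demo():
    """Worked sequence: a password-guessing run, then the legitimate user."""
    d = BreakinDetector()
    results = [d.attempt(t, "DIST01_TREAS", password_ok=False) for t in range(5)]
    results.append(d.attempt(10, "DIST01_TREAS", password_ok=True))    # still hidden
    results.append(d.attempt(10, "DIST02_TREAS", password_ok=True))    # other source unaffected
    results.append(d.attempt(2000, "DIST01_TREAS", password_ok=True))  # evasion expired
    return results


if __name__ == "__main__":
    print(demo())
```

The practical point for an operator reviewing the LOGFAILURE and BREAK-IN alarms: a legitimate user whose correct password is refused right after a burst of failures has been caught by evasion, not by a bad password, and the burst itself is what to investigate. Because the terminal name is part of the key, a guessing run on one terminal does not lock the same username out of another.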
Users must provide a valid username and password to authenticate to the USAS and USPS web applications. The SSDT developed a program called the OECN_RPC (Remote Procedure Call) service which, in conjunction with the Universal Service Provider (USP) created by Hewlett Packard, allows users to authenticate through an XML interface using standard authentication policies. If authentication is successful, the RPC service impersonates the user by acquiring the security profile of the authenticated user (i.e., default privileges and security identifiers). Once the RPC service has acquired the corresponding security profile, the operating system process has the same security rights as the authenticated user. The network client then provides a code indicating the user entity data to be used. The RPC service uses the user entity code to define logical name definitions that associate the server process with the desired user entity data. Only default privileges from the user's profile record are enabled during a session; the session does not enable any authorized privileges. Therefore, when the service process accesses data files, the user's default login security profile is used. A user can select predefined OECN software functions that are available to the OECN RPC service (for example, USAS functions for posting a requisition). When the user has finished using the respective web application, the logout button is clicked to disconnect. Alternatively, the session may disconnect automatically after the configured inactivity timeout.

The MDECA runs the Uniform School Accounting System Data Warehouse (USASDW) on a SQL server running Microsoft SQL Server software. This application is utilized by the user entities for read-only access to processed purchase orders, invoices, checks, vendor tracking and receipts. All user accounts belonging to user entities are assigned the same user ID as their system account.
Access for database management purposes is limited to one MDECA employee.

The system directory contains security files that control the security parameters for the system. When a user attempts to gain access to an object, such as a file or directory, the system compares the user's UIC to the owner's UIC for that object. In UIC-based protection, the relationship between the user's UIC and the object's UIC determines whether access is granted. Owner relationships are divided into four categories:

SYSTEM: Any of the following: (1) users with a UIC group number between 1 and MAXSYSGROUP (default decimal 8, octal 10); (2) users with system privileges; (3) users with group privileges whose UIC group number matches the UIC group number of the object; (4) users whose UIC matches the owner UIC of the volume on which the file is located.
OWNER: Users with the same UIC as the object's owner.
GROUP: Users with the same UIC group number as the object's owner.
WORLD: All users, including those in SYSTEM, OWNER, and GROUP.

Through the protection code, each category of users can be allowed or denied read, write, execute, and delete access. The default file protection is (1) SYSTEM: read, write, execute and delete; (2) OWNER: read, write, execute and delete; (3) GROUP: read and execute; and (4) WORLD: no access.

Certain privileges can override all UIC-based and ACL protection. The operating system analyzes the privileges included in the user's authorization record and places the user in one of seven categories depending on which privileges have been granted. Default privileges are those authorized privileges that are automatically granted at login. If an authorized privilege is not a default privilege, it is not automatically effective at login and must be explicitly enabled or disabled by the user. All user entity personnel have NORMAL privileges.
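The two preceding passages on ACLs and on UIC-based protection together define one decision procedure: ACL first, then the protection code by category, with a SYSTEM or OWNER user still able to get in through the protection code when an ACL entry denies them. The model below is an added example, not MDECA's or HP's code, written to make that order of evaluation concrete with the page's default protection. Privilege handling (BYPASS overriding all object protection, SYSPRV conferring the SYSTEM category, GRPPRV conferring it within the owner's group) is the editor's reading of the operating system's rules and is an assumption, as is the restriction of ACL entries to UIC identifiers and the omission of the volume-owner rule for the SYSTEM category.

```python
"""Model of the object-protection check: ACL first, then UIC-based protection.
Added example; privilege and ACE semantics are assumptions stated in the lead-in.
"""
from dataclasses import dataclass, field

MAXSYSGROUP = 8            # page: default decimal 8, octal 10
ALL = frozenset("RWED")    # read, write, execute, delete

# Default file protection as stated on the page.
DEFAULT_PROTECTION = {
    "SYSTEM": ALL,
    "OWNER": ALL,
    "GROUP": frozenset("RE"),
    "WORLD": frozenset(),
}


@dataclass(frozen=True)
class UIC:
    group: int
    member: int


@dataclass
class User:
    uic: UIC
    privileges: frozenset = frozenset()   # e.g. frozenset({"SYSPRV"})


@dataclass(frozen=True)
class ACE:
    uic: UIC              # identifier this entry applies to
    access: frozenset     # modes granted; an empty set is an explicit denial


@dataclass
class VMSObject:
    owner: UIC
    protection: dict = field(default_factory=lambda: dict(DEFAULT_PROTECTION))
    acl: tuple = ()       # evaluated in order; the first matching ACE decides


def categories(user, obj):
    """Every category the user falls into; WORLD always applies."""
    cats = {"WORLD"}
    if user.uic == obj.owner:
        cats.add("OWNER")
    if user.uic.group == obj.owner.group:
        cats.add("GROUP")
    if (1 <= user.uic.group <= MAXSYSGROUP
            or "SYSPRV" in user.privileges
            or ("GRPPRV" in user.privileges and user.uic.group == obj.owner.group)):
        cats.add("SYSTEM")
    return cats


def protection_grants(user, obj, mode, only=None):
    """True if any applicable category (optionally restricted to `only`)
    carries the requested mode in the object's protection code."""
    cats = categories(user, obj)
    if only is not None:
        cats &= only
    return any(mode in obj.protection[c] for c in cats)


def check_access(user, obj, mode):
    """Return (granted, reason) for one access mode: "R", "W", "E" or "D"."""
    if "BYPASS" in user.privileges:
        return True, "BYPASS privilege overrides ACL and UIC protection"
    # 1. ACLs are always checked first.
    for ace in obj.acl:
        if ace.uic == user.uic:
            if mode in ace.access:
                return True, "ACL grants"
            # The ACL denies; SYSTEM or OWNER may still get in via the protection code.
            if protection_grants(user, obj, mode, only={"SYSTEM", "OWNER"}):
                return True, "ACL denies, but SYSTEM/OWNER protection code grants"
            return False, "ACL denies"
    # 2. No ACL, or no matching entry: fall back to UIC-based protection.
    if protection_grants(user, obj, mode):
        return True, "protection code grants"
    return False, "protection code denies"


def demo():
    """Worked cases on a district data file carrying the page's default protection."""
    treasurer = User(UIC(200, 1))
    clerk = User(UIC(200, 5))
    other_district = User(UIC(300, 7))
    mdeca_staff = User(UIC(4, 2))          # group 4 <= MAXSYSGROUP, so SYSTEM
    data_file = VMSObject(owner=UIC(200, 1))
    shared = VMSObject(owner=UIC(200, 1),
                       acl=(ACE(UIC(300, 7), frozenset("R")),   # share across groups
                            ACE(UIC(200, 1), frozenset())))     # deny the owner
    return {
        "treasurer_write": check_access(treasurer, data_file, "W")[0],
        "clerk_read": check_access(clerk, data_file, "R")[0],
        "clerk_write": check_access(clerk, data_file, "W")[0],
        "other_read": check_access(other_district, data_file, "R")[0],
        "staff_delete": check_access(mdeca_staff, data_file, "D")[0],
        "acl_other_read": check_access(other_district, shared, "R")[0],
        "acl_other_write": check_access(other_district, shared, "W")[0],
        "acl_denied_owner_write": check_access(treasurer, shared, "W")[0],
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:<24} {'granted' if granted else 'denied'}")
```

The last case is the one reviewers most often get wrong: an ACE that denies the owner does not actually keep the owner out, because the protection code's OWNER field is consulted after the denial. The same holds for anyone in the SYSTEM category, which is why the page's point that the authorization, proxy and rights files carry a UIC within MAXSYSGROUP and no WORLD write or delete access is what protects them, not an ACL.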
Wireless access at the MDECA is limited to web and e-mail services (intended for training purposes and MDECA guests). A wireless access point is set up with a Wi-Fi Protected Access (WPA) key. The user must enter the key in order to access the network.

Access to specific packages is provided by granting the appropriate operating system identifiers to authorized users. Each application package has a set of unique identifiers that permit access to programs. In addition to the standard identifiers for each package, a pass-through identifier can be used to further customize access. The OECN_SYSMAN identifier (defined by the state software applications and consistent for all ITCs) and the BYPASS privilege (defined by the operating system) grant access to all application packages. The OECN_SYSMAN identifier or the BYPASS privilege is used to grant users the same access to software functions without having to grant each individual identifier. The OECN_SYSMAN identifier and BYPASS privilege do not grant access to data.

To limit access to security files, the MDECA has limited WORLD access to the system authorization file, which contains account information identifying which users are allowed access to accounts on the system; the proxy file, which contains proxy account information identifying which remote users are allowed access to proxy accounts on the system; and the rights file, which contains the names of the reserved system identifiers and the identifiers for each user. In addition, the MDECA does not have an alternate user authorization file that can be used in place of the default user authorization file. Write and delete access are not enabled for WORLD on the files in the system directories. The UIC associated with each of these files is within the MAXSYSGROUP number.

User entities have been set up with sub-networks that have addresses not routable on the Internet, known as private internal networks.
Firewall equipment and additional routing devices deny all outbound traffic requests originating from the sub-network. In addition, the firewalls and routing devices deny inbound traffic unless the IP address originated from inside the network. Instead, requests are routed to a proxy server located in each network segment that serves to filter all Internet access. The Internet filter service retrieves requests from the Internet for the typical user. Permission to bypass the proxy server requires management authorization. The firewall and routers also prevent all outside connections from accessing inside hosts or servers, unless the IP address originated from inside the network.

The firewalls have been configured for remote operation. Alteration of the configuration files requires that an individual know the proper IP address and a series of passwords before remote access is possible. Only a few MDECA staff have been provided the passwords for the firewalls. Alteration of the configuration files of the equipment is performed by the network/Internet specialist.

There is one Cisco PIX (Private Internet Exchange) box between the MDECA and the Internet. Additionally, a Palo Alto 5050 firewall, which is a layer 7 firewall, provides anti-virus, threat prevention, intrusion detection and prevention, and traffic shaping, all in real time. Reports are received and reviewed daily, and adjustments are made to the appliance accordingly (e.g., blocking IPs, dropping connections). This firewall sits between the MDECA's network and the PIX.

The computer room is located within the MDECA offices. The building is secured by two locked doors and an alarm system, and entry is restricted to employees with an assigned access card. Additionally, four MDECA employees have been given the master code to unlock the doors should the need arise during normal business hours (arrival of large group trainings, etc.).
Data processing personnel are present at all times should the doors be unlocked for brief periods during the normal work day. These outside doors remain locked during non-work hours and the alarm is set. The computer room area remains locked at all times and is secured by the card scan system, which is part of the alarm system. Card access to this area is limited to the technical staff and administration. The building is secured throughout by motion detectors and by video and sound monitoring by a third party vendor during non-business hours.
The following items assist in controlling the computer room to protect it from adverse environmental conditions:

- Fire protection system (heat ion removal).
- Halon fire extinguisher.
- Raised floor with water sensor devices.
- Heat alarm in the event the temperature exceeds a preset level.
- Smoke detectors.
- Uninterruptible Power Supply (UPS) device for controlled electrical supply and 2½ hours of battery backup during an electrical outage.
- Generator and automatic transfer switch as an alternate power source during a prolonged electrical outage.

All detection devices are connected to the alarm system, thereby alerting alarm system personnel as necessary to access the video tracking and/or contact the MDECA.

IT Operations

Traditional computer operations procedures are minimal because users at the user entities initiate all application jobs and are primarily responsible for ensuring the timeliness and completeness of processing. All MDECA employees have a procedures manual, which provides directions and guidelines for most of the operational functions performed by the MDECA staff. They also have access to the operations procedures manuals for the system. End users have access to the SSDT website, which contains user and technical documentation for the applications. Specific support issues or questions can be communicated to the SSDT via helpdesk software. Solutions are communicated directly to MDECA staff. Global issues are posted to the SSDT support website.

Certain routine batch jobs can be initiated at the MDECA for system maintenance. The MDECA is responsible for some operational tasks, including system backups, log reports, and other maintenance directed at the system as a whole. The MDECA utilizes an automated application, SUBMITALL, which schedules and performs these tasks. This application continually submits jobs on the Alpha system.
The manager of systems and operations monitors the system for hardware errors throughout the day using an operating system command, reviewing the log for hardware errors each time. If an error is detected, the manager of systems and operations utilizes either DEC EVENT or ANALYZER to obtain details about the problem. If the problem cannot be resolved, HP is contacted for system diagnosis. If necessary, an HP field technician performs an on-site visit to resolve the problem.

Common problems that arise daily, such as terminal lockups and program crashes, are usually handled by the MDECA service representatives over the phone and may not be documented if the problem was minor. However, most problems are still logged through a Work Order Log and filed by the manager of systems and operations. Changes to data requested by user entities are entered into the CA Unicenter statewide help desk. In addition to documented tracking through the help desk, any hard-copy documentation generated for the request is filed according to the ticket number assigned by the help desk entry.

The MDECA has a hardware maintenance agreement with Service Express, Inc. for the system and a maintenance agreement with DataServ for the network, including routers, network cards and other network peripherals.
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationby New Media Solutions 37 Walnut Street Wellesley, MA 02481 p 781-235-0128 f 781-235-9408 www.avitage.com Avitage IT Infrastructure Security Document
Avitage IT Infrastructure Security Document The purpose of this document is to detail the IT infrastructure security policies that are in place for the software and services that are hosted by Avitage.
More informationSERVICE LEVEL AGREEMENT
This Service Level Agreement ( SLA ) applies to and governs such Gabian Technology and its partners SharePoint, Web Hosting, Virtual Private Server, Exchange Hosting, Advisor Earnings, Email Archive, CRM
More informationSERVICE SCHEDULE INFRASTRUCTURE AND PLATFORM SERVICES
SERVICE SCHEDULE INFRASTRUCTURE AND PLATFORM SERVICES This Product Schedule Terms & Conditions is incorporated into a Services Agreement also comprising the General Terms and Conditions which the Customer
More informationSecurity Policy JUNE 1, 2012. SalesNOW. Security Policy v.1.4 2012-06-01. v.1.4 2012-06-01 1
JUNE 1, 2012 SalesNOW Security Policy v.1.4 2012-06-01 v.1.4 2012-06-01 1 Overview Interchange Solutions Inc. (Interchange) is the proud maker of SalesNOW. Interchange understands that your trust in us
More informationDETAIL AUDIT PROGRAM Information Systems General Controls Review
Contributed 4/23/99 by Steve_Parker/TBE/Teledyne@teledyne.com DETAIL AUDIT PROGRAM Information Systems General Controls Review 1.0 Introduction The objectives of this audit are to review policies, procedures,
More informationDetermine if the expectations/goals/strategies of the firewall have been identified and are sound.
Firewall Documentation Develop background information about the firewall(s) in place: Segment diagrams Software Hardware Routers Version levels Host names IP addresses Connections Specific policies for
More informationWorkflow Templates Library
Workflow s Library Table of Contents Intro... 2 Active Directory... 3 Application... 5 Cisco... 7 Database... 8 Excel Automation... 9 Files and Folders... 10 FTP Tasks... 13 Incident Management... 14 Security
More informationFIREWALL POLICY November 2006 TNS POL - 008
FIREWALL POLICY November 2006 TNS POL - 008 Introduction Network Security Services (NSS), a department of Technology and Network Services, operates a firewall to enhance security between the Internet and
More informationStone Vault, LLC SOC 1 (SSAE NO. 16) TYPE 1 REPORT ON CONTROLS PLACED IN OPERATION FOR TAX RETURN AND FINANCIAL STATEMENT PORTAL SERVICES
SOC 1 (SSAE NO. 16) TYPE 1 REPORT ON CONTROLS PLACED IN OPERATION FOR TAX RETURN AND FINANCIAL STATEMENT PORTAL SERVICES Stone Vault, LLC JANUARY 31, 2013 STONE VAULT, LLC Table of Contents SECTION 1:
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationOFFICE OF THE STATE AUDITOR General Controls Review Questionnaire
OFFICE OF THE STATE AUDITOR Agency: * University Please answer all of the following questions. Where we ask for copies of policies and procedures and other documentation, we would prefer this in electronic
More informationAyla Networks, Inc. SOC 3 SysTrust 2015
Ayla Networks, Inc. SOC 3 SysTrust 2015 SOC 3 SYSTRUST FOR SERVICE ORGANIZATIONS REPORT July 1, 2015 To December 31, 2015 Table of Contents SECTION 1 INDEPENDENT SERVICE AUDITOR S REPORT... 2 SECTION 2
More informationCopyright 2011 Sophos Ltd. Copyright strictly reserved. These materials are not to be reproduced, either in whole or in part, without permissions.
PureMessage for Microsoft Exchange protects Microsoft Exchange servers and Windows gateways against email borne threats such as from spam, phishing, viruses, spyware. In addition, it controls information
More informationAuburn Montgomery. Registration and Security Policy for AUM Servers
Auburn Montgomery Title: Responsible Office: Registration and Security Policy for AUM Servers Information Technology Services I. PURPOSE To outline the steps required to register and maintain departmental
More informationSERVICE LEVEL AGREEMENT
SERVICE LEVEL AGREEMENT This service level agreement ( SLA ) is incorporated into the master services agreement ( MSA ) and applies to all services delivered to customers. This SLA does not apply to the
More informationBest Practices Report
Overview As an IT leader within your organization, you face new challenges every day from managing user requirements and operational needs to the burden of IT Compliance. Developing a strong IT general
More information1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...
Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless
More informationServer Installation, Administration and Integration Guide
Server Installation, Administration and Integration Guide Version 1.1 Last updated October 2015 2015 sitehelpdesk.com, all rights reserved TABLE OF CONTENTS 1 Introduction to WMI... 2 About Windows Management
More informationIT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
More informationAchieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
More informationSupplier IT Security Guide
Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA
More informationTEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL
TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for
More informationTop Three POS System Vulnerabilities Identified to Promote Data Security Awareness
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
More informationBlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide
BlackBerry Enterprise Service 10 Universal Service Version: 10.2 Administration Guide Published: 2015-02-24 SWD-20150223125016631 Contents 1 Introduction...9 About this guide...10 What is BlackBerry
More informationNetwork Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201
Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...
More informationGE Measurement & Control. Cyber Security for NEI 08-09
GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4
More informationKASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual
KASPERSKY LAB Kaspersky Administration Kit version 6.0 Administrator s manual KASPERSKY ADMINISTRATION KIT VERSION 6.0 Administrator s manual Kaspersky Lab Visit our website: http://www.kaspersky.com/
More informationSPRINT MANAGED SECURITY SERVICES PRODUCT ANNEX
SPRINT MANAGED SECURITY SERVICES PRODUCT ANNEX The following terms and conditions, together with the Sprint Master or Custom Services Agreement or Domestic Sprint Services Sales Application Form ("Agreement"),
More informationAPPENDIX 3 TO SCHEDULE 3.3 SECURITY SERVICES SOW
EHIBIT H to Amendment No. 60 APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT SECURITY SERVICES SOW EHIBIT H to Amendment No. 60 Table of Contents 1.0 Security Services Overview
More informationAutomate PCI Compliance Monitoring, Investigation & Reporting
Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently
More informationOracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies
More informationInformation Technology Cyber Security Policy
Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please
More informationNERC CIP Whitepaper How Endian Solutions Can Help With Compliance
NERC CIP Whitepaper How Endian Solutions Can Help With Compliance Introduction Critical infrastructure is the backbone of any nations fundamental economic and societal well being. Like any business, in
More informationHow To Control Vcloud Air From A Microsoft Vcloud 1.1.1 (Vcloud)
SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,
More informationINFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS 357-7 8. Risk Assessment 357-7
Information Technology Management Page 357-1 INFORMATION TECHNOLOGY MANAGEMENT CONTENTS CHAPTER A GENERAL 357-3 1. Introduction 357-3 2. Applicability 357-3 CHAPTER B SUPERVISION AND MANAGEMENT 357-4 3.
More informationPierce County Policy on Computer Use and Information Systems
Pierce County Policy on Computer Use and Information Systems Pierce County provides a variety of information technology resources such as computers, software, printers, scanners, copiers, electronic mail
More informationCollege of Education Computer Network Security Policy
Introduction The College of Education Network Security Policy provides the operational detail required for the successful implementation of a safe and efficient computer network environment for the College
More information74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
More informationInformation Technology Internal Controls Part 2
IT Controls Webinar Series Information Technology Internal Controls Part 2 Presented by the Arizona Office of the Auditor General October 23, 2014 Part I Overview of IT Controls and Best Practices Part
More informationInformation Technology General Controls Review (ITGC) Audit Program Prepared by:
Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationSystem and Network Security Policy Internet User Guidelines and Policy. North Coast Council. 5700 West Canal Road Valley View, Ohio 44125
North Coast Council 5700 West Canal Road Valley View, Ohio 44125 Telephone: 216-520-6900 Fax: 216-520-6969 1885 Lake Avenue Elyria, Ohio 44035 Telephone: 440-324-3185 Fax: 440-324-7355 URL: www.nccohio.org
More informationInformation security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
More informationOngoing Help Desk Management Plan
Ongoing Help Desk Management Plan HELP DESK IMPLEMENTATION /MANAGEMENT The Vendor shall provide in its Response to DIR a Help Desk Implementation Plan which shall include, but not be limited to: a. Customer
More informationSWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific
More informationLocking down a Hitachi ID Suite server
Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime
More informationConsensus Policy Resource Community. Lab Security Policy
Lab Security Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is
More informationEstate Agents Authority
INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in
More informationFireSIGHT User Agent Configuration Guide
Version 2.2 August 20, 2015 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL
More informationTk20 Network Infrastructure
Tk20 Network Infrastructure Tk20 Network Infrastructure Table of Contents Overview... 4 Physical Layout... 4 Air Conditioning:... 4 Backup Power:... 4 Personnel Security:... 4 Fire Prevention and Suppression:...
More information