OFFICE OF THE STATE AUDITOR General Controls Review Questionnaire

Transcription

1 OFFICE OF THE STATE AUDITOR Agency: * University Please answer all of the following questions. Where we ask for copies of policies and procedures and other documentation, we would prefer this in electronic format if possible. For questions, which require more clarification, notify us and we will explain the information to you. Please do not wait until you complete the entire questionnaire before submitting your responses to us. As you complete each section, forward this information to us so we can begin our review. On all attachments, please indicate the source, or person submitting the information provided in the event we have to follow up with further questions. We would request that all questions be completed by, If you have any additional questions, please contact Michael Burch at (919) or at Michael_Burch@ncauditor.net. General Issues 1. Please provide us with a description of your computer systems, including: Processor Operating System (including version) Security Software (including version) Major application systems and major user department for application, including a user contact person for each application. 2. Describe any non-mainframe systems under the control of the Information Systems (IS) Department, such as a PC-based Cashiering System or One-Card System. Describe the application, the major user department with contact person, how does the system interface with the mainframe application systems. Describe the computer system on which the application runs. 3. Describe any other department performing information system functions (programming, or processing) or have their own servers. Examples would be standalone system for the Cashier's Office, One-Card Office, and Bookstore. Please describe the application, computer system on which it runs, and any interface with the mainframe applications. Provide us with the name and phone number of the responsible person in the department. 4. Describe any major changes in the data processing environment for the agency in the past five years. 5. Provide an organizational chart for the agency, showing the reporting responsibilities for the IS Department and Internal Audit Function. Provide an organizational chart for the IS Department showing responsibilities and reporting relationships. Provide staff names for each position.

2 OFFICE OF THE STATE AUDITOR Agency: * 6. Provide name, title, phone numbers, addresses, work schedules for each key staff member. For key personnel provide planned scheduled vacation and time off for the next two months. Provide the user ids for key personnel. 7. Define the privileged user ids for the system. Describe the function the person with these ids perform and the reason for the privileges given. 8. Provide training and conferences attended by each staff member during the past year and plans attendance for the next year. 9. Has the internal auditor performed any type of IS audit. If so, please provide us a copy of the report and current status of findings and recommendations. Also, provide us the name and phone number of the internal auditor. 10. Has there been any independent audits or reviews performed for any data processing application or computer system. If so, describe who performed the audit or review and provide a copy of the report. Also, provide the current status of any audit finding and recommendations. 11. Provide a description of the security function. Who defines security policies and procedures? Who performs various security related functions such as approving users' access levels, granting access rights, resetting user ids and passwords, monitoring users system activities, monitoring intrusion attempts, and reviewing security activities. Who performs application level security such as FRS, SIS, and HRS and for any non-mainframe applications such as the One-Card System? General Security Issues 1. Please provide us with your policies regarding external access by other organizations or individuals outside the agency. i.e., vendors, contractors, etc. 2. Do you have a security education program for staff and end users? If so, please provide us a copy of the documentation. Access Control 1. What access control software do you use to protect your critical applications and sensitive information? 2. Do you have a policy regarding ownership of application systems data files? 3. Please provide us with a copy of your information security policies and procedures.

3 OFFICE OF THE STATE AUDITOR Agency: * University 4. Do you have program library policies and procedures? If so, do you have separate libraries for (1) development, (2) test, and (3) production programs? 5. What are the names of your development, test and production source and object libraries? 6. What is your file naming convention? 7. Are all users personally identified when they log on to the network, not through group or terminal identifiers? 8. What are your policies and procedures for passwords? Minimum and Maximum length for passwords? Are null passwords allowed? How often does the system forces password changes? Are there any passwords set to never expire? If so, why? How many password history versions are maintained? How many unsuccessful attempts are allowed before intrusion detection is activated? Is the user id inactivated after a defined number of unsuccessful logon attempts? Is anyone notified of possible intrusion attempts? If so, what are the policies and procedures followed if a possible intrusion attempt is detected? 9. Does the software log and report all attempted security violations? If so, who is responsible for monitoring and responding to attempted security violations? Program Security 1. Provide us with the access rights for all persons who have read, write, or execute access for the application program libraries. Be sure to include default access rights granted to all users. 2. Do you maintain logs on user access to the application program libraries?

4 OFFICE OF THE STATE AUDITOR Agency: * Systems Development 1. Please provide us with your most current information systems strategic plan. 2. Have you adopted a systems development methodology? If so, provide us with a copy of the methodology used. 3. Please provide us with your documentation standards. 4. Are there mandatory project management policies and procedures for each large project? If so, please provide us with a copy. Program Maintenance 1. Do you have any program change policies and procedures? If so, please briefly describe or provide us with these policies and procedures. 2. Are proposed program changes are requested in writing, approved by the user department, approved by the program maintenance department, assigned to a programmer, and classified as major, minor or emergency? 3. Are program changes tested, approved, and documented? 4. Are changes reviewed and approved by both user and information systems department management? Is approval documented? 5. Do procedures ensure that system; program, operations and user documentation is updated as needed for program changes? 6. Is there a streamlined set of the above procedures for minor changes, such as program fixes? 7. What procedures ensure that only authorized program changes are moved into the production libraries? 8. Who moves the modified programs into production? Does someone other than the programmer moves programs into production. If no, is there any logging and monitoring of the programmers' activities for the production libraries?

5 OFFICE OF THE STATE AUDITOR Agency: * University If a person other than the programmer moves the program into production, does the person who moves the source program, recompiles it, and moves the new object code into the production library. 9. There is an alternate set of procedures for emergency changes, such as system crashes during peak processing periods. If so, describe the difference. 10. Do you use library management software to control the movement of programs between production and test libraries? Physical Security 1. Have you recently performed a formal vulnerability or risk assessment? If so, please provide us with the assessment documents. 2. Are there fire and smoke detectors located in (a) the computer room, (b) the tape library, (c) supply storage areas, (d) rooms adjacent to the computer room, (e) heating and air conditioning vents, and (f) under raised floors? If so, how often are they tested? 3. Do the fire and smoke detectors, and other alarms automatically notify the center management, security group, or the local police and fire departments? 4. Is fire fighting equipment, such as fire extinguishers, readily accessible throughout the center? Does the computer room contain water sprinklers? 5. Is the center protected from environmental hazards such as water damage, heat and humidity? 6. Is the center protected from electrical power fluctuations and outages? 7. Are the computer areas (computer room, tape library, supply storage rooms, and other rooms adjacent to the computer room) properly restricted to personnel with assigned duties in those locations? 8. Do employees receive training and instructions concerning emergency procedures?

6 OFFICE OF THE STATE AUDITOR Agency: * Operations Procedures 1. What type of training do the production control technicians and computer operators receive? 2. What type of automated operations software does the center use? 3. Please describe or provide us with a copy of the operator job handling procedures? 4. Do the procedures ensure: a) All production jobs are authorized and requested by users. b) Jobs are scheduled to ensure that they are run, and run in the proper sequence. c) All production jobs are accounted for through a review of scheduled jobs. 5. Do you have a tape librarian and an automated tape inventory system? 6. Does your operating system or the tape management system check tape names at the beginning of processing? 7. Do you have a help desk function? What are their responsibilities? Systems Software 1. Who is responsible for maintaining the systems software within the center? 2. Please provide us with a copy of the center's systems software maintenance and documentation standards. 3. Please provide us with a list of recently installed upgrades or changes. 4. Do you have a method of documenting and resolving systems software problems detected during testing or operations? 5. Do you maintain any user written software or local code to supplement the vendor supplied systems software? If so, are there policies that restrict the use of local code as much as possible, and procedures to develop, test and maintain local code?

7 OFFICE OF THE STATE AUDITOR Agency: * University 6. Do you have policies to ensure application systems are compatible with expected versions of systems software? If so, please provide us a copy of the policies. Telecommunications 1. Please provide us with a copy of the center's most recent network diagrams. 2. Has the center performed a risk assessment to identify sensitive data on the network or high-risk users of the network? If so, please provide us a copy of the assessment. 3. Does the communications equipment ensure that transmissions are complete and accurate? 4. Does the computer center have dial-in users connecting directly to the mainframe or network servers? If so, what procedures are used to confirm the identity of dial-in users? 5. Does the network routing scheme assign addresses and maintain its routers to support the correct routing of information? 6. Do you use network encryption practices? Do you maintain public key directories? 7. What network management software do you use? Is it restricted to persons who need it to perform their job duties? If so, how?

8 OFFICE OF THE STATE AUDITOR Agency: * Disaster Recovery Planning 1. What is the current backup schedule for data files, application programs, and system software. Are the backup tapes taken off-site? If so, what is the off-site schedule? 2. Please provide us with a copy of the backup policies and procedures. Do these policies and procedures cover critical data and applications on standalone systems and for systems not under the control of Information Systems Department.? 3. Please provide us with a copy of your disaster recovery plan.