General Computer Controls
|
|
- Donald Horton
- 8 years ago
- Views:
Transcription
1 1 General Computer Controls Governmental Unit: University of Mississippi Financial Statement Date: June 30, 2007 Prepared by: Robin Miller and Kathy Gates Date: 6/29/2007 Description of computer systems and LANs in use (hardware and software). (It may be appropriate to complete a separate form for LANs.) [ ] Instructions: CRI will need to gain an understanding of the different processes that are dependent on the general computer system and the related controls that ensure the integrity of the computer output. Computer general control activities relate to information technology personnel and operations as a group rather than directly to specific financial statement assertions. Therefore, the letter P or S appears in the column next to each control activity to indicate whether it is to be a primary control ( P ) or a secondary control ( S ). This form is designed for either an in-house system or computer service organization. However, completion of this form is unnecessary for service centers if there is a suitable service auditor s report on the service organization s internal controls. Please complete this form for EACH of the systems used by the University and provide policies and procedures, organizational charts, narratives, and any other information that will be helpful in our understanding. 1. Organization controls tested through inquiry and observation a. The information technology (IT) department is independent of the departments it serves. b. IT personnel are prohibited from initiating or authorizing transactions. c. IT personnel are prohibited from initiating changes to master files. i. In circumstances when master file changes are made by IT personnel, appropriate procedures are followed to control the changes. d. Departments that initiate master file changes are given a report showing the changes that were made. e. Appropriate procedures are followed when IT personnel make corrections to errors in data files or applications. f. There is separation of duties between programmers, system administrators, and users. Procedures require requesting entity to identify and authorize May be necessary under extreme circumstances to resolve a critical issue S N/A SAP is a real-time transactional ERP. Areas of responsibility/usage clearly defined
2 2 g. The duties of IT personnel are rotated periodically. Typically on a biannual basis and as new systems/applications are deployed h. IT personnel are required to take annual vacations of at least one continuous week. N This is encouraged but not required i. During the vacationing personnel s absence, their duties are performed by other personnel. i. If there is an internal audit function, the internal auditors report to the audit committee on whether the computerized accounting applications are designed and operated to produce information that can be used to prepare financial statements that accurately represent the client s financial condition and results of operations. 2. Access controls tested through inquiry, observation, or document inspection. (If the entity has more than one computer system or a LAN, this section of the form should be completed for each system or LAN. To do so, a copy can be made and completed for each system or LAN.) Secondary and tertiary duties are assigned based on staffing S N/A a. One employee is assigned the responsibility for IT security. While IT has a named Security Coordinator there are various security responsibilities assigned throughout IT b. There are adequate physical controls to ensure that access to computer facilities is restricted to authorized personnel. c. Programmers are restricted from access to applications in live operation, job control language, and live data files. d. Procedures are in place to prevent testing of new or revised applications on live data files. e. Software users are prohibited from having access to source code, the compiler, and programming documentation. f. Access to application processing parameter databases or table files is restricted to authorized personnel, and changes to those files are adequately reviewed. g. Software utilities that can alter data or applications are adequately controlled and their usage is logged for subsequent management review. h. Access control software is used for terminals and workstations so that A proximity card system is used to control access. As applicable Test systems are in place for all major functions System audit features capture all changes
3 3 i. Access is limited to specified persons. As applicable via ACL s, firewall settings, client software/accounts ii. Individuals have access only to those applications or files that are necessary to perform their duties. Based on internal authorization roles i. If passwords are used to control terminal or workstation access: i. Procedures are established to determine that those passwords are confidential and unique. Requirements set, crackers used ii. Passwords are changed at regular intervals. Every 90 days iii. Passwords are promptly canceled for terminated employees. j. Regarding IT personnel who are terminated: i. They are released from sensitive duties immediately. ii. Their access to the IT system is suspended immediately. iii. Their actions are appropriately supervised until their departure from the premises. k. There are procedures to prevent remote access to the network through dial-up, Internet, or Virtual Private Network (for example, dial-back, polling lists, user ID, or passwords). l. If confidential or sensitive information is transmitted through public carrier networks (for example, by leased line), protection methods are used to prevent or detect unauthorized access, either through carrier security methods or independent methods (for example, encryption methods). m. For internal network traffic, procedures that are commensurate with data traffic sensitivity are in place to provide security over transmissions across the network. n. Intrusion detection systems are in place on the internal network to monitor the network. o. All data has been classified and appropriate risk ranking has been established that will support and provide evidence for the use of implemented network security controls. p. For centralized data centers, there are appropriate controls over access to system administrator instruction manuals. Daily updates supplied VPN/dial up requires managed account VPN and/or SSL is employed Client encryption S N Commercial IDS is not installed. Several local procedures are in place to monitor and react to any issues Data pools are identified and risk factors noted Physically secured
4 4 q. For decentralized, distributed client server systems, there are appropriate education, training, and support materials available for the system administrator and security administrator over the servers. 3. Application development controls tested through inquiry, observation, or document inspection. (If the entity has more than one computing platform, such as mainframe and LAN, this section of the form should be completed for each platform. To do so, a copy of this section can be made and completed for each platform.) The following control activities apply to all key applications, both those developed in-house and those purchased from third-party vendors. a. There are established procedures for development of new applications, as well as modifications of existing applications. i. Approval is required and obtained for development of new applications or programs, or for modifications of existing ones. b. Application development procedures give adequate consideration to development of adequate control features for the new or modified applications. c. Application development procedures require active involvement by the users (and internal audit, if applicable). d. Formal testing procedures have been established to check the functioning of new applications and modifications of existing applications (including testing of modifications made by vendors to purchased software). e. During the testing phase, the user group (or the personnel who will run the system for the user group) tests the application as a complete product, and performs testing under conditions similar to those in which the application or system is expected to be run. f. There are formal standards and procedures for documentation of new applications as well as modifications of existing applications. If managed by IT See IT Work Request linked from Project life cycles include phases for testing/implementing authorizations. Absolutely. The SAP Support Desk coordinates testing and roll-out. Functional users are invited to the IT or SAP training lab where they test application functionality. A typical project will include two or three of these sessions.
5 5 g. Procedures are in place to prevent unauthorized changes to applications, preferably as part of the entity s system development life cycle methodology. h. There are controls over the movement of new or modified code from development to testing and to the live operating environment. 4. System software controls tested through inquiry, observation, or document inspection. (System software includes the operating system, database management systems, telecommunications software, security software, utility software, file management systems, library management packages, compilers, sorts, job control software, and time-sharing software.) a. If entity personnel have the technical expertise and tools to develop or modify system software: i. Those personnel are prevented from having a detailed understanding of related applications and user controls over key files and transactions. ii. Those personnel are appropriately supervised. iii. The entity has controls over system software like those for application development in place (Items 3.a. h.). iv. Changes to the system software are reviewed and approved before moving them into the live operations environment. v. Changes to the system software are tested before moving them into the live operations environment. vi. Key system software parameters are periodically reviewed to ensure adequate use and governance of system resources and processing. vii. Maintenance and emergency software patches are installed and kept up to date per vendor specifications. 5. Operational controls tested through inquiry and document inspection. (If the entity has more than one computing platform, such as mainframe and LAN, this section of the form should be completed for each platform. To do so, a copy of this section can be made and completed for each platform.) The SAP landscape includes a sophisticated transport system that moves changes in a controlled manner across three systems: development, testing and production. Units are focused on defined segments Continuous monitoring of system resource usage/allocation though online tools Quarterly cycle for maintenance patches
6 6 a. Schedules are prepared and followed for processing of computer applications. b. Changes to work schedules are appropriately authorized and communicated to affected parties. c. Automated or manual logs are used to record system administrator activities and i. There are controls to ensure the completeness and accuracy of the logs. Via online calendar tracking ii. The logs are reviewed by appropriate supervisory As applicable personnel, and unusual entries are appropriately investigated. d. System administrators are required to report system failures, Maintained via call tracking system restart and recovery, or other unusual incidents, and those reports are reviewed by an appropriate official. e. System administrator instruction manuals (in the form of a printed manual or instructions that can be accessed on line) are available to each system administrator. f. System administrator instruction manuals contain the following: i. Setup of batch jobs and loading of operating systems or software (including applicable control statements or parameters used in processing). ii. Hardware components and data files to be used. iii. Input and output media to be used. iv. Termination of applications. v. Instructions on actions to be taken (such as rerun or restart procedures) if a process fails to operate properly. g. There are appropriate procedures to monitor system administrator compliance with prescribed operating procedures. h. There are appropriate procedures for back-up and storage of applications and data files. i. There is a documented background screening of IT personnel. HR Function j. Periodic security briefings are provided for IT personnel.
7 7 k. There are appropriate procedures to prevent test versions of applications from being run on live operating data and to control such tests when it is necessary to run them. l. In circumstances when system administrators must initiate input of data, procedures exist to allow the system administrators to determine whether the input is properly authorized. m. There are appropriate controls such as the following for situations when outside third parties (such as vendors from whom application or system software is licensed) are permitted to sign on to the client s system, for example, to perform problem determination and resolution procedures: i. The vendor must specifically request the client s authorization and a user ID and password (ideally a onetime use password) to sign on to the client s system. ii. The vendor must ask the client to turn on an activation switch that permits access to the system. iii. The client s procedures call for the client to call back vendors who initiate a request for access to the client s system to verify the identity and authority of the caller. 6. Disaster recovery/contingency planning tested through inquiry and observation a. Off-premises storage is maintained for: i. Master files and transaction files sufficient to recreate the current master files. Transport system employed for control This can be done electronically ii. Applications and related documentation. As applicable. Most applications and documentation are available from the vendor online. iii. Copies of the contingency plans. b. Contingency plans have been developed for alternative processing in the event of loss or interruption of the IT function. c. If contingency plans have been developed, the plans have S N been tested for adequacy in the event of a disaster. d. Copies of the backup files for the following are periodically tested to make certain that they are usable: i. Software copies. S N Only for restore purposes
8 8 ii. Master files. S N Only for restore purposes iii. Transaction or transaction history files. S N Only for restore purposes
CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS
11-1 CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS INTRODUCTION The State Board of Accounts, in accordance with State statutes and the Statements on Auditing Standards Numbers 78
More informationFORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS. Date(s) Completed. Workpaper Reference
FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS Workpaper Reference Date(s) Completed Organization and Staffing procedures used to define the organization of the IT Department. 2. Review the organization
More informationIT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
More informationGENERAL APPLICATION FOR ELECTRONIC COMMUNICATION SYSTEM ( ECS ) INSURANCE
GENERAL APPLICATION FOR ELECTRONIC COMMUNICATION SYSTEM ( ECS ) INSURANCE (CLAIMS MADE BASIS) APPLICANT S INSTRUCTIONS: 1. Answer all questions. If the answer requires detail, please attach a separate
More informationGeneral IT Controls Audit Program
Contributed February 5, 2002 by Paul P Shotter General IT Controls Audit Program Purpose / Scope Perform a General Controls review of Information Technology (IT). The reviews
More informationPART 10 COMPUTER SYSTEMS
PART 10 COMPUTER SYSTEMS 10-1 PART 10 COMPUTER SYSTEMS The following is a general outline of steps to follow when contemplating the purchase of data processing hardware and/or software. The State Board
More informationIT - General Controls Questionnaire
IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow
More informationINFORMATION TECHNOLOGY CONTROLS
CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,
More informationSupplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationCHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationInformation System Audit. Arkansas Administrative Statewide Information System (AASIS) General Controls
Information System Audit Arkansas Administrative Statewide Information System (AASIS) General Controls ARKANSAS DIVISION OF LEGISLATIVE AUDIT April 12, 2002 April 12, 2002 Members of the Legislative Joint
More informationClient Security Risk Assessment Questionnaire
Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2
More informationApproved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2
Texas Wesleyan Firewall Policy Purpose... 1 Scope... 1 Specific Requirements... 1 PURPOSE Firewalls are an essential component of the Texas Wesleyan information systems security infrastructure. Firewalls
More informationFIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
More informationAPPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST
APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST Application Name: Vendor Name: Briefly describe the purpose of the application. Include an overview of the application architecture, and identify the data
More informationOracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies
More informationInformation Technology General Controls (ITGCs) 101
Information Technology General Controls (ITGCs) 101 Presented by Sugako Amasaki (Principal Auditor) University of California, San Francisco December 3, 2015 Internal Audit Webinar Series Webinar Agenda
More informationCentral Agency for Information Technology
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
More informationRajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np
Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security
More informationDETAIL AUDIT PROGRAM Information Systems General Controls Review
Contributed 4/23/99 by Steve_Parker/TBE/Teledyne@teledyne.com DETAIL AUDIT PROGRAM Information Systems General Controls Review 1.0 Introduction The objectives of this audit are to review policies, procedures,
More informationUniversity of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary
University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary This Summary was prepared March 2009 by Ian Huggins prior to HSC adoption of the most recent
More informationRL Solutions Hosting Service Level Agreement
RL Solutions Hosting Service Level Agreement April 2012 Table of Contents I. Context and Scope... 1 II. Defined Terms... 1 III. RL Solutions Responsibilities... 2 IV. Client Responsibilities... 4 V. The
More informationCircular to All Licensed Corporations on Information Technology Management
Circular 16 March 2010 Circular to All Licensed Corporations on Information Technology Management In the course of our supervision, it has recently come to our attention that certain deficiencies in information
More informationOFFICE OF THE STATE AUDITOR General Controls Review Questionnaire
OFFICE OF THE STATE AUDITOR Agency: * University Please answer all of the following questions. Where we ask for copies of policies and procedures and other documentation, we would prefer this in electronic
More informationDepartment of Education audit - A Case Study
Second Follow-up Audit Report on Department of Education Internal Controls Over Its Data Center 7F04-137 September 27, 2004 THE CITY OF NEW YORK OFFICE OF THE COMPTROLLER 1 CENTRE STREET NEW YORK, N.Y.
More informationInformation Technology General Controls Review (ITGC) Audit Program Prepared by:
Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationHIPAA Security COMPLIANCE Checklist For Employers
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
More informationPierianDx - Clinical Genomicist Workstation Software as a Service FAQ s
PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s Network Security Please describe the preferred connection method(s) between the PierianDx network and a healthcare organization s
More informationTEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL
TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for
More informationGuideline on risk management and other aspects of internal control in central securities depository
until further notice 1 (11) Applicable to central securities depositories Guideline on risk management and other aspects of internal control in central securities depository By virtue of section 4, paragraph
More informationHow To Control Vcloud Air From A Microsoft Vcloud 1.1.1 (Vcloud)
SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationManaged Services. Business Intelligence Solutions
Managed Services Business Intelligence Solutions Business Intelligence Solutions provides an array of strategic technology services for life science companies and healthcare providers. Our Managed Services
More informationDESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the
More informationECSA EuroCloud Star Audit Data Privacy Audit Guide
ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationHIPAA Information Security Overview
HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is
More informationPREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:
A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine
More informationSRA International Managed Information Systems Internal Audit Report
SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...
More informationBEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
More information6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING
6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING The following is a general checklist for the audit of Network Administration and Security. Sl.no Checklist Process 1. Is there an Information
More informationCUNY SCHOOL OF PROFESSIONAL STUDIES: DEPARTMENTAL RETENTION SCHEDULE 4/7/2014 OFFICE OF INFORMATION TECHNOLOGY
IT-1 Contracts/ Software Licenses/ Use Agreements General 6[6] IT-2 CUNY SCHOOL OF PROFESSIONAL STUDIES: DEPARTMENTAL RETENTION SCHEDULE 4/7/2014 CUNY-CIS Information Security Procedures Attestation Forms
More informationInformation Systems Security Assessment
Physical Security Information Systems Security Assessment 1. Is the server protected from environmental damage (fire, water, etc.)? Ideal Answer: YES. All servers must be housed in such a way as to protect
More informationGuideline on risk management and other aspects of internal control in stock exchange
until further notice 1 (11) Applicable to stock exchanges Guideline on risk management and other aspects of internal control in stock exchange By virtue of section 4, paragraph 2, of the Act on the Financial
More informationIT Sr. Systems Administrator
IT Sr. Systems Administrator Location: [North America] [United States] [Monrovia] Category: Information Technology Job Type: Open-ended, Full-time PURPOSE OF POSITION: Systems Administrators and Engineers
More informationAUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM
GENERAL: The Technology department is responsible for the managing of electronic devices and software for the District, as well as the Help Desk for resolution of employee-created help tickets. The subgroups
More informationHow To Ensure The C.E.A.S.A
APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT TUGeneral TUSecurity TURequirements TUDesign TUIntegration
More informationExhibit to Data Center Services Service Component Provider Master Services Agreement
Exhibit to Data Center Services Service Component Provider Master Services Agreement DIR Contract No. DIR-DCS-SCP-MSA-002 Between The State of Texas, acting by and through the Texas Department of Information
More informationInformation System Audit Report Office Of The State Comptroller
STATE OF CONNECTICUT Information System Audit Report Office Of The State Comptroller AUDITORS OF PUBLIC ACCOUNTS KEVIN P. JOHNSTON ROBERT G. JAEKLE TABLE OF CONTENTS EXECUTIVE SUMMARY...1 AUDIT OBJECTIVES,
More informationNetwork & Information Security Policy
Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk
More informationDisaster Recovery and Business Continuity Plan
Disaster Recovery and Business Continuity Plan Table of Contents 1. Introduction... 3 2. Objectives... 3 3. Risks... 3 4. Steps of Disaster Recovery Plan formulation... 3 5. Audit Procedure.... 5 Appendix
More informationUMHLABUYALINGANA MUNICIPALITY IT PERFORMANCE AND CAPACITY MANAGEMENT POLICY
UMHLABUYALINGANA MUNICIPALITY IT PERFORMANCE AND CAPACITY MANAGEMENT POLICY Originator: IT Performance and Capacity Management Policy Approval and Version Control Approval Process: Position or Meeting
More informationAn Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance
An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security
More information15 Organisation/ICT/02/01/15 Back- up
15 Organisation/ICT/02/01/15 Back- up 15.1 Description Backup is a copy of a program or file that is stored separately from the original. These duplicated copies of data on different storage media or additional
More informationINCIDENT RESPONSE CHECKLIST
INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged
More informationUpdating the International Standard Classification of Occupations (ISCO) Draft ISCO-08 Group Definitions: Occupations in ICT
InternationalLabourOrganization OrganisationinternationaleduTravail OrganizaciónInternacionaldelTrabajo Updating the International Standard Classification of Occupations (ISCO) Draft ISCO-08 Group Definitions:
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationSupplier IT Security Guide
Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA
More informationVMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the
More informationSITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA
SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...
More informationTechnical Standards for Information Security Measures for the Central Government Computer Systems
Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...
More informationAPPENDIX 3 TO SCHEDULE 3.3 SECURITY SERVICES SOW
EHIBIT H to Amendment No. 60 APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT SECURITY SERVICES SOW EHIBIT H to Amendment No. 60 Table of Contents 1.0 Security Services Overview
More informationUnified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
More informationRSA Authentication Manager 7.1 Security Best Practices Guide. Version 2
RSA Authentication Manager 7.1 Security Best Practices Guide Version 2 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks
More informationMaster Document Audit Program
Activity Code 11510 B-1 Planning Considerations Information Technology General System Controls Audit Specific Independence Determination Members of the audit team and internal specialists consulting on
More informationPA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing
for Sage MAS 90 and 200 ERP Credit Card Processing Version 4.30.0.18 and 4.40.0.1 - January 28, 2010 Sage, the Sage logos and the Sage product and service names mentioned herein are registered trademarks
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationSECTION 15 INFORMATION TECHNOLOGY
SECTION 15 INFORMATION TECHNOLOGY 15.1 Purpose 15.2 Authorization 15.3 Internal Controls 15.4 Computer Resources 15.5 Network/Systems Access 15.6 Disaster Recovery Plan (DRP) 15.1 PURPOSE The Navajo County
More informationSample Career Ladder/Lattice for Information Technology
Click on a job title to see examples of descriptive information about the job. Click on a link between job titles to see the critical development experiences needed to move to that job on the pathway.
More informationInformation Technology Branch Access Control Technical Standard
Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,
More informationAutodesk PLM 360 Security Whitepaper
Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure
More informationMCR Checklist for Automated Information Systems (Major Applications and General Support Systems)
MCR Checklist for Automated Information Systems (Major Applications and General Support Systems) Name of GSS or MA being reviewed: Region/Office of GSS or MA being reviewed: System Owner: System Manager:
More informationOVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii
The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationPrint4 Solutions fully comply with all HIPAA regulations
HIPAA Compliance Print4 Solutions fully comply with all HIPAA regulations Print4 solutions do not access, store, process, monitor, or manage any patient information. Print4 manages and optimize printer
More informationTom J. Hull & Company Type 1 SSAE 16 2014
Tom J. Hull & Company Type 1 SSAE 16 2014 REPORT ON MANAGEMENT S DESCRIPTION OF TOM J. HULL & COMPANY S SYSTEM AND THE SUITABILITY OF THE DESIGN OF CONTROLS Pursuant to Statement on Standards for Attestation
More informationMusic Recording Studio Security Program Security Assessment Version 1.1
Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND
More informationSWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific
More informationOPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,
More informationPCI DSS Requirements - Security Controls and Processes
1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data
More informationVIRGINIA STATE UNIVERSITY RISK ANALYSIS SURVEY INFORMATION TECHNOLOGY
ASSESSABLE UNIT: ENTER THE NAME OF YOUR ASSESSABLE UNIT HERE BUSINESS PROCESS: ENTER YOUR BUSINESS PROCESS HERE BANNER INDEX CODE: ENTER YOUR BANNER INDEX CODE HERE Risk: If you monitor the activity and
More informationBecoming PCI Compliant
Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History
More informationTECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control
More informationIndiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002
Indiana University of Pennsylvania Information Assurance Guidelines Approved by the Technology Utilities Council 27-SEP-2002 1 Purpose... 2 1.1 Introduction... 2 1.1.1 General Information...2 1.1.2 Objectives...
More informationOffice of the State Controller. Self-Assessment of Internal Controls. Computer Security Cycle. Objectives and Risks
Office of the State Controller Self-Assessment of Internal Controls Computer Security Cycle Objectives and Risks Agency Year-End Objectives Risks Definition and communication of organizational structure,
More informationDHHS Information Technology (IT) Access Control Standard
DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of
More informationWhite Paper. BD Assurity Linc Software Security. Overview
Contents 1 Overview 2 System Architecture 3 Network Settings 4 Security Configurations 5 Data Privacy and Security Measures 6 Security Recommendations Overview This white paper provides information about
More informationRESPONSIBLE COMPUTER USE POLICY (ADOPTED AUGUST 3, 2006)
RESPONSIBLE COMPUTER USE POLICY (ADOPTED AUGUST 3, 2006) on-line at www.ccc.edu I. INTRODUCTION All users shall abide by the following provisions contained herein, or otherwise may be subject to disciplinary
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationThe first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process.
CIPS Overview Introduction The reliability of the energy grid depends not only on physical assets, but cyber assets. The North American Electric Reliability Corporation (NERC) realized that, along with
More informationAPPENDIX 8 TO SCHEDULE 3.3
EHIBIT Q to Amendment No. 60 - APPENDI 8 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT APPENDI 8 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT EHIBIT Q to Amendment No.
More informationPayment Card Industry Self-Assessment Questionnaire
How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.
More informationDecision on adequate information system management. (Official Gazette 37/2010)
Decision on adequate information system management (Official Gazette 37/2010) Pursuant to Article 161, paragraph (1), item (3) of the Credit Institutions Act (Official Gazette 117/2008, 74/2009 and 153/2009)
More informationClassification: Computer Information Technology Specialist II (CITS II) Information Security Unit Title Code: V08005 Pay Range: 33
Classification: Computer Information Technology Specialist II (CITS II) Information Security Unit Pay Range: 33 POSITION SUMMARY: The position provides professional and advanced technical expertise as
More information