Main Reference: Hall, James A. 2011. Information Technology Auditing and Assurance, 3rd Edition, Florida, USA: Auerbach Publications


Suggested References:
- Senft, Sandra; Gallegos, Frederick. Information Technology Control and Audit. Third edition. Auerbach Publications
- Davis, Chris. IT Auditing: Using Controls to Protect Information Assets. McGraw-Hill

Introduction to IT Audit and Control
- Information Technology Environment: Why Are Controls and Audit Important?
- Legal Environment and Its Impact on Information Technology
- Audit and Review: Its Role in Information Technology
- Audit Process in an Information Technology Environment

Organizing the IT Function
- The IT function must be organized and structured.
- The IT manager must define the role and articulate the value of the IT function.
- Configuration within a company depends on external and internal organizational factors.
- Sound internal controls are essential to the structural framework.

Designing the IT Function
- The ultimate structure of the IT function is often determined by cultural, political and economic forces inherent in each organization.
- Keep separate from one another: systems development, computer operations, computer security.

Systems Development
- Staff has access to operating systems, business applications and other key software.
- Systems developers are authorized to create and alter software logic; therefore they should not be allowed to process information.
- They should not maintain custody of corporate data and business applications.

Computer Operations
- Operations staff are responsible for:
  - Entering data (similar to the internal control concept of authorizing transactions)
  - Processing information (similar to the internal control concept of recording transactions)
  - Disseminating output (similar to the internal control concept of maintaining custody)
- These duties must be segregated.

Computer Security
- Responsible for the safe-keeping of resources, including ensuring that business software applications are secure.
- Responsible for the safety (custody) of corporate information, communication networks and physical facilities.
- Systems analysts and programmers should not have access to the production library.

IT Organization Function (organization chart)
- IT Function Manager, with four managers reporting: Systems Development Manager (a), Computer Operations Manager (b), Computer Security Manager (c), User Services Manager.
- Subfunctions shown on the chart, in the order they appear: Systems Analysis (a), Data Input (a), Software Security, Technical Support, Computer Programming (b), Database Administration (c), Quality Control, Information Processing (b), Information Output (c), Continuity of Operations, Information Security, Network Security, Physical Security, Application Support, User Training, Help Desk.

IT Auditors' Examination of the IT Function
- Auditors should ensure that systems developers and computer operators are segregated.
- It is also advisable for the IT function to form a separate security specialization to maintain custody of software applications and corporate data.

Funding the IT Function
- Must be adequately funded to fulfill strategic objectives.
- Business risk of under-funding: the needs and demands of customers, vendors, employees and other stakeholders will go unfulfilled, which can adversely impact the success of the company.
- Audit risk of under-funding: heavy workloads can lead to a culture of working around the system of internal controls.

Two Funding Approaches
1. Cost Center Approach
- Submit a detailed budget to upper management.
- Justify each line item.
- Use the IT function scorecard approach: operational performance, user satisfaction, adaptability and scalability, organizational contribution.
2. Profit Center Approach
- Submit a detailed budget to upper management.
- Charge internal users for services through intracompany billing.
- Positive outcome: managers will not be overly demanding of IT services.
- Negative outcome: IT can build excessive expenses into billing rates until the rates exceed the costs of outside providers.

Acquiring IT Resources
- The IT manager should justify IT capital projects using a methodological approach.
- Determine the net benefit: present value of benefits minus costs.
- Use the scorecard approach for non-quantifiable paybacks.

Controlling the IT Function
- The major control categories involved in the IT function are: security, input, processing, output, databases, backup and recovery.
- Each of these categories is intended to minimize business and audit risk via internal controls.

Security Controls
- Secure the computing infrastructure from internal and external threats.
- A compromise of the infrastructure can result in:
  - Business risk: network downtime, database corruption
  - Audit risk: material misstatements in accounts due to incomplete or inaccurate data capturing

Physical Security
- Focuses on keeping facilities, computers, communication equipment and other tangible aspects of the computing infrastructure safe from harm.

Physical Security: Access Restriction
- Only authorized personnel should be allowed into the facility.
- Visitors should be accompanied by authorized personnel at all times.
- Use at all ingress and egress points: security guards, keys and locks, card readers, biometric devices.
- Penetration points should be adequately secured.

Physical Security: Monitor Access
- Monitor who is entering, roaming and leaving the facility: security guards, video cameras, penetration alarms.
- Review access evidence: signage log (paper or electronic); formal review procedures in place.

Physical versus logical controls, by security issue:

Security issue: Access controls
  Physical controls: security guards; locks and keys; biometric devices
  Logical controls: IDs and passwords; authorization matrix; firewalls and encryption

Security issue: Monitor controls
  Physical controls: security guards; video cameras; penetration alarms
  Logical controls: access logs; supervisory oversight; penetration alarms

Security issue: Review controls
  Physical controls: formal reviews; signage logs; violation investigations
  Logical controls: formal reviews; activity logs; violation investigations

Security issue: Penetration tests
  Physical controls: unauthorized attempts to enter IT facilities; attempts to break in through vulnerable points; as an authorized visitor, attempts to leave authorized personnel and wander around the facility without oversight
  Logical controls: unauthorized attempts to enter servers and networks; attempts to override access controls (hacking); as an authorized user, attempts to use unauthorized applications and view unauthorized information

Physical Security: Communication and Power Lines
- The IT manager should monitor the primary communication and power lines via cameras and guards, and install secondary (backup) lines in case the primary lines fail.
- The contingency plan must address the possible failure of lines.

Physical Security: Off-Site Equipment
- Equipment located in other places needs to be monitored in the same way.
- An effective backup plan must be in place.

Logical Security
- Data and software are known as the logical components of the infrastructure: corporate data; computer software (user applications, network systems, communication systems, operating systems).

Sample Authorization Matrix (dated 1/29/2012)
- One sheet per user: User #1, User #2, User #3, each identified by [ID = XXXXX, Password = YYYYY].
- Rows: Information (A/R, A/P) and Applications (Customers, Vendors, Sales, Purchasing, Receipts, Payments).
- Columns: the privileges Add, Edit, Read and Delete for each application; an "x" in a cell marks a privilege granted to that user.

Logical Security
- Physical controls: most corporate data and software are located on computers, servers and storage devices.
- Computer-controlled access, monitor and review systems.
- Diagram: a computer terminal supplies an authorized ID and password before reaching the Internet or the system.

Logical Security: Points of Entry
- Controls need to cover external access points.
- Firewalls.
- Track failed attempts to enter the system.

Logical Security: Access and Monitor Systems
- Supervisory oversight
- Penetration alarms
- Track usage patterns
- Report failed attempts
- Formal review procedure

Information Controls
- Controls need to be in place and working effectively to ensure the integrity and accuracy of vital decision-making information.
- Must integrate sound backup controls.

Information Controls: Input Controls
- The company must have and follow written procedures regarding the proper authorization, approval and input of accounting transactions.
- These are incompatible functions; they should be carefully segregated, to the extent possible, and controlled.

Information Controls: Input Controls, Scenario #1 of 3
- A customer purchases goods at a store counter (authorizing the sale).
- A cashier records the sale on the cash register (approving the sale; balances the register; logs into the register with an ID).
- An accounting clerk later processes cash register sales in batches (inputs sales transactions into the accounting system in batches).

Information Controls: Input Controls, Scenario #2 of 3
- Same as scenario #1, except the cash register automatically records the sale into the accounting system.

Process Controls
- Validating
- Error handling
- Updating

Database Controls
- Database processing involves simultaneous updating of multiple tables.
- Multiple tables and data items can be instantaneously corrupted when an interruption occurs.

Database Controls: Why Corruption Is So Quick
1. Related tables are inexorably linked to one another.
2. Update routines often incorporate one or more of the following processing techniques:
- Multi-tasking: the computer executes more than one task (program) at a time.
- Multi-processing: multiple CPUs simultaneously execute interdependent tasks (programs).
- Multi-threading: a computer executes multiple parts of a program (threads) at one time.

Database Controls: Roll-back and Recovery
- Databases operate on a transaction principle: a logical unit of work is considered a transaction.
- The processing of a transaction takes the database from an initial state to an altered state, to the new initial state.
- Each step must be completed. Any failure will result in database corruption.
- When there is an interruption, the database management system (DBMS) begins to restore. There are numerous technical processes depending on the DBMS in use.

Database Controls: Roll-back and Recovery, Basic Recovery
- A unique identifier tags each transaction.
- An activity log tracks the transaction as it processes.
- After an interruption, the DBMS identifies the transactions in process.
- A roll-back procedure is performed: uncompleted transactions are placed back into the queue.
- Recovery takes place.

Database Controls: Concurrency Control
- Problems arise when multiple users attempt to update the same data item simultaneously, or when one user is updating while another user is reading the same data item.
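The basic recovery steps above (unique transaction ids, an activity log, identify the transactions in process, roll them back and re-queue them) as an added example that is not code from Hall's book or the slides. The log format, the tables and the sale/receipt values are constructed assumptions; a real DBMS keeps the same information in its own log structures.

```python
"""Basic roll-back and recovery from a transaction activity log.

Added example, not from Hall's book or the slides. Each transaction carries a
unique id, the activity log records every step, and after an interruption the
DBMS finds transactions still in process, rolls them back (restoring old
values) and re-queues them, while committed work is re-applied.
Tables, keys and values are constructed sample data.
"""

def recover(log, db):
    """Replay `log` against `db` (dict of table -> dict of key -> row).

    Log record shapes:
      ("BEGIN", txid)
      ("UPDATE", txid, table, key, old_value, new_value)   # old_value None = insert
      ("COMMIT", txid)
    Returns (recovered_db, requeue); requeue lists the uncompleted transactions.
    """
    begun, committed = [], set()
    for rec in log:
        if rec[0] == "BEGIN":
            begun.append(rec[1])
        elif rec[0] == "COMMIT":
            committed.add(rec[1])
    in_process = [t for t in begun if t not in committed]

    # Redo phase: committed updates are re-applied in log order so that work
    # completed before the interruption survives it even if it never hit disk.
    for rec in log:
        if rec[0] == "UPDATE" and rec[1] in committed:
            _, _, table, key, _old, new = rec
            db.setdefault(table, {})[key] = new

    # Undo phase: updates of uncompleted transactions are reversed in reverse
    # log order, restoring the value that was there before each step.
    for rec in reversed(log):
        if rec[0] == "UPDATE" and rec[1] in in_process:
            _, _, table, key, old, _new = rec
            if old is None:
                db.get(table, {}).pop(key, None)   # row was inserted by this tx
            else:
                db.setdefault(table, {})[key] = old
    return db, in_process


def sample_log():
    """Constructed log: T1 commits a sale and its receivable; T2 is interrupted mid-update."""
    return [
        ("BEGIN", "T1"),
        ("UPDATE", "T1", "sales", "S100", None, {"amount": 250}),
        ("UPDATE", "T1", "customers", "C7", {"balance": 0}, {"balance": 250}),
        ("COMMIT", "T1"),
        ("BEGIN", "T2"),
        ("UPDATE", "T2", "customers", "C7", {"balance": 250}, {"balance": 0}),
        ("UPDATE", "T2", "receipts", "R55", None, {"amount": 250}),
        # interruption here: T2 never wrote COMMIT
    ]


def crashed_state():
    """What the on-disk tables looked like at the interruption: T2 half-applied."""
    return {
        "sales": {"S100": {"amount": 250}},
        "customers": {"C7": {"balance": 0}},   # T2's first update reached disk
        "receipts": {},                        # T2's second update did not
    }


if __name__ == "__main__":
    db, requeue = recover(sample_log(), crashed_state())
    print(db, "re-queue:", requeue)
```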

Database Controls: Concurrency Control
- A common way to prevent concurrency problems is to lock a database object while it is in use and release the object upon completion.
- The DBMS can determine which operation to perform in what order, as it timestamps each transaction when the processing request is initiated.

Database Controls: Concurrency Control, Levels of Granularity
- Coarse level: the database is locked during updates. No one can use the database until the update is complete.
- Moderate level: the database locks at the tuple (record) level. No one else can use the record until the update is finished.
- Fine level: the database locks at the attribute (field) level. Only the field being updated is locked.

Database Controls: Concurrency Control, Levels of Granularity
- Tradeoff: there is an inverse relationship between the granularity level and system performance. A lower level of granular locking equates to slower computer performance.

Output Controls
- Only properly authorized parties can request certain output: computer screens, printed reports.
- Such logical access control is accomplished via the ID-password authorization matrix procedure.
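The three locking granularities and the timestamp ordering of slides 21 and 22, simulated as an added example (not code from Hall's book or the slides). It shows both sides of the tradeoff on one constructed workload: how many transactions can proceed at once, and how many lock objects the DBMS has to manage at each level. The `Update` record and the workload are constructed assumptions.

```python
"""Lock granularity simulation: coarse (database), moderate (record), fine (field).

Added example, not from Hall's book or the slides. Each update names the
record and field it touches; the lock manager maps that to a lock object at
the chosen granularity and grants locks in timestamp order. The workload is
constructed sample data.
"""
from dataclasses import dataclass

LEVELS = ("coarse", "moderate", "fine")


@dataclass(frozen=True)
class Update:
    txid: str
    timestamp: int     # assigned when the processing request is initiated
    table: str
    record: str
    field: str


def lock_key(update, level):
    """Map an update to the object that must be locked at this granularity."""
    if level == "coarse":
        return ("db",)
    if level == "moderate":
        return ("db", update.table, update.record)
    if level == "fine":
        return ("db", update.table, update.record, update.field)
    raise ValueError(f"unknown granularity level: {level}")


def schedule(updates, level):
    """Grant locks in timestamp order; a tx whose object is already held must wait.

    Returns (running, waiting, locks_managed): ids that obtained their lock,
    ids blocked behind an earlier transaction, and the number of lock objects
    the DBMS had to track (the overhead side of the tradeoff).
    """
    held = {}   # lock key -> owning txid
    running, waiting = [], []
    for u in sorted(updates, key=lambda u: u.timestamp):
        key = lock_key(u, level)
        owner = held.get(key)
        if owner is None or owner == u.txid:
            held[key] = u.txid
            if u.txid not in running:
                running.append(u.txid)
        elif u.txid not in waiting:
            waiting.append(u.txid)
    return running, waiting, len(held)


def constructed_workload():
    """T1 and T2 update different fields of the same customer record; T3 a different record."""
    return [
        Update("T1", 1, "customers", "C7", "balance"),
        Update("T2", 2, "customers", "C7", "credit_limit"),
        Update("T3", 3, "customers", "C9", "balance"),
    ]


def compare_levels(updates):
    """Concurrency (transactions running) and overhead (locks managed) at each level."""
    return {level: {"running": len(schedule(updates, level)[0]),
                    "locks": schedule(updates, level)[2]} for level in LEVELS}


if __name__ == "__main__":
    for level, stats in compare_levels(constructed_workload()).items():
        print(level, stats)
```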

Output Controls: Computer Screens
- Screens need to be physically secure when output is visible.
- Output should be removed when the user leaves the terminal.
- Returning to the screen should require a password.

Output Controls: Printed Reports
- Printer rooms need a trail of accountability: locks to prevent unauthorized access; logs to sign in anyone entering; logs to sign for reports.
- End-user report requests should be password protected.
- Network printers should be placed where unauthorized persons will not have access.

Output Controls: Printed Reports
- Must have record retention and destruction policies, mandated by a regulatory agency or dictated by company policy.
- Permanent reports must be kept in a secured area.
- Temporary reports must be properly destroyed.

Continuity Controls
- Must develop and follow a sound backup strategy to prevent disruption of business activity due to computer failures and disasters.
- Two key considerations: downtime and cost. Shorter downtime requirements equate to higher backup costs.

Continuity Controls: Backup Controls, Data Backup
- Slow company: can survive for days without its computer system. Would perform a full backup each week.
- Medium company: must be back on computers the same day. Would perform weekly full backups and daily incremental backups.
- Fast company: must be back on computers within hours. Needs daily full backups and hourly incremental backups.
- Lightning company: must be back on computers within minutes. Needs real-time backup: simultaneous updating on a remote computer.
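The four backup profiles above, and the downtime-versus-cost tradeoff of the preceding slide, as an added example (not code from Hall's book or the slides). For a failure at a given hour it lists the backups that must be restored (the last full plus every incremental after it), the hours of work lost, and the number of backup jobs each policy runs per week as a cost proxy. Hour values and the policy table are constructed assumptions.

```python
"""Backup policy versus data loss and backup cost, for the four company profiles.

Added example, not from Hall's book or the slides. Hour 0 is the first full
backup; a failure at hour h loses everything after the last backup taken at
or before h. Policies and failure times are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

HOURS_PER_WEEK = 168


@dataclass(frozen=True)
class Policy:
    name: str
    full_every_h: Optional[int]   # None = real-time replication to a remote computer
    incr_every_h: Optional[int]   # None = no incremental backups


POLICIES = {
    "slow":      Policy("slow", 168, None),        # weekly full
    "medium":    Policy("medium", 168, 24),        # weekly full + daily incremental
    "fast":      Policy("fast", 24, 1),            # daily full + hourly incremental
    "lightning": Policy("lightning", None, None),  # simultaneous remote update
}


def restore_chain(policy, failure_h):
    """Return (backups_to_restore, hours_of_data_lost) for a failure at failure_h."""
    if policy.full_every_h is None:
        return [("realtime", failure_h)], 0          # nothing to replay, nothing lost
    last_full = int(failure_h // policy.full_every_h) * policy.full_every_h
    chain = [("full", last_full)]
    last_point = last_full
    if policy.incr_every_h is not None:
        t = last_full + policy.incr_every_h
        while t <= failure_h:                        # every incremental after the full
            chain.append(("incremental", t))
            last_point = t
            t += policy.incr_every_h
    return chain, failure_h - last_point


def jobs_per_week(policy):
    """Backup jobs run per week: the cost side of the tradeoff."""
    if policy.full_every_h is None:
        return float("inf")                          # continuous replication
    fulls = HOURS_PER_WEEK // policy.full_every_h
    if policy.incr_every_h is None:
        return fulls
    slots = HOURS_PER_WEEK // policy.incr_every_h    # hours with a full are not incrementals
    return fulls + (slots - fulls)


def compare_all(failure_h):
    """Hours lost per policy for one failure time."""
    return {name: restore_chain(p, failure_h)[1] for name, p in POLICIES.items()}


if __name__ == "__main__":
    for name, p in POLICIES.items():
        chain, lost = restore_chain(p, 200.5)
        print(f"{name:10s} lost={lost:5.1f}h  restore {len(chain)} backup(s)  jobs/week={jobs_per_week(p)}")
```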

Continuity Controls: Storage Location and Hardware Redundancy, Physical Vaulting
- One backup on-site, one off-site.
- The on-site copy is readily accessible if there is no disaster.
- The off-site copy is retrievable if there is a disaster.
- This strategy involves more time and money.

Continuity Controls: Storage Location and Hardware Redundancy, Electronic Vaulting
- Send backup data over a communications network (such as the Internet) to an off-site storage medium: send to the home of an employee; send to another company location; purchase an outside service.
- Costs and accessibility are considerations.

Continuity Controls: Storage Location and Hardware Redundancy, Hardware Backup
- Usually needed for component failures: power supplies; anything with moving parts.
- There are 3 common configurations for redundant storage devices: Redundant Array of Independent Disks (RAID); Network Attached Storage (NAS); Server Area Network (SAN).

Continuity Controls: Redundant Array of Independent Disks (RAID)
- Disk mirroring: data is simultaneously written to the primary disk and one or more redundant disks.
- Disk striping: an array of at least three, but usually five, disks is established and a scheme of parity checks is utilized; if one disk drive in the array fails, the remaining drives can reconstruct the data on the failed drive and continue processing.

RAID Mirroring and Striping (diagram)
- Disk mirroring (RAID): duplicate recording on a single mirrored disk.
- Disk striping (RAID): duplicate recording on an array of disks.
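The parity scheme behind disk striping, as an added example (not code from Hall's book or the slides): a five-disk array of the kind the slide mentions, four data stripes plus one parity stripe per row, where the parity is the XOR of the data stripes, so any single failed drive can be rebuilt from the other four. Stripe size and the payload are constructed assumptions; a second simultaneous failure is shown to be unrecoverable with single parity.

```python
"""Disk striping with single parity: rebuilding one failed drive.

Added example, not from Hall's book or the slides. Five disks per row: four
hold data stripes, the last holds their XOR. Losing any one disk (data or
parity) is recoverable; losing two is not. The payload is constructed.
"""
from functools import reduce


def xor_bytes(blocks):
    """Byte-wise XOR of equal-length byte strings."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def stripe(data, n_disks=5, stripe_size=4):
    """Split data across n_disks-1 data disks, writing a parity stripe to the last disk.

    Returns a list of n_disks entries, each a list of per-row stripes.
    """
    n_data = n_disks - 1
    row_bytes = n_data * stripe_size
    data = data + b"\x00" * (-len(data) % row_bytes)       # pad to whole rows
    disks = [[] for _ in range(n_disks)]
    for off in range(0, len(data), row_bytes):
        row = data[off:off + row_bytes]
        chunks = [row[i:i + stripe_size] for i in range(0, row_bytes, stripe_size)]
        for d, chunk in enumerate(chunks):
            disks[d].append(chunk)
        disks[n_data].append(xor_bytes(chunks))             # parity for this row
    return disks


def reconstruct(disks, failed):
    """Rebuild disk `failed` (None in `disks`) from the survivors.

    Works for a data disk or the parity disk alike; raises if a second disk
    is also missing, because single parity only covers one failure.
    """
    survivors = [d for i, d in enumerate(disks) if i != failed]
    if any(d is None for d in survivors):
        raise ValueError("more than one failed disk: single parity cannot recover")
    return [xor_bytes(row) for row in zip(*survivors)]


def read_back(disks, length, n_disks=5):
    """Reassemble the original payload from the data disks (all must be present)."""
    if any(d is None for d in disks[:n_disks - 1]):
        raise ValueError("a data disk is missing; reconstruct it first")
    out = b"".join(b"".join(row) for row in zip(*disks[:n_disks - 1]))
    return out[:length]


if __name__ == "__main__":
    payload = b"Accounts receivable ledger 2012"      # constructed sample
    array = stripe(payload)
    lost = array[2]
    array[2] = None                                    # drive 2 fails
    array[2] = reconstruct(array, 2)
    print(array[2] == lost, read_back(array, len(payload)))
```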

Continuity Controls: Network Attached Storage (NAS)
- Integrates one or more storage devices (NAS appliances) into the local area network (LAN).
- Comprised of one or more disk drives and an internal controller.
- Employs RAID technology to ensure hardware redundancy.
- Can be shared by multiple users on the network.
- Appliances are relatively affordable and scalable.
- Diagram: a printer, User #1, User #2, a scanner and the NAS appliance all attached to the LAN.

Continuity Controls: Server Area Network (SAN)
- Expands NAS to wide area networks (WAN).
- A SAN is a dedicated network.
- A SAN can be linked to multiple LANs.
- Multiple SANs can be simultaneously utilized.
- A SAN can be expensive and technically complicated.
- Capable of handling very high volumes.
- A SAN is a great solution for large companies.
- A SAN is designed to be very fault tolerant.
- Diagram: Wide Area Network, Input-Output Controller, four Disk Storage units.

Disaster Recovery Controls
- The first step is to plan for various disaster scenarios:
  a) a single server is damaged
  b) an entire company site is demolished
  c) multiple company locations are simultaneously struck by disaster
  d) the entire company is destroyed
- IT managers and auditors should plan for what, who, when, where, how, which and why:
  - What: determine what just happened.
  - Who: specify who to contact, in what order, and what they are expected to do.
  - When: when to enact the remainder of the contingency plan.

Disaster Recovery Controls (continued)
- Where: where to transfer the lost computer processing load.
  - Plan to shift to one or more alternate company locations.
  - Establish contractual relationships with peer companies in the same industry: affordable, but your needs may not be their priority; compatibility problems with operating systems.
  - Establish contractual relationships with third-party providers of alternate computing sites.

Disaster Recovery Controls: Three Levels of Alternate Site
1. Cold site: includes the building and basic infrastructure. You bring your own computing equipment and establish the necessary infrastructure: telephone service, Internet connections, specialized computer cooling systems (if needed), unique power requirements.
2. Warm site: provides basic computer needs, but not the computers.
3. Hot site: ready to go, complete with computers and operating system.

Disaster Recovery Controls (continued)
- How: how is the company going to get the computer hardware, people, software and data to the alternate site?
- Which: which applications are mission critical?
- Why: why is one application or set of applications more time sensitive than another?

Disaster Recovery Controls
- All affected parties need to be involved in the planning phase.
- The disaster recovery plan is a living document. It must be reviewed and updated on a recurrent basis.
- Everyone involved should be initially trained and required to attend periodic refresher sessions.
- Portions of the recovery plan should be tested on an unannounced basis.


More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

BACKUP SECURITY GUIDELINE

BACKUP SECURITY GUIDELINE Section: Information Security Revised: December 2004 Guideline: Description: Backup Security Guidelines: are recommended processes, models, or actions to assist with implementing procedures with respect

More information

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com Security Overview Learn More: Call us at 877.634.2728. www.megapath.com Secure and Reliable Hosted Exchange Our Hosted Exchange service is delivered across an advanced network infrastructure, built on

More information

Information Systems and Technology

Information Systems and Technology As public servants, it is our responsibility to use taxpayers dollars in the most effective and efficient way possible while adhering to laws and regulations governing those processes. There are many reasons

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY The Define/Align/Approve Reference Series NEEDS BASED PLANNING FOR IT DISASTER RECOVERY Disaster recovery planning is essential it s also expensive. That s why every step taken and dollar spent must be

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

Every organization has critical data that it can t live without. When a disaster strikes, how long can your business survive without access to its

Every organization has critical data that it can t live without. When a disaster strikes, how long can your business survive without access to its DISASTER RECOVERY STRATEGIES: BUSINESS CONTINUITY THROUGH REMOTE BACKUP REPLICATION Every organization has critical data that it can t live without. When a disaster strikes, how long can your business

More information

Disaster Recovery Remote off-site Storage for single server environment

Disaster Recovery Remote off-site Storage for single server environment . White Paper Disaster Recovery Remote off-site Storage for single server environment When it comes to protecting your data there is no second chance January 1, 200 Prepared by: Bill Schmidley CompassPoint

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Local Area Networking

Local Area Networking Local Area Networking prashant.mali@cyberlawconsulting.com By Prashant Mali LAN Issues Local Area Networks evolved from stand-alone PCs Control and safety features found commonly in multi-user systems

More information

Guideline on risk management and other aspects of internal control in stock exchange

Guideline on risk management and other aspects of internal control in stock exchange until further notice 1 (11) Applicable to stock exchanges Guideline on risk management and other aspects of internal control in stock exchange By virtue of section 4, paragraph 2, of the Act on the Financial

More information

Business Continuity Planning and Disaster Recovery Planning

Business Continuity Planning and Disaster Recovery Planning Business Continuity Planning and Disaster Recovery Planning Ed Crowley IAM/IEM 1 ISC 2 Key Areas of Knowledge Understand business continuity requirements 1. Develop and document project scope and plan

More information

Guideline on risk management and other aspects of internal control in central securities depository

Guideline on risk management and other aspects of internal control in central securities depository until further notice 1 (11) Applicable to central securities depositories Guideline on risk management and other aspects of internal control in central securities depository By virtue of section 4, paragraph

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Auditing in an Automated Environment: Appendix C: Computer Operations

Auditing in an Automated Environment: Appendix C: Computer Operations Agency Prepared By Initials Date Reviewed By Audit Program - Computer Operations W/P Ref Page 1 of 1 Procedures Initials Date Reference/Comments OBJECTIVE - To document the review of the computer operations

More information

Storage Backup and Disaster Recovery: Using New Technology to Develop Best Practices

Storage Backup and Disaster Recovery: Using New Technology to Develop Best Practices Storage Backup and Disaster Recovery: Using New Technology to Develop Best Practices September 2008 Recent advances in data storage and data protection technology are nothing short of phenomenal. Today,

More information

Internal Control Deliverables. For. System Development Projects

Internal Control Deliverables. For. System Development Projects DIVISION OF AUDIT SERVICES Internal Control Deliverables For System Development Projects Table of Contents Introduction... 3 Process Flow... 3 Controls Objectives... 4 Environmental and General IT Controls...

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

Backup and Recovery. What Backup, Recovery, and Disaster Recovery Mean to Your SQL Anywhere Databases

Backup and Recovery. What Backup, Recovery, and Disaster Recovery Mean to Your SQL Anywhere Databases Backup and Recovery What Backup, Recovery, and Disaster Recovery Mean to Your SQL Anywhere Databases CONTENTS Introduction 3 Terminology and concepts 3 Database files that make up a database 3 Client-side

More information

Electronic Records Storage Options and Overview

Electronic Records Storage Options and Overview Electronic Records Storage Options and Overview www.archives.nysed.gov Objectives Understand the options for electronic records storage, including cloud-based storage Evaluate the options best suited for

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

White Paper. Regulatory Compliance and Database Management

White Paper. Regulatory Compliance and Database Management White Paper Regulatory Compliance and Database Management March 2006 Introduction Top of mind in business executives today is how to meet new regulatory compliance and corporate governance. New laws are

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

technology brief RAID Levels March 1997 Introduction Characteristics of RAID Levels

technology brief RAID Levels March 1997 Introduction Characteristics of RAID Levels technology brief RAID Levels March 1997 Introduction RAID is an acronym for Redundant Array of Independent Disks (originally Redundant Array of Inexpensive Disks) coined in a 1987 University of California

More information

Business Continuity Planning and Disaster Recovery Planning. Ed Crowley IAM/IEM

Business Continuity Planning and Disaster Recovery Planning. Ed Crowley IAM/IEM Business Continuity Planning and Disaster Recovery Planning Ed Crowley IAM/IEM 1 Goals Compare and contrast aspects of business continuity Execute disaster recovery plans and procedures 2 Topics Business

More information

Planning and Implementing Disaster Recovery for DICOM Medical Images

Planning and Implementing Disaster Recovery for DICOM Medical Images Planning and Implementing Disaster Recovery for DICOM Medical Images A White Paper for Healthcare Imaging and IT Professionals I. Introduction It s a given - disaster will strike your medical imaging data

More information

Disaster Recovery Strategies: Business Continuity through Remote Backup Replication

Disaster Recovery Strategies: Business Continuity through Remote Backup Replication W H I T E P A P E R S O L U T I O N : D I S A S T E R R E C O V E R Y T E C H N O L O G Y : R E M O T E R E P L I C A T I O N Disaster Recovery Strategies: Business Continuity through Remote Backup Replication

More information

Click on the diagram to see RAID 0 in action

Click on the diagram to see RAID 0 in action Click on the diagram to see RAID 0 in action RAID Level 0 requires a minimum of 2 drives to implement RAID 0 implements a striped disk array, the data is broken down into blocks and each block is written

More information

Enterprise Security and Risk Management Office Risk Management Services. Risk Assessment Questionnaire. March 22, 2011 Revision 1.

Enterprise Security and Risk Management Office Risk Management Services. Risk Assessment Questionnaire. March 22, 2011 Revision 1. March 22, 2011 Revision 1.5 Full_Assessment Questions_with_scoring key_03-22-2011 Page 2 of 23 Initial Release Date: March 31, 2004 Version: 1.0 Date of Last Review: March 22, 2011 Version: 1.5 Date Retired:

More information

Information Security Management: Business Continuity Planning. Presentation by Stanislav Nurilov March 9th, 2005 CS 996: Info. Sec. Mgmt.

Information Security Management: Business Continuity Planning. Presentation by Stanislav Nurilov March 9th, 2005 CS 996: Info. Sec. Mgmt. Information Security Management: Business Continuity Planning Presentation by Stanislav Nurilov March 9th, 2005 CS 996: Info. Sec. Mgmt. Overview BCP: Definition BCP: Need for (Why?) BCP: When BCP: Who

More information

OIG. Improvements Are Needed for Information Technology Controls at the Las Vegas Finance Center. Audit Report OFFICE OF INSPECTOR GENERAL

OIG. Improvements Are Needed for Information Technology Controls at the Las Vegas Finance Center. Audit Report OFFICE OF INSPECTOR GENERAL OIG OFFICE OF INSPECTOR GENERAL Catalyst for Improving the Environment Audit Report Improvements Are Needed for Information Technology Controls at the Las Vegas Finance Center Report No. 2003-P-00011 May

More information

3.11 System Administration

3.11 System Administration 3.11 The functional area is intended to contribute to the overall flexibility, efficiency, and security required for operating and maintaining the system. Depending on the architecture of the system, system

More information

2.2 INFORMATION SERVICES Documentation of computer services, computer system management, and computer network management.

2.2 INFORMATION SERVICES Documentation of computer services, computer system management, and computer network management. 3 Audit Trail Files Data generated during the creation of a master file or database, used to validate a master file or database during a processing cycle. GS 14020 Retain for 3 backup cycles Computer Run

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM Las Vegas Datacenter Overview Product Overview and Data Sheet Product Data Sheet Maintaining a Software as a Service (SaaS) environment with market leading availability and security is something that Active

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Using RAID6 for Advanced Data Protection

Using RAID6 for Advanced Data Protection Using RAI6 for Advanced ata Protection 2006 Infortrend Corporation. All rights reserved. Table of Contents The Challenge of Fault Tolerance... 3 A Compelling Technology: RAI6... 3 Parity... 4 Why Use RAI6...

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine

More information

ADDENDUM 2 TO APPENDIX 1 TO SCHEDULE 3.3

ADDENDUM 2 TO APPENDIX 1 TO SCHEDULE 3.3 ADDENDUM 2 TO APPENDIX 1 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT Overview EXHIBIT E to Amendment No. 60 The Disaster Recovery (DR) Services, a Tier-Level DR Solution, addresses the

More information

7Seven Things You Need to Know About Long-Term Document Storage and Compliance

7Seven Things You Need to Know About Long-Term Document Storage and Compliance 7Seven Things You Need to Know About Long-Term Document Storage and Compliance Who Is Westbrook? Westbrook Technologies, based in Branford on the Connecticut coastline, is an innovative software company

More information

CUNY SCHOOL OF PROFESSIONAL STUDIES: DEPARTMENTAL RETENTION SCHEDULE 4/7/2014 OFFICE OF INFORMATION TECHNOLOGY

CUNY SCHOOL OF PROFESSIONAL STUDIES: DEPARTMENTAL RETENTION SCHEDULE 4/7/2014 OFFICE OF INFORMATION TECHNOLOGY IT-1 Contracts/ Software Licenses/ Use Agreements General 6[6] IT-2 CUNY SCHOOL OF PROFESSIONAL STUDIES: DEPARTMENTAL RETENTION SCHEDULE 4/7/2014 CUNY-CIS Information Security Procedures Attestation Forms

More information

IIABSC 2015 - Spring Conference

IIABSC 2015 - Spring Conference IIABSC 2015 - Spring Conference Cyber Security With enough time, anyone can be hacked. There is no solution that will completely protect you from hackers. March 11, 2015 Chris Joye, Security + 1 2 Cyber

More information

Appendix VIII SAS 70 Examinations of EBT Service Organizations

Appendix VIII SAS 70 Examinations of EBT Service Organizations Appendix VIII SAS 70 Examinations of EBT Service Organizations Background States must obtain an examination by an independent auditor of the State electronic benefits transfer (EBT) service providers (service

More information

BKDconnect Security Overview

BKDconnect Security Overview BKDconnect Security Overview 1 Introduction 1.1 What is BKDconnect 1.2 Site Creation 1.3 Client Authentication and Access 2 Security Design 2.1 Confidentiality 2.1.1 Least Privilege and Role Based Security

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Perforce Backup Strategy & Disaster Recovery at National Instruments

Perforce Backup Strategy & Disaster Recovery at National Instruments Perforce Backup Strategy & Disaster Recovery at National Instruments Steven Lysohir National Instruments Perforce User Conference April 2005-1 - Contents 1. Introduction 2. Development Environment 3. Architecture

More information

Making the leap to the cloud: IS my data private and secure?

Making the leap to the cloud: IS my data private and secure? Making the leap to the cloud: IS my data private and secure? tax & accounting MAKING THE LEAP TO THE CLOUD: IS MY DATA PRIVATE AND SECURE? Cloud computing: What s in it for me? The more you know about

More information

Building a Disaster Recovery Program By: Stieven Weidner, Senior Manager

Building a Disaster Recovery Program By: Stieven Weidner, Senior Manager Building a Disaster Recovery Program By: Stieven Weidner, Senior Manager Part two of a two-part series. If you read my first article in this series, Building a Business Continuity Program, you know that

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information