Archived. Report on controls over the NZClear system. For the year ended 30 June Reserve Bank of New Zealand


System Operator: Reserve Bank of New Zealand
Custodian Trustee: New Zealand Central Securities Depository Limited (NZCSD)

Report on controls over the NZClear system
For the year ended 30 June 2014
Reserve Bank of New Zealand

Table of contents

Section I Purpose, scope and use of this report
Section II Report by management
Section III Description of the Reserve Bank's NZClear system
Section IV NZClear control objectives
Section V Independent assurance report
Section VI Definition of testing terms
Section VII Auditor's tests of operating effectiveness of key controls

Section I Purpose, scope and use of this report

This report is designed to provide information to be used for financial reporting purposes by members of NZClear ("the System") and their independent auditors in respect of the year ended 30 June. This report is prepared pursuant to Rule of the NZClear Rules which requires that an audit report for the System be prepared and published each year [1]. The report has been prepared in compliance with the requirements of the International Standard on Assurance Engagements (New Zealand) 3402 Assurance Reports on Controls at a Service Organisation issued by the External Reporting Board.

This report comprises:
- a report by management which describes the services provided by the Reserve Bank of New Zealand (the "Reserve Bank") as operator of the System including information on key internal controls for NZClear;
- an assurance report by Chris Barber with the assistance of PricewaterhouseCoopers ("PwC") on behalf of the Auditor-General ("the Auditor"); and
- details of the controls supporting each control objective, as well as the related tests performed by the Auditor and the results of that testing.

The scope of this report is limited to the controls which apply to the operation of the System by the Reserve Bank and its use by members pursuant to the NZClear Rules.

This report is strictly confidential. It is intended for use by the Reserve Bank, members of the NZClear system and their independent auditors. Unauthorised use of this report in whole or part is strictly prohibited.

[1] The NZClear Rules require that the Auditor issue a report on NZClear controls annually in respect of the period ended 30 June. In addition, the NZClear Rules require that for each three months ended 31 March, 30 September and 31 December the auditor will test the reconciliation of securities recorded in the NZClear system and those recorded in the respective registry records and issue a report on its findings.


Section III Description of the Reserve Bank's NZClear system

Background on NZClear

NZClear is New Zealand's principal high-value securities depository. The System is charged with providing an efficient and safe process for the electronic transfer and safekeeping of securities. NZClear, known formerly as the Austraclear New Zealand System, has been operating in New Zealand since 1990 and is used principally for transferring fixed interest securities and equity securities on a delivery versus payment basis. The System is also used to make transfers of cash between participants.

For a transaction to be settled both parties must enter the relevant details of the transaction and those transaction details must be matched by the System. Once a transaction is matched, to be further processed a payor of funds must have sufficient funds or credit facilities with its clearing bank (known in the Rules as the Participating ESAS Account Holder) and the seller of securities must have sufficient securities in its security account to complete the transaction.

Settlement is effected by a process called Delivery versus Payment ("DvP") (Bank for International Settlements Model 1) whereby settlement of securities and associated cash payments occurs on an irrevocable and simultaneous basis. Cash payments involving more than one Participating ESAS Account Holder are made across the Reserve Bank's Exchange Settlement Account System, while title to securities is transferred in the NZClear system. Once a transaction is settled it cannot be revoked.

NZClear is a designated settlement system under part 5C of the Reserve Bank Act. NZClear is jointly regulated by the Financial Markets Authority and the Prudential Supervision Department of the Reserve Bank of New Zealand. Designation provides statutory backing to the rules of the settlement system and provides additional legal certainty to settlements effected through those systems [2].

[2] Reserve Bank of New Zealand (Designated settlement system NZClear) Order

The NZClear system is operated by the Reserve Bank. The Reserve Bank's Financial Services Group ("FSG") is responsible for the administration of the operational aspects of the System. FSG is headed by Mike Wolyncewicz, the Reserve Bank's Chief Financial Officer, and day-to-day operational support is provided by the Payment and Settlement Services Team within FSG that is managed by the Payments and Settlement Services Manager, Nathan Lewer. FSG reports on the operation of NZClear to Mr Geoff Bascand, Deputy Governor and Head of Operations.

The Reserve Bank's Knowledge Services Group ("KSG") supports the telecommunications network and related security features utilised by the System. Software support, software development and operational support services are provided by Datacom Systems (Wellington) Limited ("Datacom"). The Reserve Bank manages Datacom's provision of services through a services contract and related service level agreement. The management process includes assessment of performance at monthly review meetings, monthly performance reports, review of problem management reports, a relationship governance committee and relevant project steering committees.

All securities beneficially owned by members and lodged into the System are registered in the name of New Zealand Central Securities Depository Limited ("NZCSD"), which is a wholly-owned subsidiary of the Reserve Bank. NZCSD operates as a bare trustee and is the custodian for securities beneficially owned by members of NZClear.

NZClear service

The Reserve Bank is the operator of the NZClear system. The Reserve Bank provides services to members of NZClear in accordance with the NZClear Rules ("the Rules") dated 1 March. The NZClear system allows members of that System to:

1. Hold their debt and equity securities in their securities accounts within the System, with the securities held for members at the relevant securities registries in the name of NZCSD, which has been appointed custodian trustee.
2. Record cash transactions in cash accounts which are provided to members by their relevant clearing bank.
3. Record in members' securities accounts and cash accounts, the settlement of sales and purchases of securities transactions and cash transfers in accordance with members' instructions. The Rules provide that once a transaction is settled, the settlement is irrevocable.
4. Give instructions to the Reserve Bank to deal with securities. This includes lodging securities into the System, uplifting securities from the System and issuing instructions to effect corporate actions relevant to the securities. Corporate actions include receiving interest and dividend revenue from securities and the processing of a range of other entitlements associated with ownership of securities, such as rights issues, bonus issues, takeover offers, dividend reinvestment plans, stock conversions and other like events.
5. Use a function known as FINEWISS to create and issue fixed interest securities. Members who use this service enter into a FINEWISS Registry Agreement with the Reserve Bank. Under that arrangement, the Reserve Bank is the registrar for the relevant securities and uses the NZClear system for that purpose, with NZCSD being the sole registered holder of those securities.

Members submit instructions to the System via electronic means, primarily through one or more of the dedicated telecommunications networks (the internet or the SWIFT system). In all cases the System has security features in place designed to ensure that access is authorised and instructions received are authenticated. In the case of corporate actions, processing involves giving instructions either through the NZClear system, or in the case of more complex events, through manual communications.

SWIFT is a secure system through which authorised NZClear members communicate in real time and transmit messages including settlement instructions. The operation of NZClear includes elements of the administration of the SWIFT system which are the responsibility of the Reserve Bank. This includes servers on which the Reserve Bank's interface to SWIFT resides, SWIFT system administration and security including allocation of user privileges to Reserve Bank staff, change control of elements of SWIFT software, administration of the SWIFT system so that authenticated SWIFT messages from authorised members are accepted for processing by NZClear, backing up data, business continuity readiness and problem management. In most other respects, reliance is placed on the SWIFT organisation itself for operation of that System.

The contractual relationships between all members, and between the Reserve Bank and all members, are governed by the Rules.

The NZClear system produces a range of reports which are generated either on request or automatically. The main reports include those which list:
- securities held in the System (and registered in NZCSD's name) for a member together with details of securities transactions posted to members' securities account(s);
- details of cash transactions that have been posted to a member's cash account with their clearing bank (the Participating ESAS Account Holder) which are recorded in the NZClear system;
- details of cash transactions for each clearing bank (the Participating ESAS Account Holder) which are recorded in the NZClear system in respect of each member; and
- the status of transactions during the transaction lifecycle.

During the year ended 30 June 2014 there have been no major upgrades to the functionality provided by the NZClear system.

The Reserve Bank interacts with members in several ways. A regular newsletter is emailed to every member, an annual report on the NZClear system is published, a User Advisory Committee is elected and meets with Reserve Bank management four times each year, a user meeting is held every six months, a customer survey is conducted every year and the results are reported back to the User Advisory Committee and members, and Reserve Bank management will meet with individual members (and with clients of members) from time to time.

Risk management

The internal controls of NZClear are audited each year by Chris Barber with the assistance of PricewaterhouseCoopers ("PwC"), as required by the NZClear Rules, who act on behalf of the Reserve Bank's external auditor, the Auditor-General ("the Auditor"). The scope of this audit includes the controls performed by the Reserve Bank's third party independent service provider, Datacom. In addition, the NZClear Rules require that the auditor will undertake a quarterly limited procedures review of key securities reconciliations and report on their findings.

The annual report on NZClear controls and the limited procedures reviews of key reconciliations are reviewed by the Reserve Bank's Audit Committee, with external auditors, Reserve Bank governors and management in attendance. NZClear is also subject to internal audit by the Reserve Bank's Audit Services division.

The main elements of risk management for NZClear entail:
- reconciliations are performed and reviewed daily;
- procedures and controls are adhered to;
- measures to manage operational risk, as described below; and
- business continuity plans are in place and tested regularly.

Managing operational risk in the Reserve Bank is seen as an integral part of day-to-day operations. Operational risk management includes Bank-wide corporate policies that describe the standard of conduct required of staff, a number of mandated requirements (e.g. a project management template), and specific internal control systems designed around the particular characteristics of various Reserve Bank activities.

Operational risk management is supported by:
- an induction programme for new employees that makes them aware of the requirements;
- monthly reporting to joint regulators including attestations by Reserve Bank management that the conditions of designation for NZClear have been complied with;
- a quarterly management affirmation by the Chief Financial Officer that corporate policies and departmental internal control systems have been complied with;
- a proactive problem management process whereby problems and incidents are reported internally and also to the joint regulators and analysed for potential risk management improvements;
- periodic review of risks and internal controls; and
- an active internal audit function.

In addition to administering system controls the Reserve Bank commissions a third party to undertake reviews of system security with a view to improving system security.

Information Technology activities outsourced to a service organisation

Within the Information Technology ("IT") processes described above, specific responsibilities supporting NZClear have been outsourced to a third-party IT service organisation, Datacom Systems (Wellington) Limited ("Datacom"). The significant activities and controls undertaken by Datacom include:

Security:
- User administration of the operating system and database is performed by Datacom on approval by the client account manager of the Reserve Bank.
- Datacom manage a data centre in Auckland that houses the computer equipment on which the system operates. Environmental and physical security controls over this equipment are operated by Datacom. The Reserve Bank also houses computers in Wellington on which the system operates. Datacom are also responsible for ensuring they have appropriate technical personnel available to restore and move production between the Wellington and Auckland sites.

Change control:
- Development of software changes is performed by Datacom staff on the approval of a change elaboration document approved by the Reserve Bank.
- Initial testing of software changes is performed by Datacom before the Reserve Bank's user testing and subsequent implementation.
- Implementation of software changes to the production system is performed by authorised Datacom staff when authorised by the Reserve Bank.
- A backup of the System and a back-out plan is prepared by Datacom before any implementation of program changes.

Operations:
- The Reserve Bank uses an online monitoring web-portal (Nagios) to ensure that the System is operating adequately and automated processes and controls have been completed successfully. For example, the portal monitors data backups, system usage and performance processing statistics.
- On a monthly basis, the controls and services performed by Datacom are required to be assessed and reported to the Reserve Bank. For example, Datacom reports that administrator accounts on the System have been accessed appropriately and relate to authorised work. A monthly meeting is also held between Datacom and the Reserve Bank to discuss management and operation of the System.

Members' controls

The controls described in Section IV cover only a portion of the overall internal controls for each member. Achievement of each of the control objectives will also be dependent on members maintaining an effective control environment through implementing controls such as:
- Documented policies and procedures (including transaction processing procedures, risk management policies such as conditions and restrictions for System use, good password practices, software copyright restrictions and virus protection);
- Restricted access to operating systems, applications, databases and underlying records (including role-based security mechanisms);
- User administration management;
- Transaction processing, authorisation, monitoring and reporting mechanisms;
- Segregation of duties in transaction processing;
- Reconciliation of transactions and holdings;
- Physical security of system infrastructure;
- Provisions of data backup and restoration and other computer operations; and
- Business continuity planning.

This report expressly excludes consideration by the Reserve Bank, and the Auditor of the effectiveness of members' own internal controls as distinct from internal control objectives and key controls of the NZClear system, which are the responsibility of the Reserve Bank.

Section IV NZClear control objectives

A summary of the control objectives relevant to the NZClear System are listed below. Following these are the specific key controls that are designed and implemented to achieve these stated control objectives.

Section 1 Security
1. NZClear security management procedures and application controls are adequate.
2. The Bank's internal and external network is adequately secured.
3. Access to system privileges within the underlying operating system is adequately secured.
4. NZClear functionality is only available to appropriate users at appropriate levels.
5. Access to the underlying database is adequately secured.
6. Adequate environmental and physical security controls are in place over computing equipment.

Section 2 Member Detail Administration
1. Authorisation is obtained for all additions, changes and deletions to member details.
2. Additions, changes and deletions to member details are correctly input into the System.

Section 3 Application Controls
1. All lodgements and uplifts from the various registries are processed completely, accurately and in a timely manner.
2. Errors in performing lodgements and uplifts are identified and corrected in a timely manner.
3. NZClear holdings are complete and accurate.
4. Corporate actions are completely and accurately processed.

Section 4 Change Control
1. Changes migrated into production are tested and approved.
2. Emergency changes migrated into production are appropriate and authorised.

Section 5 Problem Management
1. Problems are identified and resolved in a timely manner.

Section 6 Backup and Recovery
1. Adequate processes are in place for data recovery.
2. Timely recovery of business operations is possible.
3. System issues over NZClear system are identified and resolved in a timely manner.

Section 7 SLA Monitoring
1. Third party service levels are monitored to ensure compliance with agreed contractual requirements.

Section 8 Period End Processing
1. End of day processing is complete, accurate and timely.

Independent assurance report on the description of controls, their design and operating effectiveness

To the Governor, Reserve Bank of New Zealand

Scope

In accordance with the terms of our engagement letter dated 6 November 2013, we were engaged to 0 June 2014, and on the design and operation of controls related to the control objectives stated at controls performed by an independent service provider, Datacom Systems (Wellington) Limited specified in the description can be achieved only if complementary member controls contemplated in related controls at the Reserve Bank. We have not evaluated the suitability of the design or operating effectiveness of such member controls.

The Reserve Bank and Datacom are responsible for:
- preparing the description at Section III and accompanying assertion at Section II, including the completeness, accuracy and method of presentation of the description and assertion;
- providing the services covered by the description;
- stating the control objectives in Section IV; and
- designing, implementing and effectively operating controls to achieve the stated control objectives.

operation of controls related to the control objectives stated in that description, based on our procedures. We conducted our engagement in accordance with International Standard on Assurance by the External Reporting Board. That standard requires that we comply with relevant ethical requirements and plan and perform our procedures to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls are suitably designed and operating effectively.

An assurance engagement to report on the description, design and operating effectiveness of controls at a service organisation involves performing procedures to obtain evidence about the disclosures in f its System, and the design and operating effectiveness of controls. The procedures selected depend on our judgement, including the assessment of the risks that the description is not fairly presented, and that controls are not suitably designed or operating effectively. Our procedures included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the control objectives stated in the description were achieved. An assurance engagement of this type also includes evaluating the overall presentation of the description, the suitability of the objectives stated therein, and the suitability of the criteria specified by the service organisation and described in Section II. Also, we did not evaluate the security and controls over the electronic publication of this report.

PricewaterhouseCoopers, The Terrace, PO Box 243, Wellington 6140, New Zealand T: , F: , pwc.co.nz

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Limitations of controls at a service organisation

and their auditors and may not, therefore, include every aspect of the System that each individual member may consider important in its own particular environment. In addition to this, because of their nature, controls at a service organisation may not prevent or detect all errors or omissions in processing or reporting transactions. Section III also indicates that certain control objectives specified in the description can be achieved only if complementary member controls contemplated in the design controls at the Reserve Bank. Further, the projection of any evaluation of effectiveness to future periods is subject to the risk that controls at a service organisation may become inadequate or fail.

Opinion

Our opinion has been formed on the basis of the matters outlined in this report. The criteria we used in formi assertion at Section II. In our opinion, together with the complementary member controls referred to in the scope paragraph of this report, in all material respects:

(a) The description fairly presents the System as designed and implemented throughout the year ended 30 June
(b) The controls related to the control objectives stated in the description were suitably designed throughout the year ended 30 June
(c) The controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the year ended 30 June

Description of tests of controls

The specific controls tested and the nature, timing and results of those tests are listed in Section VII.

Intended users and purpose of the report

This report and the description of tests of controls in Sections IV and VII are intended only for members who have used the NZClear system during the year ended 30 June 2014, and their auditors, who have a sufficient understanding to consider it, along with other information including information about controls operated by members themselves, when assessing the risks of material misstatements rts/statements.

Our audit was completed on 28 July. This is the date at which our opinion is expressed.

Chris Barber
On behalf of the Auditor-General
Wellington, New Zealand
PricewaterhouseCoopers

Section VI Definition of testing terms

The following are definitions of the terms used in the testing of key controls.

1. Enquiry: Enquired of appropriate personnel. Conducted enquiries seeking relevant information or representations from personnel, performed to obtain, among other things:
- Knowledge, additional information and affirmation regarding the control of procedures.
- Corroborating evidence of the controls.

2. Inspection: Inspected documents and records indicating performance of the controls. This may include, among other things:
- Inspection of reconciliations and management reports that age and/or quantify reconciling items to assess whether balances and reconciling items appear to be properly monitored, controlled and resolved on a timely basis, as required by the related control.
- Examination of source documentation and authorisations related to selected transactions processed.
- Examination of documents or records for evidence of performance, such as the existence of initials or signatures.
- Inspection of the Reserve Bank's systems documentation, such as operations, manuals, flow charts and job descriptions.

3. Observation: Observed the application or existence of specific controls as represented.

4. Re-performance: Re-performed the control or processing application of the controls to check the accuracy of their operation. This may include, among other things:
- Obtaining evidence of the arithmetical accuracy and correct processing of transactions by performing independent calculations.
- Re-performing the matching of various system records by independently matching the same records and comparing reconciling items to reconciliations prepared by the Reserve Bank.

Section VII Auditor's tests of operating effectiveness of key controls

Section 1 Security

Control Objective 1: NZClear security management procedures and application controls are adequate.

a) Control: Procedures are in place for the creation and deletion of user accounts.
   Test (Enquiry and Inspection): Confirmed with management that a user administration policy exists for the creation and addition of users. Inspected user listings to confirm new and terminated users processed during the period 1 July June 2014 were appropriately approved.

b) Control: Password parameters and login settings in the application are appropriate and comply with good practice.
   Test: Inspected password parameters on the NZClear application and noted that passwords complied with good practice.

c) Control: Administrator access in the application is appropriately restricted to users in line with business requirements.
   Test: Inspected a user access listing and confirmed administrator access was restricted to appropriate users based on their role and responsibilities.

d) Control: System education and training programs have been established and undertaken.
   Test (Enquiry and Inspection): Confirmed with management that all new employees are involved in an induction process prior to using the System. Inspected the Reserve Bank's security policies. Inspected security declaration signoffs for a sample of employees. Inspected a sample of quarterly management affirmations to confirm employees were aware and have complied with security policies.

Control Objective 2: The Reserve Bank's internal and external network is adequately secured.

a) Control: Members must agree and sign the NZClear rules to abide by the Reserve Bank's network and access rules.
   Test: Inspected a sample of new members added during the period ensuring a copy of the Reserve Bank's network and access rules had been signed.

b) Control: The Reserve Bank network topology is documented to ensure appropriate security mechanisms are in place.
   Test: Inspected the Reserve Bank network diagram to ensure appropriate security mechanisms are in place such as firewalls.

c) Control: Only Reserve Bank staff can configure the routers supplied to members.
   Test (Observation and Inspection): Observed that access was restricted to authorised users through two factor authentication. Inspected the list of users who are able to configure the routers and assessed the appropriateness of access. Inspected router settings that limit configuration access to the Reserve Bank operations team.

d) Control: Annually, the Reserve Bank performs a network security review. Vulnerabilities are identified and reviewed by senior management.
   Test (Enquiry and Inspection): Enquired with management that an independent third party was engaged to perform a network security review on behalf of the Reserve Bank. Inspected evidence of the review and reporting of key findings. Confirmed through inspection that identified vulnerabilities were reviewed by management.

e) Control: Network security is regularly reviewed.
   Test: For a sample of weeks, inspected evidence of weekly network security reviews identifying potential network vulnerabilities.
   Exception noted: Evidence of scans was not accessible for periods prior to September.
   Reserve Bank Response: With a move to a new solution for scanning network security, this matter has now been resolved.

Control Objective 3: Access to system privileges within the underlying operating system is adequately secured.

a) Control: Access to system privileges at the operating system level requires manager approval.
   Test (Enquiry and Inspection): Confirmed with Datacom that all new users must be approved by a manager at Datacom or the Reserve Bank. Inspected a sample of approvals of new users added during the period.

b) Control: Administrative access to the operating system is appropriately restricted.
   Test: Inspected a listing of all administrator users and confirmed with management that their access was appropriate.

c) Control: Password parameters and login settings at the operating system level are appropriate and comply with good practice.
   Test: Obtained and inspected the operating system password settings and noted that passwords complied with good practice.

d) Control: Privileged access to the operating system is logged and reviewed.
   Test: Inspected a sample of monthly SLA reports that confirmed direct access to the operating system is logged and reviewed.

Control Objective 4: NZClear functionality is only available to appropriate users at appropriate levels.

a) Control: Administrator access in the application is appropriately restricted to users in line with business requirements.
   Test: Inspected a user access listing and confirmed administrator access was restricted to appropriate users based on their role and responsibilities.

b) Control: User accounts and access rights are reviewed regularly to ensure that these are appropriate.
   Test: Inspected a sample of the monthly user account reviews conducted over the user accounts and rights allocated.

Control Objective 5: Access to the underlying database is adequately secured.

a) Control: Access to system privileges at the database level requires manager approval.
   Test (Enquiry and Inspection): Confirmed with Datacom that all new users must be approved by a manager at Datacom or the Reserve Bank. Inspected a sample of approvals of new users added during the period.

b) Control: Privileged user accounts at the database level are regularly reviewed for appropriateness.
   Test: Obtained and inspected a sample of user accounts reviews at the database level.
   No exceptions noted.

c) Control: Password parameters and login settings at the database level are appropriate.
   Test: Obtained and inspected the database password settings and noted that passwords complied with good practice.

d) Control: Privileged access to the database is logged and reviewed.
   Test: Inspected a sample of monthly SLA reports in which the third party vendor reports access over the database.


More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Autodesk PLM 360 Security Whitepaper

Autodesk PLM 360 Security Whitepaper Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure

More information

Interim Audit Report. Borough of Broxbourne Audit 2010/11

Interim Audit Report. Borough of Broxbourne Audit 2010/11 Interim Audit Report Borough of Broxbourne Audit 2010/11 The Audit Commission is an independent watchdog, driving economy, efficiency and effectiveness in local public services to deliver better outcomes

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Guidance Statement GS 007 Audit Implications of the Use of Service Organisations for Investment Management Services

Guidance Statement GS 007 Audit Implications of the Use of Service Organisations for Investment Management Services GS 007 (March 2008) Guidance Statement GS 007 Audit Implications of the Use of Service Organisations for Investment Management Services Issued by the Auditing and Assurance Standards Board Obtaining a

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

COUNTRY SCHEDULE NEW ZEALAND

COUNTRY SCHEDULE NEW ZEALAND This document constitutes a Country Schedule as referred to in the Conditions and sets out country specific terms on which the Bank provides the Customer with one or more Accounts or Services in New Zealand

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Audit of NSERC Award Management Information System

Audit of NSERC Award Management Information System Internal Audit Audit Report Audit of NSERC Award Management Information System TABLE OF CONTENTS 1. EXECUTIVE SUMMARY... 2 2. INTRODUCTION... 3 3. AUDIT FINDINGS- BUSINESS PROCESS CONTROLS... 5 4. AUDIT

More information

STATEMENT OF AUDITING STANDARDS 300 AUDIT RISK ASSESSMENTS AND ACCOUNTING AND INTERNAL CONTROL SYSTEMS

STATEMENT OF AUDITING STANDARDS 300 AUDIT RISK ASSESSMENTS AND ACCOUNTING AND INTERNAL CONTROL SYSTEMS STATEMENT OF AUDITING STANDARDS 300 AUDIT RISK ASSESSMENTS AND ACCOUNTING AND INTERNAL CONTROL SYSTEMS (Issued January 1997; revised January 2004) SAS 300 (revised January 04) Contents Paragraphs Introduction

More information

REDCENTRIC MANAGED SERVER SERVICE DEFINITION

REDCENTRIC MANAGED SERVER SERVICE DEFINITION REDCENTRIC MANAGED SERVER SERVICE DEFINITION SD062 V1.4 Issue Date 01 July 2014 1) OVERVIEW The Managed Server service (MSS) provides access to Redcentric s 24x7 support capability, technical skills and

More information

Private Runtime Environment

Private Runtime Environment Private Runtime Environment 1. Principles A Private Runtime Environment (PRE) is an environment which enables Contractors to locate their resources in a segregated environment within premises provided

More information

General Computer Controls

General Computer Controls 1 General Computer Controls Governmental Unit: University of Mississippi Financial Statement Date: June 30, 2007 Prepared by: Robin Miller and Kathy Gates Date: 6/29/2007 Description of computer systems

More information

Office of Finance and Treasury

Office of Finance and Treasury Office of Finance and Treasury How to Accept & Process Credit and Debit Card Transactions Procedure Related Policy Title Credit Card Processing Policy For University Merchant Locations Responsible Executive

More information

EEA Life Settlements Fund PCC Limited

EEA Life Settlements Fund PCC Limited Report on Control Environment as at 30 April 2011 Incorporating an Independent Report by KPMG Channel Islands Limited dated 5 July 2011 Index Introduction 1 Fund structure 2 Organisation of responsibilities

More information

Electronic Trading Information Template

Electronic Trading Information Template Electronic Trading Information Template Preface This Electronic Trading Information Template (the "Template") has been created through the collaborative efforts of the professional associations listed

More information

Financial Services Guidance Note Outsourcing

Financial Services Guidance Note Outsourcing Financial Services Guidance Note Issued: April 2005 Revised: August 2007 Table of Contents 1. Introduction... 3 1.1 Background... 3 1.2 Definitions... 3 2. Guiding Principles... 5 3. Key Risks of... 14

More information

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - . Board Charter - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1. Interpretation 1.1 In this Charter: Act means the Companies

More information

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011 CREDIT CARD MERCHANT PROCEDURES MANUAL Effective Date: 5/25/2011 Updated: May 25, 2011 TABLE OF CONTENTS Introduction... 1 Third-Party Vendors... 1 Merchant Account Set-up... 2 Personnel Requirements...

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

PRIMARY DISCLOSURE STATEMENT AUTHORISED FINANCIAL ADVISER

PRIMARY DISCLOSURE STATEMENT AUTHORISED FINANCIAL ADVISER PRIMARY DISCLOSURE STATEMENT AUTHORISED FINANCIAL ADVISER Name and Registration Number of Authorised Financial Adviser: Martin Wisler Poulsen, FSP46183. Address: C/- First NZ Capital Securities Limited,

More information

GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES

GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES Issued: 15 March 2005 Revised: 25 April 2014 1 P a g e List of Revision Revision Effective Date 1 st Revision 23 May 2011 2 nd Revision 16

More information

FUND MANAGER CODE OF CONDUCT

FUND MANAGER CODE OF CONDUCT FUND MANAGER CODE OF CONDUCT First Edition pursuant to the Securities and Futures Ordinance (Cap. 571) April 2003 Securities and Futures Commission Hong Kong TABLE OF CONTENTS Page INTRODUCTION 1 I. ORGANISATION

More information

RULES OF PROCEDURE FOR THE BOARD OF DIRECTORS, THE EXECUTIVE CHAIRMAN AND THE GENERAL MANAGER IN DOLPHIN GROUP ASA

RULES OF PROCEDURE FOR THE BOARD OF DIRECTORS, THE EXECUTIVE CHAIRMAN AND THE GENERAL MANAGER IN DOLPHIN GROUP ASA RULES OF PROCEDURE FOR THE BOARD OF DIRECTORS, THE EXECUTIVE CHAIRMAN AND THE GENERAL MANAGER IN DOLPHIN GROUP ASA ADOPTED BY THE BOARD OF DIRECTORS ON 27 APRIL 2015 1. THE BOARD OF DIRECTORS The Board

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Service Schedule for CLOUD SERVICES

Service Schedule for CLOUD SERVICES Service Schedule for CLOUD SERVICES This Service Schedule is effective for Cloud Services provided on or after 1 September 2013. Terms and Conditions applicable to Cloud Services provided prior to this

More information

RS Official Gazette, No 23/2013 and 113/2013

RS Official Gazette, No 23/2013 and 113/2013 RS Official Gazette, No 23/2013 and 113/2013 Pursuant to Article 15, paragraph 1 and Article 63, paragraph 2 of the Law on the National Bank of Serbia (RS Official Gazette, Nos 72/2003, 55/2004, 85/2005

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Appendix to Resolution No. 646/2011 of the Warsaw Stock Exchange Management Board dated 20 May 2011 (as amended)

Appendix to Resolution No. 646/2011 of the Warsaw Stock Exchange Management Board dated 20 May 2011 (as amended) Appendix to Resolution No. 646/2011 of the Warsaw Stock Exchange Management Board dated 20 May 2011 (as amended) Rules of providing current and periodical information in the alternative trading system

More information

N e t w o r k E n g i n e e r Position Description

N e t w o r k E n g i n e e r Position Description Position Title: Group/Division/Team Network Engineer Business Technology Services / IT Operations Division Date October 2011 Reports to Roles Reporting to This Primary Objective Decision Making Authority

More information

INFORMATION TECHNOLOGY CONTROLS

INFORMATION TECHNOLOGY CONTROLS CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,

More information

FMCF certification checklist 2014-15 (incorporating the detailed procedures) 2014-15 certification period. Updated May 2015

FMCF certification checklist 2014-15 (incorporating the detailed procedures) 2014-15 certification period. Updated May 2015 FMCF certification checklist 2014-15 (incorporating the detailed procedures) 2014-15 certification period Updated May 2015 The Secretary Department of Treasury and Finance 1 Treasury Place Melbourne Victoria

More information

THE BUDAPEST STOCK EXCHANGE LTD. REGULATIONS ON THE USE OF REMOTE TRADING

THE BUDAPEST STOCK EXCHANGE LTD. REGULATIONS ON THE USE OF REMOTE TRADING THE BUDAPEST STOCK EXCHANGE LTD. REGULATIONS ON THE USE OF REMOTE TRADING Date and reference no. of approval/modification resolutions by the Board of Directors: Date and reference no. of approval by Supervisory

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

BARRAMUNDI L IMITED RISK MANAGEMENT POLICY

BARRAMUNDI L IMITED RISK MANAGEMENT POLICY BARRAMUNDI L IMITED RISK MANAGEMENT POLICY Last updated: 25 August 2014 THE OBJECTIVES OF RISK MANAGEMENT Risk management is the systematic process of managing an organisation's risk exposures to achieve

More information

FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS. Date(s) Completed. Workpaper Reference

FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS. Date(s) Completed. Workpaper Reference FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS Workpaper Reference Date(s) Completed Organization and Staffing procedures used to define the organization of the IT Department. 2. Review the organization

More information

Reporting on Control Procedures at Outsourcing Entities

Reporting on Control Procedures at Outsourcing Entities Auditing Guidance Statement AGS 1042 (July 2002) Reporting on Control Procedures at Outsourcing Entities Prepared by the Auditing & Assurance Standards Board of the Australian Accounting Research Foundation

More information

Stock Plan Administration in the Age of Sarbanes-Oxley. Compliance Considerations for Administrators

Stock Plan Administration in the Age of Sarbanes-Oxley. Compliance Considerations for Administrators White Paper Stock Plan Administration in the Age of Sarbanes-Oxley Compliance Considerations for Administrators The information published in this paper is of a general nature and is intended merely as

More information

Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES. First Edition July 2005. Hong Kong

Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES. First Edition July 2005. Hong Kong Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES First Edition July 2005 Hong Kong Contents Glossary...2 Introduction to Standards...4 Interpretation Section...6

More information

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date: A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine

More information

Roles & Responsibilities for NHAIS (Exeter) System Key Users

Roles & Responsibilities for NHAIS (Exeter) System Key Users Document filename: NHAIS Key User Roles and Responsibilities.docx Directorate / Programme HSCIC Project SSD Document Reference DOC-00126 Project Manager Sean Walsh Status Approved Owner Norman Raphael

More information

Guidance Statement GS 011 Third Party Access to Audit Working Papers

Guidance Statement GS 011 Third Party Access to Audit Working Papers GS 011 (April 2009) Guidance Statement GS 011 Third Party Access to Audit Working Papers Issued by the Auditing and Assurance Standards Board GS 011-1 - GUIDANCE STATEMENT Obtaining a Copy of this Guidance

More information

Information Systems and Technology

Information Systems and Technology As public servants, it is our responsibility to use taxpayers dollars in the most effective and efficient way possible while adhering to laws and regulations governing those processes. There are many reasons

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

Keyfort Cloud Services (KCS)

Keyfort Cloud Services (KCS) Keyfort Cloud Services (KCS) Data Location, Security & Privacy 1. Executive Summary The purposes of this document is to provide a common understanding of the data location, security, privacy, resiliency

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Decision on adequate information system management. (Official Gazette 37/2010)

Decision on adequate information system management. (Official Gazette 37/2010) Decision on adequate information system management (Official Gazette 37/2010) Pursuant to Article 161, paragraph (1), item (3) of the Credit Institutions Act (Official Gazette 117/2008, 74/2009 and 153/2009)

More information

Application to access Chesters Trade

Application to access Chesters Trade Application to access Chesters Trade Please fill in all details below: Account Number Company Name Company Phone Number Fax Number Contact Name Mobile Number Email Address Please review the Terms of Use

More information

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK This Guideline does not purport to be a definitive guide, but is instead a non-exhaustive

More information

Commercial Crime Insurance Application Form

Commercial Crime Insurance Application Form Commercial Crime Insurance Application Form Please answer all questions fully, and including all subsidiaries. If there is insufficient space, please provide further details as appropriate. Copies of the

More information

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS 11-1 CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS INTRODUCTION The State Board of Accounts, in accordance with State statutes and the Statements on Auditing Standards Numbers 78

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

Our Impacts: accurate base factor data supporting Audit Ready Output

Our Impacts: accurate base factor data supporting Audit Ready Output Our Impacts: accurate base factor data supporting Audit Ready Output Report on third party sourced base factors used within the Our Impacts platform as at 31 January 2014 and the design of internal controls

More information

CHESS. Clearing House Electronic Subregister System

CHESS. Clearing House Electronic Subregister System CHESS Clearing House Electronic Subregister System Exchange Centre, 20 Bridge Street, Sydney NSW 2000 Telephone: 1300 300 279 www.asx.com Information provided is for educational purposes and does not constitute

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

SCOPE OF SERVICE Hosted Cloud Storage Service: Scope of Service

SCOPE OF SERVICE Hosted Cloud Storage Service: Scope of Service Hosted Cloud Storage Service: Scope of Service 1. Definitions 1.1 For the purposes of this Schedule: Access Account is an End User account with Data Storage requiring authentication via a username and

More information

Stockbrokers Crime and Professional Liabilities Application Form A. PARTICULARS OF APPLICANT

Stockbrokers Crime and Professional Liabilities Application Form A. PARTICULARS OF APPLICANT Stockbrokers Crime and Professional Liabilities Application Form Answer all the questions. If you answer any question in relation to a control or procedure as no please provide details of any alternative

More information

NZX LIMITED. Derivatives Market Procedures

NZX LIMITED. Derivatives Market Procedures NZX LIMITED Derivatives Market Procedures 6 OCTOBER 2010 Contents Section A: Interpretation and Construction 5 Section 1: General Provisions and Interpretation 7 Definitions Procedure 7 1.1 Exchange for

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Information security policy

Information security policy Information security policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review of IS Policy\Current

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management Advisory Guidelines of the Financial Supervisory Authority Requirements regarding the arrangement of operational risk management These Advisory Guidelines have established by resolution no. 63 of the Management

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

RISK MANAGEMENT PLAN

RISK MANAGEMENT PLAN RISK MANAGEMENT PLAN FSP name : Sentraal-Suid Koöperasie Beperk FSP number : 1107 person : James Ackhurst Sel. 082 388 0030, E-pos: james@ssk.co.za officer : Jaconette de Beer Sel. 082 820 9370, E-pos:

More information

Chapter 10 EQUITY SECURITIES RESTRICTIONS ON PURCHASE AND SUBSCRIPTION

Chapter 10 EQUITY SECURITIES RESTRICTIONS ON PURCHASE AND SUBSCRIPTION Chapter 10 EQUITY SECURITIES RESTRICTIONS ON PURCHASE AND SUBSCRIPTION Restrictions on Preferential Treatment of Purchase and Subscription Applications 10.01 Normally no more than ten per cent. of any

More information

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant Ellucian Cloud Services Joe Street Cloud Services, Sr. Solution Consultant Confidentiality Statement The information contained herein is considered proprietary and highly confidential by Ellucian Managed

More information

investment portfolio service

investment portfolio service investment portfolio service overview Cavendish is a specialist administrator of Self Managed Superannuation Funds (SMSFs). Our overriding business objective is to provide our clients the Trustees of the

More information

Data Governance Policy. Staff Only Students Only Staff and Students. Vice-Chancellor

Data Governance Policy. Staff Only Students Only Staff and Students. Vice-Chancellor Name of Policy Description of Policy Policy applies to Data Governance Policy To establish proper standards to assure the quality and integrity of University data. This policy also defines the roles and

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

APES 310 Dealing with Client Monies

APES 310 Dealing with Client Monies M EXPOSURE DRAFT ED 01/10 (April 2010) APES 310 Dealing with Client Monies Proposed Standard: APES 310 Dealing with Client Monies (Supersedes APS 10) [Supersedes APES 310 Dealing with Client Monies issued

More information

Guidance Note 4/07. Undertakings for Collective Investment in Transferable Securities (UCITS) Organisation of Management Companies.

Guidance Note 4/07. Undertakings for Collective Investment in Transferable Securities (UCITS) Organisation of Management Companies. 2013 Guidance Note 4/07 Guidance Note 4/07 Undertakings for Collective Investment in Transferable Securities (UCITS) Organisation of Management Companies February 2013 1 Contents A. Introduction 3 B. Information

More information

Corporate Governance Guidelines

Corporate Governance Guidelines Corporate Governance Guidelines 1. Introduction Entra ASA ( Entra ), and together with its subsidiaries, ( the group ) will be subject to the reporting requirements on corporate governance set out in 3

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS 357-7 8. Risk Assessment 357-7

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS 357-7 8. Risk Assessment 357-7 Information Technology Management Page 357-1 INFORMATION TECHNOLOGY MANAGEMENT CONTENTS CHAPTER A GENERAL 357-3 1. Introduction 357-3 2. Applicability 357-3 CHAPTER B SUPERVISION AND MANAGEMENT 357-4 3.

More information

UK Access Management Federation For Education and Research Operator

UK Access Management Federation For Education and Research Operator UK Access Management Federation for Education and Research Federation Operator Procedures 1 st August 2011 Version 2.1 ST/AAI/UKF/DOC/005 Contents 1 Introduction 3 2 Membership application processing 3

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

Spillemyndigheden s Certification Programme Information Security Management System
