OFFICE OF THE STATE AUDITOR General Controls Review Questionnaire




OFFICE OF THE STATE AUDITOR
Agency: * University

Please answer all of the following questions. Where we ask for copies of policies and procedures and other documentation, we would prefer this in electronic format if possible. For questions which require more clarification, notify us and we will explain the information to you. Please do not wait until you complete the entire questionnaire before submitting your responses to us. As you complete each section, forward this information to us so we can begin our review. On all attachments, please indicate the source, or the person submitting the information provided, in the event we have to follow up with further questions. We would request that all questions be completed by, 2001. If you have any additional questions, please contact Michael Burch at (919) 807-7523 or email at Michael_Burch@ncauditor.net.

General Issues

1. Please provide us with a description of your computer systems, including:
   - Processor
   - Operating System (including version)
   - Security Software (including version)
   - Major application systems and the major user department for each application, including a user contact person for each application.
2. Describe any non-mainframe systems under the control of the Information Systems (IS) Department, such as a PC-based Cashiering System or One-Card System. Describe the application, the major user department with a contact person, and how the system interfaces with the mainframe application systems. Describe the computer system on which the application runs.
3. Describe any other department performing information system functions (programming or processing) or having its own servers. Examples would be standalone systems for the Cashier's Office, One-Card Office, and Bookstore. Please describe the application, the computer system on which it runs, and any interface with the mainframe applications. Provide us with the name and phone number of the responsible person in the department.
4. Describe any major changes in the data processing environment for the agency in the past five years.
5. Provide an organizational chart for the agency, showing the reporting responsibilities for the IS Department and the Internal Audit Function. Provide an organizational chart for the IS Department showing responsibilities and reporting relationships. Provide staff names for each position.

6. Provide the name, title, phone numbers, email addresses, and work schedules for each key staff member. For key personnel, provide planned vacation and time off for the next two months. Provide the user ids for key personnel.
7. Define the privileged user ids for the system. Describe the functions the person with each of these ids performs and the reason for the privileges given.
8. Provide the training and conferences attended by each staff member during the past year and planned attendance for the next year.
9. Has the internal auditor performed any type of IS audit? If so, please provide us a copy of the report and the current status of findings and recommendations. Also, provide us the name and phone number of the internal auditor.
10. Have there been any independent audits or reviews performed for any data processing application or computer system? If so, describe who performed the audit or review and provide a copy of the report. Also, provide the current status of any audit findings and recommendations.
11. Provide a description of the security function. Who defines security policies and procedures? Who performs the various security-related functions, such as approving users' access levels, granting access rights, resetting user ids and passwords, monitoring users' system activities, monitoring intrusion attempts, and reviewing security activities? Who performs application-level security for applications such as FRS, SIS, and HRS, and for any non-mainframe applications such as the One-Card System?

General Security Issues

1. Please provide us with your policies regarding external access by other organizations or individuals outside the agency, i.e., vendors, contractors, etc.
2. Do you have a security education program for staff and end users? If so, please provide us a copy of the documentation.

Access Control

1. What access control software do you use to protect your critical applications and sensitive information?
2. Do you have a policy regarding ownership of application system data files?
3. Please provide us with a copy of your information security policies and procedures.

4. Do you have program library policies and procedures? If so, do you have separate libraries for (1) development, (2) test, and (3) production programs?
5. What are the names of your development, test, and production source and object libraries?
6. What is your file naming convention?
7. Are all users personally identified when they log on to the network, rather than through group or terminal identifiers?
8. What are your policies and procedures for passwords?
   - Minimum and maximum length for passwords?
   - Are null passwords allowed?
   - How often does the system force password changes?
   - Are there any passwords set to never expire? If so, why?
   - How many password history versions are maintained?
   - How many unsuccessful attempts are allowed before intrusion detection is activated?
   - Is the user id inactivated after a defined number of unsuccessful logon attempts?
   - Is anyone notified of possible intrusion attempts? If so, what are the policies and procedures followed if a possible intrusion attempt is detected?
9. Does the software log and report all attempted security violations? If so, who is responsible for monitoring and responding to attempted security violations?

Program Security

1. Provide us with the access rights for all persons who have read, write, or execute access to the application program libraries. Be sure to include default access rights granted to all users.
2. Do you maintain logs of user access to the application program libraries?

Systems Development

1. Please provide us with your most current information systems strategic plan.
2. Have you adopted a systems development methodology? If so, provide us with a copy of the methodology used.
3. Please provide us with your documentation standards.
4. Are there mandatory project management policies and procedures for each large project? If so, please provide us with a copy.

Program Maintenance

1. Do you have any program change policies and procedures? If so, please briefly describe them or provide us with these policies and procedures.
2. Are proposed program changes requested in writing, approved by the user department, approved by the program maintenance department, assigned to a programmer, and classified as major, minor, or emergency?
3. Are program changes tested, approved, and documented?
4. Are changes reviewed and approved by both user and information systems department management? Is approval documented?
5. Do procedures ensure that system, program, operations, and user documentation is updated as needed for program changes?
6. Is there a streamlined set of the above procedures for minor changes, such as program fixes?
7. What procedures ensure that only authorized program changes are moved into the production libraries?
8. Who moves the modified programs into production? Does someone other than the programmer move programs into production? If not, is there any logging and monitoring of the programmers' activities in the production libraries?

   If a person other than the programmer moves the program into production, does the person who moves the source program recompile it and move the new object code into the production library?
9. Is there an alternate set of procedures for emergency changes, such as system crashes during peak processing periods? If so, describe the difference.
10. Do you use library management software to control the movement of programs between production and test libraries?

Physical Security

1. Have you recently performed a formal vulnerability or risk assessment? If so, please provide us with the assessment documents.
2. Are there fire and smoke detectors located in (a) the computer room, (b) the tape library, (c) supply storage areas, (d) rooms adjacent to the computer room, (e) heating and air conditioning vents, and (f) under raised floors? If so, how often are they tested?
3. Do the fire and smoke detectors and other alarms automatically notify center management, the security group, or the local police and fire departments?
4. Is fire fighting equipment, such as fire extinguishers, readily accessible throughout the center? Does the computer room contain water sprinklers?
5. Is the center protected from environmental hazards such as water damage, heat, and humidity?
6. Is the center protected from electrical power fluctuations and outages?
7. Are the computer areas (computer room, tape library, supply storage rooms, and other rooms adjacent to the computer room) properly restricted to personnel with assigned duties in those locations?
8. Do employees receive training and instructions concerning emergency procedures?

Operations Procedures

1. What type of training do the production control technicians and computer operators receive?
2. What type of automated operations software does the center use?
3. Please describe or provide us with a copy of the operator job handling procedures.
4. Do the procedures ensure that:
   a) All production jobs are authorized and requested by users.
   b) Jobs are scheduled to ensure that they are run, and run in the proper sequence.
   c) All production jobs are accounted for through a review of scheduled jobs.
5. Do you have a tape librarian and an automated tape inventory system?
6. Does your operating system or the tape management system check tape names at the beginning of processing?
7. Do you have a help desk function? What are its responsibilities?

Systems Software

1. Who is responsible for maintaining the systems software within the center?
2. Please provide us with a copy of the center's systems software maintenance and documentation standards.
3. Please provide us with a list of recently installed upgrades or changes.
4. Do you have a method of documenting and resolving systems software problems detected during testing or operations?
5. Do you maintain any user-written software or local code to supplement the vendor-supplied systems software? If so, are there policies that restrict the use of local code as much as possible, and procedures to develop, test, and maintain local code?

6. Do you have policies to ensure application systems are compatible with expected versions of systems software? If so, please provide us a copy of the policies.

Telecommunications

1. Please provide us with a copy of the center's most recent network diagrams.
2. Has the center performed a risk assessment to identify sensitive data on the network or high-risk users of the network? If so, please provide us a copy of the assessment.
3. Does the communications equipment ensure that transmissions are complete and accurate?
4. Does the computer center have dial-in users connecting directly to the mainframe or network servers? If so, what procedures are used to confirm the identity of dial-in users?
5. Does the network routing scheme assign addresses and maintain its routers to support the correct routing of information?
6. Do you use network encryption practices? Do you maintain public key directories?
7. What network management software do you use? Is it restricted to persons who need it to perform their job duties? If so, how?

Disaster Recovery Planning

1. What is the current backup schedule for data files, application programs, and system software? Are the backup tapes taken off-site? If so, what is the off-site schedule?
2. Please provide us with a copy of the backup policies and procedures. Do these policies and procedures cover critical data and applications on standalone systems and on systems not under the control of the Information Systems Department?
3. Please provide us with a copy of your disaster recovery plan.