General Computer Controls




General Computer Controls

Governmental Unit: University of Mississippi
Financial Statement Date: June 30, 2007
Prepared by: Robin Miller and Kathy Gates
Date: 6/29/2007

Description of computer systems and LANs in use (hardware and software). (It may be appropriate to complete a separate form for LANs.) [ ]

Instructions: CRI will need to gain an understanding of the different processes that are dependent on the general computer system and the related controls that ensure the integrity of the computer output. Computer general control activities relate to information technology personnel and operations as a group rather than directly to specific financial statement assertions. Therefore, the letter P or S appears in the column next to each control activity to indicate whether it is to be a primary control (P) or a secondary control (S). This form is designed for either an in-house system or a computer service organization. However, completion of this form is unnecessary for service centers if there is a suitable service auditor's report on the service organization's internal controls. Please complete this form for EACH of the systems used by the University and provide policies and procedures, organizational charts, narratives, and any other information that will be helpful in our understanding.

1. Organization controls (tested through inquiry and observation)

a. The information technology (IT) department is independent of the departments it serves.
b. IT personnel are prohibited from initiating or authorizing transactions.
c. IT personnel are prohibited from initiating changes to master files.
   i. In circumstances when master file changes are made by IT personnel, appropriate procedures are followed to control the changes.
d. Departments that initiate master file changes are given a report showing the changes that were made.
e. Appropriate procedures are followed when IT personnel make corrections to errors in data files or applications.
f. There is separation of duties between programmers, system administrators, and users.

Responses noted for items 1.a through 1.f, in the order recorded:
- Procedures require requesting entity to identify and authorize
- May be necessary under extreme circumstances to resolve a critical issue
- S N/A
- SAP is a real-time transactional ERP
- Areas of responsibility/usage clearly defined

g. The duties of IT personnel are rotated periodically.
   Response: Typically on a biannual basis and as new systems/applications are deployed
h. IT personnel are required to take annual vacations of at least one continuous week.
   Response: N. This is encouraged but not required
   i. During the vacationing personnel's absence, their duties are performed by other personnel.
i. If there is an internal audit function, the internal auditors report to the audit committee on whether the computerized accounting applications are designed and operated to produce information that can be used to prepare financial statements that accurately represent the client's financial condition and results of operations.

Responses noted for the remaining items in section 1, in the order recorded:
- Secondary and tertiary duties are assigned based on staffing
- S N/A

2. Access controls (tested through inquiry, observation, or document inspection)

(If the entity has more than one computer system or a LAN, this section of the form should be completed for each system or LAN. To do so, a copy can be made and completed for each system or LAN.)

a. One employee is assigned the responsibility for IT security.
   Response: While IT has a named Security Coordinator, there are various security responsibilities assigned throughout IT
b. There are adequate physical controls to ensure that access to computer facilities is restricted to authorized personnel.
c. Programmers are restricted from access to applications in live operation, job control language, and live data files.
d. Procedures are in place to prevent testing of new or revised applications on live data files.
e. Software users are prohibited from having access to source code, the compiler, and programming documentation.
f. Access to application processing parameter databases or table files is restricted to authorized personnel, and changes to those files are adequately reviewed.
g. Software utilities that can alter data or applications are adequately controlled and their usage is logged for subsequent management review.
h. Access control software is used for terminals and workstations so that:

Responses noted for items 2.b through 2.g, in the order recorded:
- A proximity card system is used to control access.
- As applicable
- Test systems are in place for all major functions
- System audit features capture all changes

   i. Access is limited to specified persons.
      Response: As applicable via ACLs, firewall settings, client software/accounts
   ii. Individuals have access only to those applications or files that are necessary to perform their duties.
      Response: Based on internal authorization roles
i. If passwords are used to control terminal or workstation access:
   i. Procedures are established to determine that those passwords are confidential and unique.
      Response: Requirements set, crackers used
   ii. Passwords are changed at regular intervals.
      Response: Every 90 days
   iii. Passwords are promptly canceled for terminated employees.
j. Regarding IT personnel who are terminated:
   i. They are released from sensitive duties immediately.
   ii. Their access to the IT system is suspended immediately.
   iii. Their actions are appropriately supervised until their departure from the premises.
k. There are procedures to prevent remote access to the network through dial-up, Internet, or Virtual Private Network (for example, dial-back, polling lists, user ID, or passwords).
l. If confidential or sensitive information is transmitted through public carrier networks (for example, by leased line), protection methods are used to prevent or detect unauthorized access, either through carrier security methods or independent methods (for example, encryption methods).
m. For internal network traffic, procedures that are commensurate with data traffic sensitivity are in place to provide security over transmissions across the network.
n. Intrusion detection systems are in place on the internal network to monitor the network.
o. All data has been classified and an appropriate risk ranking has been established that will support and provide evidence for the use of implemented network security controls.
p. For centralized data centers, there are appropriate controls over access to system administrator instruction manuals.

Responses noted for items 2.j through 2.p, in the order recorded:
- Daily updates supplied
- VPN/dial up requires managed account
- VPN and/or SSL is employed
- Client encryption
- S N. Commercial IDS is not installed. Several local procedures are in place to monitor and react to any issues
- Data pools are identified and risk factors noted
- Physically secured

q. For decentralized, distributed client server systems, there are appropriate education, training, and support materials available for the system administrator and security administrator over the servers.

3. Application development controls (tested through inquiry, observation, or document inspection)

(If the entity has more than one computing platform, such as mainframe and LAN, this section of the form should be completed for each platform. To do so, a copy of this section can be made and completed for each platform.)

The following control activities apply to all key applications, both those developed in-house and those purchased from third-party vendors.

a. There are established procedures for development of new applications, as well as modifications of existing applications.
   i. Approval is required and obtained for development of new applications or programs, or for modifications of existing ones.
b. Application development procedures give adequate consideration to development of adequate control features for the new or modified applications.
c. Application development procedures require active involvement by the users (and internal audit, if applicable).
d. Formal testing procedures have been established to check the functioning of new applications and modifications of existing applications (including testing of modifications made by vendors to purchased software).
e. During the testing phase, the user group (or the personnel who will run the system for the user group) tests the application as a complete product, and performs testing under conditions similar to those in which the application or system is expected to be run.
f. There are formal standards and procedures for documentation of new applications as well as modifications of existing applications.

Responses noted for items 3.a through 3.f, in the order recorded:
- If managed by IT
- See IT Work Request linked from http://www.olemiss.edu/depts/it/projects.html.
- Project life cycles include phases for testing/implementing authorizations.
- Absolutely.
- The SAP Support Desk coordinates testing and roll-out. Functional users are invited to the IT or SAP training lab where they test application functionality. A typical project will include two or three of these sessions.

g. Procedures are in place to prevent unauthorized changes to applications, preferably as part of the entity's system development life cycle methodology.
h. There are controls over the movement of new or modified code from development to testing and to the live operating environment.

4. System software controls (tested through inquiry, observation, or document inspection)

(System software includes the operating system, database management systems, telecommunications software, security software, utility software, file management systems, library management packages, compilers, sorts, job control software, and time-sharing software.)

a. If entity personnel have the technical expertise and tools to develop or modify system software:
   i. Those personnel are prevented from having a detailed understanding of related applications and user controls over key files and transactions.
   ii. Those personnel are appropriately supervised.
   iii. The entity has controls over system software like those for application development in place (items 3.a through 3.h).
   iv. Changes to the system software are reviewed and approved before moving them into the live operations environment.
   v. Changes to the system software are tested before moving them into the live operations environment.
   vi. Key system software parameters are periodically reviewed to ensure adequate use and governance of system resources and processing.
   vii. Maintenance and emergency software patches are installed and kept up to date per vendor specifications.

Responses noted for items 3.g through 4.a.vii, in the order recorded:
- The SAP landscape includes a sophisticated transport system that moves changes in a controlled manner across three systems: development, testing and production.
- Units are focused on defined segments
- Continuous monitoring of system resource usage/allocation through online tools
- Quarterly cycle for maintenance patches

5. Operational controls (tested through inquiry and document inspection)

(If the entity has more than one computing platform, such as mainframe and LAN, this section of the form should be completed for each platform. To do so, a copy of this section can be made and completed for each platform.)

a. Schedules are prepared and followed for processing of computer applications.
b. Changes to work schedules are appropriately authorized and communicated to affected parties.
c. Automated or manual logs are used to record system administrator activities and:
   i. There are controls to ensure the completeness and accuracy of the logs.
      Response: Via online calendar tracking
   ii. The logs are reviewed by appropriate supervisory personnel, and unusual entries are appropriately investigated.
      Response: As applicable
d. System administrators are required to report system failures, restart and recovery, or other unusual incidents, and those reports are reviewed by an appropriate official.
   Response: Maintained via call tracking system
e. System administrator instruction manuals (in the form of a printed manual or instructions that can be accessed online) are available to each system administrator.
f. System administrator instruction manuals contain the following:
   i. Setup of batch jobs and loading of operating systems or software (including applicable control statements or parameters used in processing).
   ii. Hardware components and data files to be used.
   iii. Input and output media to be used.
   iv. Termination of applications.
   v. Instructions on actions to be taken (such as rerun or restart procedures) if a process fails to operate properly.
g. There are appropriate procedures to monitor system administrator compliance with prescribed operating procedures.
h. There are appropriate procedures for back-up and storage of applications and data files.
i. There is a documented background screening of IT personnel.
   Response: HR function
j. Periodic security briefings are provided for IT personnel.

k. There are appropriate procedures to prevent test versions of applications from being run on live operating data and to control such tests when it is necessary to run them.
l. In circumstances when system administrators must initiate input of data, procedures exist to allow the system administrators to determine whether the input is properly authorized.
m. There are appropriate controls such as the following for situations when outside third parties (such as vendors from whom application or system software is licensed) are permitted to sign on to the client's system, for example, to perform problem determination and resolution procedures:
   i. The vendor must specifically request the client's authorization and a user ID and password (ideally a one-time use password) to sign on to the client's system.
   ii. The vendor must ask the client to turn on an activation switch that permits access to the system.
   iii. The client's procedures call for the client to call back vendors who initiate a request for access to the client's system to verify the identity and authority of the caller.

6. Disaster recovery/contingency planning (tested through inquiry and observation)

a. Off-premises storage is maintained for:
   i. Master files and transaction files sufficient to recreate the current master files.
      Responses noted, in the order recorded: Transport system employed for control; This can be done electronically
   ii. Applications and related documentation.
      Response: As applicable. Most applications and documentation are available from the vendor online.
   iii. Copies of the contingency plans.
b. Contingency plans have been developed for alternative processing in the event of loss or interruption of the IT function.
c. If contingency plans have been developed, the plans have been tested for adequacy in the event of a disaster.
   Response: S N
d. Copies of the backup files for the following are periodically tested to make certain that they are usable:
   i. Software copies.
      Response: S N. Only for restore purposes

   ii. Master files.
      Response: S N. Only for restore purposes
   iii. Transaction or transaction history files.
      Response: S N. Only for restore purposes