Information Technology General Controls (ITGCs) 101



Similar documents
AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

General Computer Controls

San Francisco Chapter. Information Systems Operations

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Mecklenburg County Department of Internal Audit. PeopleSoft Application Security Audit Report 1452

The Information Systems Audit

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Client Security Risk Assessment Questionnaire

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

Information Blue Valley Schools FEBRUARY 2015

Miami University. Payment Card Data Security Policy

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Department of Public Utilities Customer Information System (BANNER)

Better secure IT equipment and systems

Vendor Audit Questionnaire

Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

PART 10 COMPUTER SYSTEMS

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

Attachment A. Identification of Risks/Cybersecurity Governance

Practical Guidance for Auditing IT General Controls. September 2, 2009

Critical Controls for Cyber Security.

MUSC Information Security Policy Compliance Checklist for System Owners Instructions

Audit of Policy on Internal Control Information Technology General Controls (ITGCs) Audit

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Application controls testing in an integrated audit

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Attachment E. RFP Requirements: Mandatory Requirements: Vendor must respond with Yes or No. A No response will render the vendor nonresponsive.

Domain 1 The Process of Auditing Information Systems

VMware vcloud Air HIPAA Matrix

VA Office of Inspector General

University of Central Florida Class Specification Administrative and Professional. Information Security Officer

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

External Penetration Assessment and Database Access Review

Network and Security Controls

Information Shield Solution Matrix for CIP Security Standards

FINAL May Guideline on Security Systems for Safeguarding Customer Information

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

Post-Class Quiz: Business Continuity & Disaster Recovery Planning Domain

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

AUDITING TECHNIQUES TO ASSESS FRAUD RISKS IN ELECTRONIC HEALTH RECORDS

BKDconnect Security Overview

Office of Inspector General

VA Office of Inspector General

An Introduction to HIPAA and how it relates to docstar

Supplier Security Assessment Questionnaire

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

State of Wisconsin DET File Transfer Protocol Service Offering Definition (FTP & SFTP)

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

OFFICE OF AUDITS & ADVISORY SERVICES IT DISASTER RECOVERY AUDIT FINAL REPORT

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Information Technology Auditing for Non-IT Specialist

Security Management. Keeping the IT Security Administrator Busy

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

PeopleSoft IT General Controls

STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA Security Alert

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Union County. Electronic Records and Document Imaging Policy

Music Recording Studio Security Program Security Assessment Version 1.1

The Protection Mission a constant endeavor

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division

ACCEPTING PAYMENT CARD ASSESSMENT Pre-Selection Questionnaire

IT - General Controls Questionnaire

IT Sr. Systems Administrator

Circular to All Licensed Corporations on Information Technology Management

Newcastle University Information Security Procedures Version 3

Sarbanes-Oxley Compliance for Cloud Applications

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH

Cloud Computing Governance & Security. Security Risks in the Cloud

INCIDENT RESPONSE CHECKLIST

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

CHIS, Inc. Privacy General Guidelines

Information System Audit. Arkansas Administrative Statewide Information System (AASIS) General Controls

Transcription:

Information Technology General Controls (ITGCs) 101 Presented by Sugako Amasaki (Principal Auditor) University of California, San Francisco December 3, 2015 Internal Audit Webinar Series

Webinar Agenda Introduction Why are IT General Controls Important? Types of Controls IT General Controls Review - Audit Process IT General Controls Review - Overview and Examples Access to Programs and Data Program Changes and Development Computer Operations Q&A

Why are IT General Controls Important? IT systems support many of the University s business processes, such as these below: Finance Purchasing Research Patient care Inventory Payroll We cannot rely on IT systems or data therein without effective IT General Controls

Why are IT General Controls Important? Financial Objectives, such as: - Completeness - Accuracy - Validity - Authorization Operational & IT Objectives, such as: - Confidentiality - Integrity - Availability - Effectiveness and Efficiently Ineffective ITGCs = No achievement of business objectives

Types of Controls How are controls implemented? Automated Controls Manual Controls Partially Automated Controls What are controls for? Preventive Controls Detective Controls Corrective Controls

IT General Controls Review - Audit Process 1. Understand and identify the IT Environment and systems to be reviewed 2. Perform interviews, walkthroughs, and documentation reviews to gain an understanding on processes 3. Assess appropriateness of existing control environment (control design) 4. Validate existing controls to assess control operating effectiveness

IT General Controls Review - Overview Access to Program and Data IT General Controls Access to Program and Data Program Changes Program Development Computer Operations Risk: Unauthorized access to program and data may result in improper changes to data or destruction of data. Objectives: Access to program and data is properly restricted to authorized individuals only.

IT General Controls Review - Overview Access to Programs and Data Access to programs and data components to be considered: Policies and procedures User access provisioning and de-provisioning Periodic access reviews Password requirements Privileged user accounts Physical access Appropriateness of access/segregation of duties Encryption System authentication Audit logs Network security

Area Existing Control Design How to Test/Validate User access provisioning User access de-provisioning Periodic access reviews Password requirements Privileged user accounts Physical access IT General Controls Review - Example Access to Programs and Data A formal process for granting or modifying system access (based on appropriate level of approval) is in place. A formal process for disabling access for users that are transferred or separated is in place. Periodic access reviews of users, administrators, and third-party vendors are performed. Unique (to individual) and strong passwords are used. Accounts having privileged system access rights (e.g. servers, databases, applications, and infrastructure) are limited to authorized personnel. Only authorized personnel are allowed to access secured areas and computer facilities. Review an evidence of approval Compare existing user accounts with a list of users that are transferred or separated Review an evidence of periodic reviews Assess password rules enforced Review accounts with privileged access rights Walkthrough of areas (e.g. data center, backup storage etc.)

IT General Controls Review - Overview Program Changes and Development IT General Controls Access to Program and Data Program Changes Program Development Computer Operations Risk: Inappropriate changes to systems or programs may result in inaccurate data. Objectives: All changes to existing systems are properly authorized, tested, approved, implemented and documented. Risk: Inappropriate system or program development or implementation may result in inaccurate data. Objectives: New systems/applications being developed or implemented are properly authorized, tested, approved, implemented and documented.

IT General Controls Review - Overview Program Changes and Development Program changes and development components to be considered: Change management procedures and system development methodology Authorization, development, implementation, testing, approval, and documentation Migration to the production environment (Separation of Duties (SOD)) Configuration changes Emergency changes Data migration and version controls Post change/implementation testing and reviews

Area Existing Control Design How to Test/Validate Change management controls Change documentation A formal process for proper change management is in place. All changed made to systems (e.g. servers, databases, applications, batch jobs and infrastructure) are documented and tracked. Review/assess change management procedures and validate that procedures are followed Review change logs Testing Appropriate level of testing is performed. Review an evidence of test plans and results Approval Migration IT General Controls Review - Example Program Changes and Development Appropriate approval prior to migration to production is required. Access to migrate changes into production is appropriately restricted. Review an evidence of approval Verify that a separation of duties (SOD) between developers and operators (= making changes) exists

IT General Controls Review - Overview Computer Operations IT General Controls Access to Program and Data Program Changes Program Development Computer Operations Risk: Systems or programs may not be available for users or may not be processing accurately. Objectives: Systems and programs are available and processing accurately.

IT General Controls Review - Overview Computer Operations Computer operations components to be considered: Batch job processing Monitoring of jobs (success/failure) Backup and recovery procedures Incident handling and problem management Changes to the batch job schedules Environmental controls Disaster Recovery Plan (DRP) and Business Continuity Plan (DRP) Patch management

Batch job processing Area Existing Control Design How to Test/Validate Monitoring of jobs Backup and recovery Problem/issue management IT General Controls Review - Example Computer Operations Batch jobs are appropriately scheduled, processed, monitored, and tracked. Failed jobs are followed-up and documented (including successful resolutions and explanations) Backups for critical data and programs are available in the event of an emergency. A formal process for problem/issue handling is in place in order to ensure timely identification, escalation, resolution and documentation of problem. Review/assess procedures for batch job processing and monitoring and validate that procedures are followed Validate that failed jobs are followed-up and documented Review/assess procedures for backup and recovery and validate that procedures are followed Review/assess procedures for problem/issue management and validate that procedures are followed

Conclusion/Q&A

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information