Presenter: Ben Miron September 9, 2008
1 Understanding IT General Controls Presenter: Ben Miron September 9, 2008
2 Session Objectives
- Understand the IT environment
- Define and identify IT general controls
- Develop an understanding of the IT audit process
- Conduct an IT general controls walkthrough
- Example tests of IT controls
- Conclude and document our results
3 IT Environment
Understand the IT environment. Purpose:
- Identify all significant applications and infrastructure
- Relationship between processes and applications
- Relationship between applications and infrastructure
- Indicate where we might want to rely on electronic audit evidence
- Identify areas on which to focus our review
4 IT Environment
(Diagram: the IT environment comprises application controls and IT general controls.)
5 IT General Control Approach (COSO / COBIT Approach)
(Diagram: the COSO cube, with Objectives on one axis, Components on the second and Functions / Units on the third. Components: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring.)
6 Categories of Controls
(Diagram: controls classified by type of control and by objective of control.)
- Type of control: manual (manual controls, IT-dependent manual controls) or automated (application controls, IT general controls)
- Objective of control: prevent and detect misstatement in the financial statements (manual, IT-dependent manual and application controls); support the continued functioning of automated aspects of prevent and detect controls (IT general controls)
7 Effect of ITGC on Application Controls
- Effective IT general controls: help make sure that application controls function effectively over time
- Ineffective IT general controls: application controls might still operate effectively; this affects both the financial statement and internal control audit strategy, such as the nature, timing, and extent of tests of application controls
8 IT General Control Objectives
- Change Management: only appropriately authorized, tested and approved changes are made
- Logical Access: only authorized persons have access to the system, and they can only perform specifically authorized functions
- Other IT General Controls (including IT operations): a process for determining that IT resources and applications continue to function as intended over time
9 Logical Access Controls
- General system security settings are appropriate.
- Password settings are appropriate.
- Access to privileged IT functions is limited to appropriate individuals.
- Access to system resources and utilities is limited to appropriate individuals.
- User access is authorized and appropriately established.
- Physical access to computer hardware is limited to appropriate individuals.
- Logical access process is monitored.
- Segregation of incompatible duties exists within the logical access environment.
10 Other IT General Controls
- Financial data has been backed up and is recoverable.
- Deviations from scheduled processing are identified and resolved in a timely manner.
- IT operations problems or incidents are identified, resolved, reviewed, and analyzed in a timely manner.
11 Manage Change and Logical Access
12 Manage Change
What is the manage change scope?
- New system implementations (SDLC)
- Upgrade of existing system
- Addition of new functionality to an existing system
- New or changed interfaces connecting different applications
- Minor enhancement
- Patch to an existing system
- Emergency changes
- Configuration changes
13 Manage Change Controls
- Changes are authorized.
- Changes are tested.
- Changes are approved.
- Changes are monitored.
- Segregation of incompatible duties exists within the manage change environment.
Example: multiple applications with different change processes
(Diagram: the applications Meditech, Lawson and PeopleSoft mapped to separate change processes, Change Process 1 and Change Process 2.)
14 Logical Access Process Components
(Diagram: three groups of components.)
- Logical Security Procedures: User ID maintenance, system settings maintenance, monitoring, and more
- Policies: security policy, confidentiality policy, data definition policy, policy awareness programs, and more
- Configurations: system configurations, groups and profiles, super users, password settings, segregation of duties, logical access path, and more
15 Conducting IT General Control Walkthroughs
16 Walkthroughs: The Purpose
Why do we perform walkthroughs? To confirm:
- Our understanding of the processing procedures
- Our understanding of the relevant controls
- That relevant controls have been placed in operation and are operating effectively
- Our documentation
17 Walkthroughs: The Methods
Methods of gathering evidence during walkthroughs:
- Inquiring of a client to corroborate our understanding
- Selecting an item over which the controls are designed to operate and inspecting evidence of the operation of the controls on that item
- Examining the client's documentation of the control's design
- Examining reports used to monitor the controls
- Observing whether the process owner or others act upon the results of the controls
18 Walkthroughs: The Results
- Following our walkthrough, we make a preliminary evaluation of the effectiveness of controls
- The preliminary evaluation is made for each IT general control
19 Tests of Controls
20 Tests of Controls
Determine whether the controls:
- Operated as we understood they would operate
- Were applied throughout the period of intended reliance
- Were applied on a timely basis
- Encompassed applicable transactions
- Were based on reliable information
- Resulted in the timely correction of any errors identified
21 Tests of Controls: Nature
What are the different ways we can test controls?
- Inquiry
- Observation
- Inspection
- Re-performance
Inquiry alone does not provide sufficient evidence that the control operated throughout the period of intended reliance.
22 Tests of Controls: Exceptions
What is an exception? An internal control exception occurs when we find that the control we are testing did not operate as intended. We investigate all internal control exceptions to determine:
- That our understanding is correct
- Their causes and implications
- The potential effects on other audit procedures
- The appropriate reporting to management and the audit committee
23 Tests of Controls: Example
Program Changes:
Program change requests from the business line filter through the Business System Administrator, who determines if the change is valid. E-mails the request to IT and a completed Issue Tracker form to the account. The Issue Tracker form lists the requestor's name and details the problem encountered. The request is then input into an Access database and assigned a ticket number for tracking purposes. Changes to application source code must be done by the vendor. Accordingly, requested changes are input to a web-based application tracker. Manager meetings are held bi-weekly to review, update, and prioritize issues. Any planned system downtime is communicated to users via notifications. Changes are initially applied in the test environment where they are validated by both IT and the requestor. Test documentation is produced and stored with the Change Request Form. Approvals for change migrations to production are e-mailed to the assigned Developer by the requestor after successful testing is performed by the requestor and another assigned analyst. Weekly team meetings are held in which it is determined which changes will be moved into production for that week. Standard, non-code migration changes are moved into production daily. The application owner initials all Change Request Forms before migration. The ticket owner (analyst) is ultimately responsible for making the change and moving it into production by compiling / rebuilding the change in the production environment.
(Controls identified in the narrative: CM.1, CM.2, CM.3, CM.4.)
24 Tests of Controls: Example (cont.)
Test Objective and Scope: To verify that changes are authorized, tested and approved by the business prior to implementation to production.
Test Population / Source of Data: Extracted data from
Sample Selection Process: Random / Haphazard
Control Effective Date: January 1, 2008
Conclusion: Effective
Control ID | Control Description | Frequency | Type
CM.1 | Prior to development, all changes must be authorized by IT and business management. | Event Driven | Preventative
CM.2 | Changes are applied in the test environment where they are validated by both IT and the requestor. | Event Driven | Preventative
CM.3 | Approvals for change migrations to production are e-mailed to the assigned Developer by the requestor after successful testing is performed by the requestor and another assigned analyst. | Event Driven | Preventative
CM.4 | The application owner initials all Change Request Forms before migration. | Event Driven | Preventative
25 Tests of Controls: Example Test Matrix
Item ID | Item Description | Evidence Ref | Control ID: CM.1 CM.2 CM.3 CM.4
1 | Code change 1 | CM T 01 |
2 | Code change 2 | CM T 02 |
3 | Code change 3 | CM T 03 | X
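The example above walks from a process narrative to four controls (CM.1 to CM.4), a sample of changes, and a test matrix that marks exceptions. The following is an added example, not code from the presentation, that re-performs those four tests over a constructed population of change tickets and produces the same kind of matrix and conclusion. The `ChangeRecord` fields, the ticket ids and all dates are constructed; the evidence references reuse the slide's "CM T 01" naming. Sample selection is done with a seeded random draw so that the selection can be reproduced when the test is re-performed.

```python
"""Added example: tests of controls CM.1 to CM.4 over a constructed population
of change tickets, producing a test matrix. Not code from the presentation."""
import random
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ChangeRecord:          # constructed record layout, one row per change ticket
    ticket: str
    description: str
    evidence_ref: str
    authorized_by: frozenset      # who authorized before development: "IT", "BUSINESS"
    authorized_on: date
    development_started: date
    tested_in_test_env: bool
    validated_by: frozenset       # who validated in the test environment: "IT", "REQUESTOR"
    requestor: str
    migration_approval_from: str  # who e-mailed migration approval to the developer, "" if none
    second_tester: str            # analyst who tested alongside the requestor, "" if none
    owner_initialed: bool         # application owner initialed the Change Request Form
    migrated_on: date


def cm1_authorized(c):
    """CM.1: authorized by IT and business management before development started."""
    return {"IT", "BUSINESS"} <= c.authorized_by and c.authorized_on <= c.development_started


def cm2_tested(c):
    """CM.2: applied in the test environment and validated by both IT and the requestor."""
    return c.tested_in_test_env and {"IT", "REQUESTOR"} <= c.validated_by


def cm3_approved(c):
    """CM.3: migration approval sent by the requestor after testing by the requestor and another analyst."""
    return c.migration_approval_from == c.requestor and c.second_tester not in ("", c.requestor)


def cm4_initialed(c):
    """CM.4: application owner initials the Change Request Form before migration."""
    return c.owner_initialed


TESTS = {"CM.1": cm1_authorized, "CM.2": cm2_tested, "CM.3": cm3_approved, "CM.4": cm4_initialed}


def select_sample(population, size, seed):
    """Random selection from the extracted population; the seed makes the draw reproducible."""
    return random.Random(seed).sample(population, size)


def build_test_matrix(sample, period_start, period_end):
    """One row per sampled item with a pass/fail result for each control."""
    rows = []
    for item_id, c in enumerate(sample, start=1):
        if not period_start <= c.migrated_on <= period_end:
            raise ValueError(f"{c.ticket} was migrated outside the period of intended reliance")
        rows.append({"item_id": item_id, "ticket": c.ticket, "description": c.description,
                     "evidence_ref": c.evidence_ref,
                     **{cid: test(c) for cid, test in TESTS.items()}})
    return rows


def exceptions(rows):
    """(ticket, control) pairs where the control did not operate as intended."""
    return [(r["ticket"], cid) for r in rows for cid in TESTS if not r[cid]]


def conclude(rows):
    found = exceptions(rows)
    return "Effective" if not found else f"{len(found)} exception(s) noted"


def render_matrix(rows):
    """Plain-text matrix in the layout of the slide: an X marks an exception."""
    header = f"{'Item':>4}  {'Description':<18}{'Evidence':<10}" + "".join(f"{cid:>6}" for cid in TESTS)
    lines = [header]
    for r in rows:
        marks = "".join(f"{'' if r[cid] else 'X':>6}" for cid in TESTS)
        lines.append(f"{r['item_id']:>4}  {r['description']:<18}{r['evidence_ref']:<10}{marks}")
    return "\n".join(lines)


# Constructed population for the period of intended reliance (not real tickets).
PERIOD = (date(2008, 1, 1), date(2008, 12, 31))
POPULATION = [
    ChangeRecord("CR-101", "Code change 1", "CM T 01", frozenset({"IT", "BUSINESS"}), date(2008, 2, 1),
                 date(2008, 2, 4), True, frozenset({"IT", "REQUESTOR"}), "jsmith", "jsmith", "analyst2",
                 True, date(2008, 2, 20)),
    ChangeRecord("CR-102", "Code change 2", "CM T 02", frozenset({"BUSINESS"}), date(2008, 3, 3),
                 date(2008, 3, 5), True, frozenset({"IT", "REQUESTOR"}), "mlee", "mlee", "analyst4",
                 True, date(2008, 3, 21)),
    ChangeRecord("CR-103", "Code change 3", "CM T 03", frozenset({"IT", "BUSINESS"}), date(2008, 4, 7),
                 date(2008, 4, 9), True, frozenset({"IT", "REQUESTOR"}), "mlee", "mlee", "",
                 False, date(2008, 4, 25)),
    ChangeRecord("CR-104", "Config change 4", "CM T 04", frozenset({"IT", "BUSINESS"}), date(2008, 5, 10),
                 date(2008, 5, 3), True, frozenset({"REQUESTOR"}), "rkim", "rkim", "analyst7",
                 True, date(2008, 5, 30)),
]

if __name__ == "__main__":
    rows = build_test_matrix(POPULATION, *PERIOD)
    print(render_matrix(rows))
    print("Conclusion:", conclude(rows))
```

The period check in `build_test_matrix` enforces the "applied throughout the period of intended reliance" criterion from the Tests of Controls slide: an item migrated outside the period cannot serve as evidence for it and is rejected before any control is evaluated.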
26 Evaluating Control Deficiencies
27 Tests of Controls: Evaluate
When we have an exception, we must:
- Consider the results of the tests in relation to our preliminary evaluation of the controls to determine whether it is still appropriate. In some instances, the assessment is no longer appropriate.
- Reconsider our combined risk assessment and our audit approach.
28 Tests of Controls: Documentation
Should include:
- A detailed description of the specific controls tested
- The procedures used to test the controls
- The number of times each control will be tested
- The method used to select the items tested
- A list of the items tested
- A list of any exceptions, their causes, and implications
- Any changes to our strategy resulting from our tests
We carry this forward in years that we rotate our tests (NA under Integrated Audit).
29 Components of a Finding
- Observation
- Standard/Leading Practice
- Cause
- Business Risk/Effect
- Recommendation
30 Summary
- Identify ITGCs in the IT environment
- Document and walk through controls
- Perform tests of controls
- Describe how we evaluate the results of our tests to arrive at a conclusion
- Document test procedures and deficiencies
31 Questions?
32 THANK YOU!!!
33 Appendix - Common IT Definitions
34 Elements in the IT Infrastructure
Network Elements:
- LAN/WAN
- Router
- Switch
- Firewall
- Modem
- Remote Access Server
- Intrusion Detection Devices (IDS)
35 Common IT Terms
Operating System: An operating system (OS) is the program that controls the hardware and acts as the intermediary between the application(s) and the hardware. Common OSs are Windows (2000, XP, NT), UNIX, Novell and OS400.
Hardware: Hardware is the physical aspect of computers, telecommunications, and other information technology devices.
Application: An application is any program designed to perform a specific function directly for the user or, in some cases, for another application program.
36 Common IT Terms (cont.)
Local Area Network: A local area network (LAN) is a group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area.
Wide Area Network: A wide area network (WAN) is a geographically dispersed telecommunications network. The term distinguishes a broader telecommunication structure from a LAN.
37 Common IT Terms (cont.)
Virtual Private Network: A virtual private network (VPN) is a way to use a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure encrypted access to their organization's network.
Server: A server is a computer program that provides services to other computer programs in the same or other computers (e.g. file server, print server, application server, etc.).
38 Common IT Terms (cont.)
Remote Access: Remote access is the ability to get access to a computer or a network from a remote location.
Direct Dial-up: Dial-up pertains to a telephone connection. A dial-up connection is established and maintained for a limited time duration.
Gateway Server: A gateway is a network point that acts as an entrance to another network.
39 Common IT Terms (cont.)
Application Server: An application server is a server program in a computer in a distributed network that provides the business logic for an application program.
Infrastructure: In information technology and on the Internet, infrastructure is the physical hardware used to interconnect computers and users.
Firewall: A firewall is a physical device or set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks.
40 Common IT Terms (cont.)
ERP: ERP (Enterprise Resource Planning) is an industry term for the broad set of activities supported by multi-module application software that helps a manufacturer or other business manage the important parts of its business (e.g. SAP, PeopleSoft, etc.).
Database: A database is a collection of data that is organized so that its contents can easily be accessed, managed, and updated.
41 Common IT Terms (cont.)
Backup: The act of storing data from one system to another system or to a form of electronic media (i.e. tape, CD). Backups are generally performed on a regular basis and can be full, incremental, or differential.
Recovery: The act of applying stored data to a system in order to allow it to resume normal operations.
UPS: Uninterruptible Power Supply. A battery device that allows the systems on a network to continue operating for a limited time after a power failure. This permits an orderly shutdown of the servers and limits the risk of data loss.
42 Common IT Terms (cont.)
Business Continuity Plan: A business-level plan that describes how and where the business will prioritize its recovery from an unforeseen event and how it will restore and continue its operations.
Disaster Recovery Plan: An IT-level plan that describes how and where the IT department will prioritize the system and network recovery from an unforeseen event and how the department will restore and continue its operations (a Disaster Recovery Plan is part of an overall Business Continuity Plan and the two must be in sync).
43 Logical Access Path (LAP)
- How individuals get beyond logical security to the desired data
- Designed for the structured assessment of risks and related security measures in complex computer systems
(Diagram: the path from User to Data.)
44 Logical Access Path Overview
(Diagram: the software layers between User and Data, each described below.)
- Data Communication Software: transports data between the components of a network (e.g., end users' terminals) and system software in the transaction software layer
- Operating System: a shell that surrounds all system software layers. Each piece of software on each of the layers has an interface with the operating system
- Transaction Software: divides the available processing time among the active users and programs. Transactions (e.g., a menu option) can be composed of multiple programs
- Application Software: controls within applications aimed at the security of logical data
- Data Access Methods: access methods and database management controls that manage which parts of the data the application can access and in what way
45 Logical Access Path (Three Tier)
(Diagram: the three-tier logical access path, User to Data.)
- User: user interface; input data from user, output data to user
- Data Communication Software
- Transaction Software: central DB buffer
- Application Software (Application Server): central DB buffer
- Data Access Methods: reading database and updating buffer
- Main DB (Database Server): stores all data and application programs
- Operating System
- Data
46 Where To Find IT Terms & Acronyms
There are multiple web sites on the Internet that can be used to explain IT terms & acronyms. Some good ones are:
Your TSRS co-workers are also a great source for understanding terminology.
More informationPeopleSoft Finance Access and Security Audit
PeopleSoft Finance Access and Security Audit City of Minneapolis Internal Audit Department September 20, 2016 1 Contents Page Background... 3 Objective, Scope and Approach... 3 Audit Results and Recommendations...
More informationSolution Pack. Managed Services Virtual Private Cloud Managed Database Service Selections and Prerequisites
Solution Pack Managed Services Virtual Private Cloud Managed Database Service Selections and Prerequisites Subject Governing Agreement Term DXC Services Requirements Agreement between DXC and Customer
More informationCIO Guide: Disaster recovery solutions that work. Making it happen with Azure in the public cloud
CIO Guide: Disaster recovery solutions that work Making it happen with Azure in the public cloud Consult Build Transform Support When you re considering a shift to Disaster Recovery as a service (DRaaS),
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationSHARED SERVICES - INFORMATION TECHNOLOGY
Updated: February, 00 EB-00-0 Exhibit D Page of SHARED SERVICES - INFORMATION TECHNOLOGY.0 INTRODUCTION 0 Information Technology ( IT ) refers to computer systems (hardware, software and applications)
More informationSolution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites
Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC
More informationitexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공
itexamdump 최고이자최신인 IT 인증시험덤프 http://www.itexamdump.com 일년무료업데이트서비스제공 Exam : CISA Title : Certified Information Systems Auditor Vendor : ISACA Version : DEMO Get Latest & Valid CISA Exam's Question and
More informationUniversity of Hawaii Hosted Website Service
University of Hawaii Hosted Website Service Table of Contents Website Practices Guide About These Practices 3 Overview 3 Intended Audience 3 Website Lifecycle 3 Phase 3 Begins 3 Ends 3 Description 3 Request
More informationINTERNATIONAL STANDARD ON AUDITING 505 EXTERNAL CONFIRMATIONS CONTENTS
INTERNATIONAL STANDARD ON AUDITING 505 EXTERNAL CONFIRMATIONS (Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS Paragraph Introduction Scope of
More informationInformation Security in Corporation
Information Security in Corporation System Vulnerability and Abuse Software Vulnerability Commercial software contains flaws that create security vulnerabilities. Hidden bugs (program code defects) Zero
More informationUniversity Information Systems. Administrative Computing Services. Contingency Plan. Overview
University Information Systems Administrative Computing Services Contingency Plan Overview Last updated 01/11/2005 University Information Systems Administrative Computing Services Contingency Plan Overview
More informationInformation backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013
Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board Issued: September 2013 Document reference: 495A2013 Status of report This document has been prepared for the internal
More informationIntegrigy Consulting Overview
Integrigy Consulting Overview Database and Application Security Assessment, Compliance, and Design Services March 2016 mission critical applications mission critical security About Integrigy ERP Applications
More informationINFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare
INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore
More informationJOB TITLE: Senior Database Administrator PRIMARY JOB DUTIES Application Database Development
JOB TITLE: Senior Database Administrator The Senior Database Administrator is responsible for managing multiple production and nonproduction Oracle, MSSQL, and PostgreSQL databases: 4 production Oracle
More informationSecurity Correlation Server System Deployment and Planning Guide
CorreLog Security Correlation Server System Deployment and Planning Guide The CorreLog Server provides a method of collecting security information contained in log messages generated by network devices
More informationThe University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems
The University of Texas at El Paso Information Security Office Minimum Security Standards for Systems 1 Table of Contents 1. Purpose... 3 2. Scope... 3 3. Audience... 3 4. Minimum Standards... 3 5. Security
More informationPage 1 of 5. Rental Network Software Corp., Rental Management Software v9.0 (R90) Release Notes. Topics Covered:
Rental Network Software Corp., Rental Management Software v9.0 (R90) Release Notes Topics Covered: 1. Supported Configurations 2. Terminal Server 3. MDAC 2.7 Compatibility 4. Installing the application
More informationSan Francisco Chapter. What an auditor needs to know
What an auditor needs to know Course Objectives Understand what a data center looks and feels like Know what to look for in a data center and what questions to ask Deepening understanding of controls that
More informationWHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution
WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution Tervela helps companies move large volumes of sensitive data safely and securely over network distances great and small. We have been
More informationC22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers
C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers SAS No. 70 Practices & Developments Todd Bishop Director, Risk Assurance Services, PricewaterhouseCoopers Agenda SAS 70 Background
More informationInformation Technology Procedure IT 3.4 IT Configuration Management
Information Technology Procedure IT Configuration Management Contents Purpose and Scope... 1 Responsibilities... 1 Procedure... 1 Identify and Record Configuration... 2 Document Planned Changes... 3 Evaluating
More informationEXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security
More informationEpicor ERP Cloud Services Specification Multi-Tenant and Dedicated Tenant Cloud Services (Updated July 31, 2017)
Epicor ERP Cloud Services Specification Multi-Tenant and Dedicated Tenant Cloud Services (Updated July 31, 2017) GENERAL TERMS & INFORMATION A. GENERAL TERMS & DEFINITIONS 1. This Services Specification
More informationHIPAA Technical Safeguards and (a)(7)(ii) Administrative Safeguards
HIPAA Compliance HIPAA and 164.308(a)(7)(ii) Administrative Safeguards FileGenius is compliant with all of the below. First, our data center locations (DataPipe) are fully HIPAA compliant, in the context
More informationLOGGING AND AUDIT TRAILS
LOGGING AND AUDIT TRAILS Policy LOGGING AND AUDIT TRAILS - POLICY TMP-POL-LAT V3.00-EN, 26/06/2009 TABLE OF CONTENTS 1 INTRODUCTION... 3 1.1 Document Purpose... 3 1.2 Target Audience...3 1.3 Business Context...4
More informationSOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion
More informationAdministration and Data Retention. Best Practices for Systems Management
Administration and Data Retention Best Practices for Systems Management Agenda Understanding the Context for IT Management Concepts for Managing Key IT Objectives Aptify and IT Management Best Practices
More informationChapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC
Chapter 8: SDLC Reviews and Audit... 2 8.1 Learning objectives... 2 8.1 Introduction... 2 8.2 Role of IS Auditor in SDLC... 2 8.2.1 IS Auditor as Team member... 2 8.2.2 Mid-project reviews... 3 8.2.3 Post
More informationTop 10 ICS Cybersecurity Problems Observed in Critical Infrastructure
SESSION ID: SBX1-R07 Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure Bryan Hatton Cyber Security Researcher Idaho National Laboratory In support of DHS ICS-CERT @phaktor 16 Critical
More informationSystem Security Administration
UNCLASSIFIED System Security Administration Duties of the Security System Administrator (SSA) The SSA must be extremely knowledgeable about the configuration of the system, the inherent security weaknesses
More informationData Center Operations Guide
Data Center Operations Guide SM When you utilize Dude Solutions Software as a Service (SaaS) applications, your data is hosted in an independently audited data center certified to meet the highest standards
More informationApplication of Cryptographic Systems. Securing Networks. Chapter 3 Part 4 of 4 CA M S Mehta, FCA
Application of Cryptographic Systems Securing Networks Chapter 3 Part 4 of 4 CA M S Mehta, FCA 1 Application of Cryptographic Systems Learning Objectives Task Statements 1.3 Recognise function of Telecommunications
More information