IT6-A
M36
PROF. GONZAGA

RECOMMENDATIONS

A quality assurance function should exist to ensure the quality of service provided to clients.
Output information to other application systems should be complete and accurate.
The data center and client functions should be structured to maintain adequate segregation of duties.
Appropriate administrative policies and procedures should be documented.
Data transmissions between the service organization and clients should be complete, accurate, and secure.
Internal audit should provide a review and verification of electronic data processing operations.
Data transmissions between the service organization's data centers should be complete, accurate, and secure.
New programs being developed and changes to existing programs should be authorized, tested, approved, properly implemented, and documented.
Changes to existing software should be authorized, tested, approved, and implemented properly.
Logical access to production programs and data in the mainframe environment should be granted only to appropriately authorized individuals.
Physical access to computer equipment and storage media should be limited to properly authorized individuals.
Input should be completely and accurately received from authorized sources.
Interchange transactions should be completely and accurately processed in accordance with client and association specifications.
Access to blank cards should be limited to authorized personnel, and inventory should be accounted for properly.
Credit card application information should be recorded completely, accurately, and in compliance with client specifications.
Output information should be complete, accurate, and distributed in accordance with client specifications.
The data center should be organized to provide adequate segregation of duties and functions.
Output to other application systems at the service organization should be complete and accurate.

CONTROL CATEGORIES AND CONTROL POLICIES & TECHNIQUES

Physical Security Control: All physical security systems must comply with all applicable
Processing Control
Logical Security Control: Limiting programs or utilities available to only those needed by the position.
System Development and Maintenance Control: Maintaining of audit trails (logs).
System Development Control: Close management of any changes, additions and deletions to data held in a database made by any other means than the appropriate business application; e.g. the use of end-user tools to directly modify databases must be limited to authorized support and administrative personnel.
Processing Control
Logical Security Control: Ensure that software patches and updates are applied in a timely fashion.
Contingency & Recovery Plan Control: Develop and maintain corporate security operational policies, processes, procedures and tools for components of the Security Strategy. Performing a risk assessment.
Restricting Access to Production Programs
Logical Security Control: Increasing controls on key system directories.
System Maintenance Control: Internal procedures for information resource maintenance must include requirements for approval of the area head for any information resource removal for maintenance/repair activities.
Input Control: The re-key must use original source documents and
Operating Control: It is up to the installation to determine what security is required for the system.
Logical Security Controls: Passwords shall be changed on a regular basis (at least once every 60 days).
Physical Security Control: Physical access to all Information Resources restricted facilities must be documented and
System Development Control
System Development Control: Processes for appropriate action if validation errors occur.
Computer Center Security Control: Preventive security controls are put into place to prevent intentional or unintentional disclosure, alteration, or destruction (D.A.D.) of sensitive information.
Contingency and Recovery Plan Control: Processing and operations are analyzed to determine the maximum amount of time that the department and organization can operate without each critical system.

WEAK CONTROLS OR DEFICIENCIES

1. The quality assurance department does not review output from each plastic card production run for either embossing or encoding accuracy. Without quality assurance or other review, incorrectly embossed or encoded credit cards could be distributed to user institution customers. A possible ramification of an encoding error is that the daily withdrawal limit located on track 3 of the card's magnetic stripe could be greater than the amount intended.

2. Programmer manuals describing file layouts, record layouts, subroutine calls, and other pertinent information are not consistently prepared. After initial development, program modifications or enhancements are more difficult and prone to error without detailed program documentation.

3. Although the service organization has a policy that authorizes only appropriate individuals to make program or other modifications, only rudimentary password protection exists to ensure that the policy is followed. System security application software, such as RACF or ACF, is not installed to help prevent unauthorized modifications to application software, data files, or system software.

4. The internal audit schedule is not adhered to, and the areas actually audited are subjectively determined. Audit reports are not always issued on a timely basis, management responses are not documented, and follow-up audits to determine the implementation status of recommendations are not performed. The internal audit department does not consistently review system design, development, and maintenance controls for program changes. Information systems audit personnel do not routinely attend meetings in which system enhancements and major rewrites of the systems affecting all user institutions are determined.

5. The service organization does not have a consistently applied systems development methodology in place. Client organization sign-off on systems prior to implementation is not solicited by the service organization. Program documentation is not consistently prepared. Program modifications are often placed into production without supervisory review or user approval.

6. Programmer manuals describing file layouts, record layouts, subroutine calls, and other pertinent information are not consistently prepared. After initial development, program modifications or enhancements are more difficult and prone to error without detailed program documentation.

7. Programmers are able to write and authorize their own program changes to be placed into production without consistent review or approval. Once a program is assigned to a programmer for modification, the completion of testing is generally at the programmer's discretion. System validation tests are not routinely performed to ensure that no source code was accidentally deleted or otherwise improperly modified.

8. The service organization does not have a designated person who has responsibility for administering security. No formalized, documented security procedures exist for the assignment of key cards allowing access to critical operational areas, access to application systems by service organization employees through the in-house security system, or control of programmer access through the ACF2 access control software. Security violation reports are not routinely reviewed, passwords are not routinely changed, terminated and transferred employee passwords and key cards are not always removed or modified on the appropriate systems on a timely basis, and an excessive number of individuals are capable of performing password maintenance. Groups of programmers share the same user IDs and passwords for timesharing functions, thus decreasing the personal accountability for the use of the system. The service organization has recently implemented an access control facility program to control access to programs and data in the batch and timesharing environments. However, the access control facility was not installed on the test computer, which was connected to the production computer and all disk files.

9. System and production tapes, which would be required in the event of a recovery of data processing service, are not always maintained in

authorized programs, some of which were old and undocumented. During our review, all 25 of these programs were either deleted or moved to a more appropriate library.

possible for a programmer to read a production tape, create a copy of it with certain records changed, and substitute it for the production tape.

17. The service organization does not have a consistently applied formal systems development methodology in place. Furthermore, written user approval of the systems prior to implementation is not always obtained by the service organization, program documentation is not routinely prepared, and program modifications are sometimes placed into production without supervisory review or user approval. As a result, there is an increased risk that areas of user concern could be bypassed, important control features could be overlooked, and programs may not be properly tested or designed to meet user specifications.

18. Programmer documentation describing file layouts, record layouts, subroutine calls, and other data are not routinely prepared. As a result, after a system is developed, program modifications or enhancements are more difficult to perform, and such changes are more likely to contain errors.

19. Programmers are able to write and authorize their own program changes to be placed into production without consistent review or approval. Once a program is assigned to a programmer for modification, the completion of testing is generally at the programmer's discretion. Test plans are not consistently prepared, and

20. Application programmers have write access to a variety of production source, parameter, cataloged procedure, and macro libraries. This access is not logged by ACF2. Thus, programmers could make unauthorized changes to the source code, which might be placed into production at a later time.

21. The service organization's disaster recovery plan has been developed to address only the destruction of the main data center and the IBM mainframe computers. Network recovery procedures are not addressed, nor are procedures defined in the Card Production Department and Statement Production Department. Also, the existing plan was not tested for a 20-month period.

When a service auditor's report does not express an opinion as to the operating effectiveness of the policies and procedures in place at a service organization, an internal auditor should recommend to the process owner at the client organization that they ask the service organization why the service auditor did not perform tests of operating effectiveness. The most common reason is that the service organization was avoiding the additional fee that would be charged by the service auditor to perform additional testing.

AUDIT OPINION:
In our opinion,
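The following is an added worked example, not part of the audit document or of the service organization's own systems. It illustrates the control that finding 1 reports as missing: a quality assurance review of each plastic card production run against the authorized application file, checking embossing fields and the encoded daily withdrawal limit. The record layout, field names, account references and sample records are constructed assumptions; the real track 3 layout is not modelled, only the daily-limit field the finding mentions.

```python
"""Card production run QA reconciliation (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CardRecord:
    account_ref: str    # internal application reference (constructed, not a card number)
    embossed_name: str  # name as embossed on the plastic
    expiry: str         # MMYY as embossed
    daily_limit: int    # encoded daily withdrawal limit, whole currency units


def reconcile_run(authorized: Dict[str, CardRecord], produced: List[CardRecord]) -> List[str]:
    """Compare one production run's output against the authorized application file.

    Returns one exception string per discrepancy. An empty list means the run can
    be released; any exception means the affected cards are held for correction.
    """
    exceptions: List[str] = []
    seen = set()
    for card in produced:
        source = authorized.get(card.account_ref)
        if source is None:
            exceptions.append(f"{card.account_ref}: produced card has no authorized application record")
            continue
        if card.account_ref in seen:
            exceptions.append(f"{card.account_ref}: duplicate card in this run")
        seen.add(card.account_ref)
        if card.embossed_name != source.embossed_name:
            exceptions.append(
                f"{card.account_ref}: embossed name {card.embossed_name!r} differs from application {source.embossed_name!r}"
            )
        if card.expiry != source.expiry:
            exceptions.append(f"{card.account_ref}: embossed expiry {card.expiry} differs from application {source.expiry}")
        if card.daily_limit != source.daily_limit:
            # An encoded limit above the authorized one is the track 3 error the finding describes.
            direction = "EXCEEDS" if card.daily_limit > source.daily_limit else "is below"
            exceptions.append(
                f"{card.account_ref}: encoded daily limit {card.daily_limit} {direction} authorized {source.daily_limit}"
            )
    # Cards that were authorized but never came out of the run are also an exception.
    for ref in sorted(set(authorized) - seen):
        exceptions.append(f"{ref}: authorized card was not produced in this run")
    return exceptions


def sample_run_exceptions() -> List[str]:
    """Run the reconciliation over a constructed application file and production output."""
    authorized = {
        "APP-0001": CardRecord("APP-0001", "J DOE", "1226", 500),
        "APP-0002": CardRecord("APP-0002", "M ROE", "0327", 300),
        "APP-0003": CardRecord("APP-0003", "K LEE", "1125", 200),
    }
    produced = [
        CardRecord("APP-0001", "J DOE", "1226", 500),      # correct
        CardRecord("APP-0002", "M ROE", "0327", 3000),     # encoding error: limit ten times the intended amount
        CardRecord("APP-0003", "K LEA", "1125", 200),      # embossing error in the name
        CardRecord("APP-0004", "X NOBODY", "0130", 100),   # no application record at all
    ]
    return reconcile_run(authorized, produced)


if __name__ == "__main__":
    for line in sample_run_exceptions():
        print(line)
```

The check is deliberately two-sided: a produced card with no application record is as much an exception as an authorized card that never came out of the run, and a limit encoded below the authorized amount is reported even though it is the less dangerous direction.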
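A second added example, again not from the audit document, shows the review that findings 7 and 19 (programmers writing and authorizing their own changes, with testing at the programmer's discretion) and finding 20 (programmer write access to production source, parameter, cataloged procedure and macro libraries that is not logged) say is absent. The change and access-rule record layouts, the library names, the user IDs and the sample records are constructed assumptions and do not follow any ACF2 report format.

```python
"""Change-control and production-library access review (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    library: str                 # target library of the change
    author: str                  # programmer who wrote the change
    approver: Optional[str]      # who approved promotion to production; None = no approval recorded
    tested_by: Optional[str]     # who signed off testing; None = no sign-off recorded
    has_test_plan: bool


@dataclass(frozen=True)
class AccessRule:
    user: str
    library: str
    access: str    # "READ" or "WRITE"
    logged: bool   # whether accesses under this rule are written to the audit trail


# Constructed names standing in for the library types finding 20 lists.
PRODUCTION_LIBRARIES: Set[str] = {"PROD.SOURCE", "PROD.PARMLIB", "PROD.PROCLIB", "PROD.MACLIB"}


def review_changes(changes: List[ChangeRecord]) -> List[str]:
    """Flag production changes that bypass independent approval or independent testing."""
    issues: List[str] = []
    for c in changes:
        if c.library not in PRODUCTION_LIBRARIES:
            continue  # changes to test libraries are outside this control
        if c.approver is None:
            issues.append(f"{c.change_id}: promoted to {c.library} with no approval recorded")
        elif c.approver == c.author:
            issues.append(f"{c.change_id}: author {c.author} approved their own change (segregation of duties)")
        if not c.has_test_plan:
            issues.append(f"{c.change_id}: no test plan prepared")
        if c.tested_by is None:
            issues.append(f"{c.change_id}: no test sign-off recorded")
        elif c.tested_by == c.author:
            issues.append(f"{c.change_id}: testing signed off only by the author {c.author}")
    return issues


def review_access(rules: List[AccessRule], programmers: Set[str]) -> List[str]:
    """Flag programmer write access to production libraries, noting rules with no logging."""
    issues: List[str] = []
    for r in rules:
        if r.library in PRODUCTION_LIBRARIES and r.user in programmers and r.access == "WRITE":
            msg = f"{r.user}: WRITE access to {r.library}"
            if not r.logged:
                msg += " (access not logged)"
            issues.append(msg)
    return issues


def sample_change_issues() -> List[str]:
    changes = [
        ChangeRecord("CHG-101", "PROD.SOURCE", "pgm01", "mgr01", "qa01", True),     # independently approved and tested
        ChangeRecord("CHG-102", "PROD.PARMLIB", "pgm02", "pgm02", "pgm02", False),  # self-approved, self-tested, no plan
        ChangeRecord("CHG-103", "TEST.SOURCE", "pgm03", None, None, False),         # test library, out of scope
        ChangeRecord("CHG-104", "PROD.PROCLIB", "pgm03", None, None, True),         # no approval, no test sign-off
    ]
    return review_changes(changes)


def sample_access_issues() -> List[str]:
    rules = [
        AccessRule("pgm01", "PROD.SOURCE", "WRITE", False),
        AccessRule("pgm02", "PROD.SOURCE", "READ", True),
        AccessRule("ops01", "PROD.PROCLIB", "WRITE", False),  # operations staff, not a programmer
        AccessRule("pgm03", "PROD.MACLIB", "WRITE", True),
    ]
    return review_access(rules, {"pgm01", "pgm02", "pgm03"})


if __name__ == "__main__":
    for line in sample_change_issues() + sample_access_issues():
        print(line)
```

Write access that is logged is still reported: logging gives the audit trail the recommendations call for, but it does not by itself restore the segregation between writing a change and promoting it to production.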