IT6/M46
CONTROL CATEGORIES / CONTROL POLICIES & TECHNIQUES / RECOMMENDATIONS

QUALITY ASSURANCE CONTROL
Control policies and techniques: Reviewing the quality and accuracy of output.
Recommendations: Check and verify the accuracy of embossed and encoded credit cards before distribution to customers.

DOCUMENTATION CONTROL
Control policies and techniques: Documentation; programmer manuals.

INTERNAL AUDIT
Control policies and techniques: Audit of the company's controls and compliance with policies and procedures.
DISASTER RECOVERY PLAN
Control policies and techniques: Maintaining back-up of important data and files in case of data loss due to unfortunate events by creating a disaster recovery team that will be responsible for creating a back-up plan and procedures as well as establishing and mainframe computers.
Control weaknesses: Network recovery procedures are not addressed, nor are procedures defined in the Card Production Department and Statement Production Department. Also, the existing plan was not tested for a 20-month period.
Recommendations: The disaster recovery team should be responsible for the following:
1. Ensuring that compliance requirements are covered, risks are adequately managed and outlays are kept in line with potential losses.
2. Identifying communications and networking capabilities necessary for recovery.
3. Assigning system experts who will be responsible for bringing systems and services back into operation during recovery.
AUTHORIZATION CONTROL
Control weaknesses: Only rudimentary password protection exists to ensure that the policy is followed. System security software, such as RACF or ACF2, is not installed to help prevent unauthorized modifications to application software, data files, or system software. No method exists to authorize or document changes made by systems programmers to sensitive areas such as the System Parameter Library (SPL), which contains key information for the audit, control and security of the MVS operating system.
Recommendations: Install RACF or ACF2 and test for effectiveness to prevent unauthorized personnel from gaining access and modifying application software, data files or system software. Assign an authorized and qualified system programmer to make changes to the system. Documentation for the procedures and modifications made should be kept and maintained for data recording and back-up purposes, as well as to be able to perform proper maintenance.
SEGREGATION OF DUTIES
Control policies and techniques: Ensuring that at least two individuals are responsible for the separate parts of any task to prevent error and fraud.
SECURITY CONTROL
Control policies and techniques: Protecting information systems from attacks against the confidentiality, integrity and availability of computer systems, networks and data.

ACCESS CONTROL
Control policies and techniques: The service organization has recently implemented an access control facility program to control access to programs and data in the batch and time-sharing environments: access to application systems by service organization employees through the in-house security system, or control of programmer access through the ACF2 access control software.
Control weaknesses: The service organization does not have a designated person who has responsibility for administering security.
1. No formalized, documented security procedures exist for the assignment of key cards allowing access to critical operational areas.
2. Security violation reports are not routinely reviewed.
3. Passwords are not routinely changed. Terminated and transferred employee passwords and key cards are not always removed or modified on the appropriate systems on a timely basis, and an excessive number of individuals are capable of performing password maintenance.
4. Groups of programmers share the same user IDs and passwords for time-sharing functions, thus decreasing the personal accountability for the use of the system.
5. The access control facility was not installed on the test computer, which was connected to the production computer and all disk files.
Recommendations: Develop a security policy and assign authorized personnel to administer security. Key cards should only be assigned to persons who are authorized to access critical operating areas. Security violations should be reviewed and violators should be given warnings or punishments. A password security policy should be established. Immediately delete the passwords and invalidate the key cards of terminated employees to avoid unauthorized access. Each employee should have a different and unique user ID and password, which should not be shared with others. Install the access control facility on the test computer to keep track of who is authorized to access the computer and to keep a log of access to the computer.

Control weaknesses: Systems programmers are given unrestricted access to the System Management Facility (SMF), which is the primary audit trail in the MVS operating system.
Recommendations: Systems programmers should not be given unrestricted access to the System Management Facility. Restrict their access to the facility and assign personnel who can supervise the facility. Create logs of who
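The access control weaknesses above (unreviewed violation reports, stale credentials of departed staff, shared user IDs, too many password administrators, an unprotected system connected to production) are the kind of thing an auditor can check mechanically from an HR roster and an account export. The script below is an added example and is not part of the audit report; the roster, account records, thresholds (one-day revocation, monthly report review, at most two password administrators) and field names are all constructed assumptions.

```python
"""Access-review checks for the findings listed under ACCESS CONTROL.

Added example, not part of the audit report. All data, field names and
policy thresholds below are assumptions made for the demonstration.
"""
from datetime import date, timedelta

# Constructed sample data: an HR roster and an account/key-card export.
TODAY = date(2024, 6, 30)

EMPLOYEES = {
    # employee_id: (name, status, date the status took effect)
    "E100": ("A. Lopez", "active", date(2021, 3, 1)),
    "E101": ("B. Chen", "terminated", date(2024, 5, 2)),
    "E102": ("C. Okafor", "transferred", date(2024, 6, 1)),
    "E103": ("D. Patel", "active", date(2020, 9, 15)),
    "E104": ("E. Novak", "active", date(2022, 1, 10)),
}

ACCOUNTS = [
    # "owners" lists every person known to use the user ID; "pw_admin" marks
    # accounts allowed to perform password maintenance for others.
    {"user_id": "ALOPEZ", "owners": ["E100"], "enabled": True, "pw_admin": False},
    {"user_id": "BCHEN", "owners": ["E101"], "enabled": True, "pw_admin": True},
    {"user_id": "COKAFOR", "owners": ["E102"], "enabled": True, "pw_admin": False},
    {"user_id": "TSOPROG", "owners": ["E103", "E104"], "enabled": True, "pw_admin": True},
    {"user_id": "DPATEL", "owners": ["E103"], "enabled": True, "pw_admin": True},
]

KEY_CARDS = {"KC-01": "E100", "KC-02": "E101", "KC-03": "E103"}

SYSTEMS = [
    {"name": "PROD-MVS", "access_control_installed": True, "connected_to_production": True},
    {"name": "TEST-MVS", "access_control_installed": False, "connected_to_production": True},
]

# Dates on which the security-violation report was last reviewed (constructed).
VIOLATION_REPORT_REVIEWS = [date(2024, 3, 1), date(2024, 4, 2)]

MAX_REVIEW_GAP = timedelta(days=31)    # assumed policy: review the report monthly
MAX_PW_ADMINS = 2                       # assumed policy: at most two password administrators
TERMINATION_GRACE = timedelta(days=1)   # assumed policy: revoke within one day


def stale_credentials(employees=EMPLOYEES, accounts=ACCOUNTS, key_cards=KEY_CARDS, today=TODAY):
    """Finding 3: credentials of terminated or transferred staff still active."""
    gone = {eid for eid, (_, status, when) in employees.items()
            if status in ("terminated", "transferred") and today - when > TERMINATION_GRACE}
    findings = []
    for acct in accounts:
        departed = [o for o in acct["owners"] if o in gone]
        if acct["enabled"] and departed:
            findings.append(f"user ID {acct['user_id']} still enabled for departed employee(s) {departed}")
    for card, eid in key_cards.items():
        if eid in gone:
            findings.append(f"key card {card} still assigned to departed employee {eid}")
    return findings


def shared_user_ids(accounts=ACCOUNTS):
    """Finding 4: a user ID used by several people removes personal accountability."""
    return [a["user_id"] for a in accounts if len(a["owners"]) > 1]


def excessive_password_admins(accounts=ACCOUNTS, limit=MAX_PW_ADMINS):
    """Finding 3 (second part): too many individuals can perform password maintenance."""
    admins = sorted(a["user_id"] for a in accounts if a["pw_admin"] and a["enabled"])
    return admins if len(admins) > limit else []


def unprotected_systems(systems=SYSTEMS):
    """Finding 5: anything connected to production must run the access control facility."""
    return [s["name"] for s in systems
            if s["connected_to_production"] and not s["access_control_installed"]]


def violation_reports_unreviewed(reviews=VIOLATION_REPORT_REVIEWS, today=TODAY, max_gap=MAX_REVIEW_GAP):
    """Finding 2: security-violation reports must be reviewed routinely.
    Returns a finding string, or None when the last review is within the gap."""
    last = max(reviews) if reviews else None
    if last is None or today - last > max_gap:
        return f"violation reports last reviewed {last}; gap exceeds {max_gap.days} days"
    return None


def access_review(today=TODAY):
    """Collect every check into one report dictionary."""
    return {
        "stale_credentials": stale_credentials(today=today),
        "shared_user_ids": shared_user_ids(),
        "excessive_password_admins": excessive_password_admins(),
        "unprotected_systems": unprotected_systems(),
        "violation_reports": violation_reports_unreviewed(today=today),
    }


if __name__ == "__main__":
    for section, result in access_review().items():
        print(f"{section}: {result}")
```

Each function returns an empty list or None when the control is satisfied, so the same script doubles as an acceptance test once the recommendations have been implemented: rerun it after the clean-up and expect an empty report.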
PASSWORD CONTROL
Recommendations:
1. determine that weak passwords are identified and disallowed.
2. Verify that users are changing their passwords regularly.
3. Verify that the password file is encrypted and that the encryption key is properly secured.
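The three password-control recommendations map onto three checks: a rule set that rejects weak passwords at the point of change, a rotation check over the last-changed dates, and a storage check on the password file. The code below is an added example, not from the audit report. Its minimum length, banned list and 90-day rotation interval are assumed policy values, its sample records are constructed, and for the storage check it uses a salted scrypt hash per entry (so the file holds nothing recoverable) rather than the report's encrypted file with a secured key; that substitution is the author's choice here, not the report's.

```python
"""Password-control checks for the PASSWORD CONTROL recommendations.

Added example, not part of the audit report. Policy values, sample
records and the storage scheme are assumptions.
"""
import hashlib
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 8                          # assumed policy
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed policy: rotate quarterly
# Constructed short banned list; a deployment would load a large breached-password list.
BANNED = {"password", "welcome", "letmein", "qwerty", "12345678", "abc12345"}

TODAY = date(2024, 6, 30)
# Constructed (user_id, date password last changed) records.
SAMPLE_RECORDS = [("alopez", date(2024, 6, 1)), ("bchen", date(2024, 1, 15))]


def weak_password_reasons(password, user_id):
    """Recommendation 1: identify weak passwords so they can be disallowed.
    Returns the list of rules the password breaks; empty means acceptable."""
    reasons = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if low in BANNED:
        reasons.append("in banned-password list")
    if user_id.lower() in low:
        reasons.append("contains the user ID")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    if re.search(r"(.)\1\1", password):
        reasons.append("three identical characters in a row")
    return reasons


def overdue_rotations(records, today):
    """Recommendation 2: verify users are changing passwords regularly."""
    return [uid for uid, changed in records if today - changed > MAX_PASSWORD_AGE]


def hash_password(password, salt=None):
    """Store a salted scrypt hash instead of a recoverable value. A leaked file
    then yields nothing that can be decrypted, which is stronger than keeping
    an encryption key next to the file."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare."""
    scheme, salt_hex, _ = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported storage scheme")
    return hash_password(password, bytes.fromhex(salt_hex)) == stored


# Constructed password file: one protected entry and one plaintext entry.
PASSWORD_FILE = [
    "alopez:" + hash_password("Tr0ub4dor&3", b"\x01" * 16),  # fixed salt so the sample is reproducible
    "dpatel:Summer2024",                                      # plaintext: must be flagged
]


def plaintext_entries(lines):
    """Recommendation 3: flag entries that are not stored in the protected form."""
    flagged = []
    for line in lines:
        user, stored = line.split(":", 1)
        if not stored.startswith("scrypt$"):
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    print(weak_password_reasons("password", "alopez"))
    print(overdue_rotations(SAMPLE_RECORDS, TODAY))
    print(plaintext_entries(PASSWORD_FILE))
```

The weak-password rules run at password-change time, so a rejected password never reaches the file; the other two checks run on a schedule over the stored records and are what an auditor would rerun to close items 2 and 3.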
SYSTEM DEVELOPMENT CONTROL
Control weaknesses: The service organization does not have a consistently applied systems development methodology in place. Client organization sign-off on systems prior to implementation is not solicited by the service organization. Program documentation is not consistently prepared. Program modifications are often placed into production without supervisory review or user approval.
Recommendations: Develop a system development plan/documentation. This is important to make sure that the system is in line with the strategic objectives of the firm. Supervision during system development should be done to ensure that the system is properly implemented and no modifications are made. Testing of the system should be assigned to personnel other than the programmer/developer/
Review of the test results should also be done and should be assigned to personnel other than the programmer and tester.
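The system development recommendations, together with the SEGREGATION OF DUTIES row, describe a release gate: a program modification reaches production only when documentation exists, someone other than the developer tested it, someone other than the developer and the tester reviewed the test results, a supervisor reviewed it and the client signed off. The code below is an added example, not from the audit report; the change-record fields and the sample records are assumptions.

```python
"""Release gate for the SYSTEM DEVELOPMENT CONTROL recommendations.

Added example, not part of the audit report. The record fields and
sample changes are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ChangeRecord:
    change_id: str
    developer: str
    tester: Optional[str] = None
    test_reviewer: Optional[str] = None
    supervisor_approval: Optional[str] = None   # who performed the supervisory review
    client_signoff: Optional[str] = None        # who signed off for the client organization
    documentation: str = ""                     # reference to the program documentation
    test_results: str = ""                      # reference to the recorded test results


def gate_violations(rec: ChangeRecord) -> List[str]:
    """Return every reason the change may not be placed into production."""
    v = []
    if not rec.documentation:
        v.append("program documentation not prepared")
    if not rec.test_results:
        v.append("no recorded test results")
    if rec.tester is None:
        v.append("not tested")
    elif rec.tester == rec.developer:
        v.append("tester is the developer (segregation of duties)")
    if rec.test_reviewer is None:
        v.append("test results not reviewed")
    elif rec.test_reviewer in (rec.developer, rec.tester):
        v.append("test reviewer is the developer or tester (segregation of duties)")
    if not rec.supervisor_approval:
        v.append("no supervisory review")
    elif rec.supervisor_approval == rec.developer:
        v.append("developer approved own change")
    if not rec.client_signoff:
        v.append("client sign-off not obtained")
    return v


def may_promote(rec: ChangeRecord) -> bool:
    return not gate_violations(rec)


def promotion_audit(records: List[ChangeRecord], in_production: List[str]) -> List[str]:
    """Finding check: changes already in production that would fail the gate."""
    by_id = {r.change_id: r for r in records}
    return [cid for cid in in_production if cid in by_id and not may_promote(by_id[cid])]


# Constructed sample records.
GOOD = ChangeRecord("CHG-001", developer="dpatel", tester="cokafor", test_reviewer="alopez",
                    supervisor_approval="enovak", client_signoff="client QA lead",
                    documentation="docs/CHG-001.md", test_results="tests/CHG-001-results.txt")
BAD = ChangeRecord("CHG-002", developer="dpatel", tester="dpatel", test_reviewer="dpatel")
IN_PRODUCTION = ["CHG-001", "CHG-002"]

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec.change_id, "promote" if may_promote(rec) else gate_violations(rec))
    print("in production without passing the gate:", promotion_audit([GOOD, BAD], IN_PRODUCTION))
```

Run before each promotion, `may_promote` enforces the recommendations; run over the production inventory, `promotion_audit` reproduces the report's finding that modifications reach production without review or approval.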
AUDIT OPINION:
In our opinion, Reliable Credit Card Inc. has a few specific control weaknesses. However, Reliable Credit Card Inc.'s control weaknesses are fairly general, and the controls evaluated are adequate, appropriate, and effective to provide reasonable assurance that risks are being managed and objectives are met. Also, a majority of the control objectives were achieved by Reliable Card Inc.