IT Controls 1v

Upload: emil-jabrailzadeh

Post on 14-Apr-2018


  • 7/29/2019 IT Controls 1v

    1/32

A. APPLICATION SPECIFIC QUESTIONS

Application name

1. General

Implementation date: 2003

Interfaces to other applications (if yes, indicate to which application): No

System owner of application: Coltech MIS

System manager/administrator: Terrence Ramkissoon

2. Input and processing

Is input to the application centralised, decentralised or distributed? Provide detail on location of input sites.

Is processing of the application centralised, decentralised or distributed? Provide detail on location of processing sites.

Identify the nature of the processing environment: Mainframe / Client-server / Thick/thin client / Middleware / PC processing (limited/no processing on server)

Does on-line or batch processing take place? On-line processing

Is data downloaded for transfer to other computers for purposes of input, processing or output? Provide detail on when, how and why transfer takes place.

Who is responsible for the maintenance of standing data (e.g. tables, codes, tariffs) on the application and how is it done (via application/database, centrally/decentralised)? Provide name and contact details of responsible person/persons.

Do full-time operators handle processing and job scheduling or are operations automated? Provide name and contact detail of operators, if applicable.

Is the database of the application integrated or is there a separate database with a database management system in place? Integrated

Have there been any significant changes in the past year with regards to the input and processing of the application? Provide detail on nature and date of change.

IT Manager - Terrence Ramkissoon

Yes - all users at the college

Decentralised - Server situated at the Ladysmith Campus

Distributed - information is captured at Escourt, Ezakheni and Ladysmith

PC processing linked to the main server

Updated on a regular basis - latest update was 2 months ago (bursary module).

No - all data is on the server

3. Logon and authentication of users for access to application

Describe the logon path of a user to the application. Users access by remote connection

Is access to the application gained via a local area network (LAN), a wide area network (WAN) or is the application on a standalone PC? WAN

Who is responsible for security administration of users (i.e. set-up of new users etc.)? Provide names and contact details.

Have there been any significant changes in the past year with regards to the logon and authentication of users of the application? Provide detail on nature and date of change.

Are there any changes foreseen within the next year with regards to the logon and authentication of users of the application? Provide detail on nature and date of change.

4. Change control

Is the application: In-house developed? A packaged system? Developed by end-users?

If in-house developed: N/A

Does the auditee have access to the source code?

Extent of program changes during the past year (none, low, moderate, high). N/A

Environments in use (production/development/test/training etc.) N/A

Who is responsible for maintenance of the software? Provide names, contact details and the basic responsibilities of all programming staff.

If packaged system: Coltech MIS

Vendor/supplier of software.

Extent of customisation for auditee implementation. None

Extent and nature of post-implementation customisation/modification? None

Who is responsible for customisation of the application (supplier or auditee)? none

N/A

Changes are dependent on Dept of Higher Education requirement

Packaged system

IT Manager - Terrence Ramkissoon

No

Changes are dependent on Dept of Higher Education requirement

If decentralised/distributed processing, how are the systems at the sites being updated with changes made? Changes are updated on the server.

5. Database management (applicable if separate databases)

Database management system: Coltech MIS

Is the database(s) centralised or decentralised? Also indicate location of database servers. Centralised, Ladysmith Campus

Who is responsible for maintenance of the database? Provide names, contact details and the basic responsibilities of all database administrators and staff with database related functions.

Is use made of a data warehouse or a Management Information System (MIS)? MIS

Is the data on the data warehouse/MIS significant to the auditee (e.g. reports are used for management decisions/budget control; data is used for transactional purposes)? Yes

Have there been any significant changes in the past year with regards to the databases and data warehouse of the application? Provide detail on nature and date of change.

Are there any changes foreseen within the next year with regards to the databases and data warehouse of the application? Provide detail on nature and date of change.

B. ORGANISATIONAL ISSUES

1. Organisation

Who is the IT manager/CIO of the organisation? Provide name and contact details.

Is the CIS function controlled by a management steering committee group? Identify the members of the steering group.

Provide a basic layout (organigram) of the structure of the auditee, with specific emphasis on the organisational placement of the CIS function (IT department). See diagram attached

Provide a basic layout (organigram) of the CIS function/IT department that indicates the positions/jobs in the department, both filled and vacant, as well as the reporting lines.

Terrence Ramkissoon, Sanjay Sew, Siyabonga Zuma & Suveer Ramdharee

EXCO - Details of Exco

Yes - Management Information System

Changes are dependent on Dept of Higher Education requirement

Terrence Ramkissoon & Sanjay Sew

Provide a basic lay-out of the network (network diagram) identifying specifically the following (if in place): Authentication servers, Application server, Database servers, FTP servers, Web servers, Mail servers, Other storage servers, Firewalls and proxies, Routers and switches, Demilitarized zone (DMZ), RAS servers, Dial-up modems, Third party connections

Do external parties access the network? Purpose of the access (for what services)? Access method (modem/RAS/third party connection etc.)?

Who is responsible for network administration? Provide names, contact details and the basic responsibilities of all network administrators and staff with network related functions.

Have there been any significant changes in the past year with regards to the network? Provide detail on nature and date of change.

Are there any changes foreseen within the next year with regards to the network? Provide detail on nature and date.

Changes are dependent on Dept of Higher Education requirement

Diagram required

SITA, Infoguard

Terrence Ramkissoon

Yes

D. SYSTEMS UNDER DEVELOPMENT OR PROCUREMENT

1. New application systems (Complete the following table for all applications under development or that is in the process of being acquired)

Name of the application | Description of the application | Name of the application being replaced (if applicable) | Status of development/acquisition | If auditee will not perform development or customisation, provide detail on the consultant or supplier responsible | Planned implementation date | Project manager/contact person and contact detail

2. Major amendments to existing application systems (Complete the following table for all major amendments in process/planned to

Name of the application and module/subsystem | Description of amendment | Reason for amendment | Status of amendment | Planned implementation date | Manager/contact person and contact detail

E. OTHER GENERAL QUESTIONS

1) Is there an approved IT policy? No

2) If so, have users signed declaration forms for acknowledgement of the policy? No

2) Are there back-up and disaster recovery procedures/plan in place? Not

3) Has the disaster recovery plan been tested? If so, review results of test. yes

6) Confirm access to computer facility is secured. yes, however the server room is accommodated by 3 technicians

7) Confirm server room has fire detectors, extinguishers, etc. No, fire detectors inside

8) Review the employee termination process and confirm access to system prevented immediately. Not terminated immediately

5) Password controls. Yes

a) Confirm these are not displayed during logon process. Not displayed

b) Confirm users are logged off automatically after a specified length of time. Yes no minutes to verify t

c) Confirm password complexity sufficient. No

4) Are logs (audit trails) of application processing, system accesses, and computer performance maintained? Audit trail are maintained

b. Questions (Yes/No)

Did the Municipality take any corrective action?

Does the Municipality have the minutes from the past year for content relevant to IT?

Are there business & IT strategic planning initiatives?

Are there any follow-up plans?

Are there IT initiatives on the way?

Were there any outsourced IT services?

Are there partners or business associates with whom the Municipality shares information?

Did the Municipality enter into any business associate contract or chain of trust agreement?

Were there prior assessments, audit reports, findings and recommendations of IT activities?

Is there any exchange of data between the Municipality and the external entities?

What are the job descriptions for IT positions, including Security officers?

Is there training provided to the IT staff?

Are the policies, procedures, standards and guidelines managed, planned and maintained properly?

Does the Municipality have the current IT organisation chart?

Does the IT function initiate or authorise transactions?

Does the Muni

Where the data center is located, are combustible materials stored above?

Are there physical controls at the data center, computer room and network access points?

Do all the doors into the data center adequately restrict access?

Do visitors sign in at the entrance and are records maintained?

Are there techniques in place used to restrict data center access?

Does the municipality have environmental controls in place?

a - fire extinguisher
b - uninterrupted power supply
c - Emergency power
d - Temperature controllers
e - Emergency power cut-off switches
f - Smoke and water detectors
g - Emergency lighting

Are the environmental controls regularly tested and maintained?

Does the municipality have an equipment cooling system?

Is there routine maintenance of the system equipment?

Does the Municipality make use of remote consoles?

Is physical access limited to only the operators or appropriate supervisors?

Are system resources protected across all platforms, media and transmissions?

Does the municipality make use of automated authorisation and authentication mechanisms?

Are there users with privileged access authorities?

Does the Municipality have documentation for intrusion protection/detection and IT infrastructure management?

Does the Municipality have logging and auditing systems?


Procedures

IT General Controls (ITGC) address the overall operation and activities of the IT function and its management and governance. The ITGC audit will identify and assess general controls throughout the organization's IT infrastructure. The auditor(s) will inquire, observe, and gather evidence to obtain an understanding of the IT control environment. COBIT provides the general framework for the assessment and is augmented as necessary with applicable regulations, legislation, standards, policies, agreements, and related guidance.

Review prior assessments, audit reports, findings, and recommendations of IT activities for two years to include:

Internal audit reports
Regulatory agency reports
Consulting reports

Assess the appropriateness of corrective actions taken. Document the action taken for each recommendation and determine whether any prior year's comments should be carried forward to the current year's comments.

Identify the technology platforms in use and the applications processed on each platform. Platform information includes:

Equipment manufacturer and model
Quantity

Software applications information includes:

Application vendor and name
Version / Release

Review Board of Directors and Committee agenda and minutes from the past year for content relevant to IT. Establish and document follow-up plans as appropriate.

Review Business & IT Strategic Planning Initiatives. Establish and document follow-up plans as appropriate.

Review status of IT initiatives underway (changes in business operations or IT infrastructure, outsourcing initiatives, web strategies, etc.) and note those impacting risks and controls.

Review the status of outsourced IT services and respective vendor(s) and adjust audit procedures as appropriate to address issues affected by outsourcing.

Review the list of trading partners / business associates with whom the organization shares or exchanges electronic information, and assess arrangements for information security and compliance across organizational boundaries.

Review example business associate contract / chain of trust agreements.

Assess the roles and related risks for key personnel responsible for the exchange of data / information with external entities.

Review the job descriptions for IT positions including Security and Privacy Officers. Assess their appropriateness for the roles identified, how well they address separation of duties, and other considerations.

Assess the general state of training provided to IT staff and the related policies, procedures, and plans, schedules, and training records. (See also Security Training in the Security and Application Systems Sections.)

Assess the management, maintenance, planning, and appropriateness of Documented Policies, Procedures, Standards, and Guidelines including, but not limited to:

a. General IT and IS Policies and Procedures
b. All Security Policies including HIPAA, HITECH, State and other Security Requirements, etc.
c. All Privacy Policies including HIPAA, HITECH, State and other Privacy Requirements, etc.
d. Policies and Procedures for Release of Information
e. Employee Termination Process
f. Personnel Practices, e.g., clearance policies and procedures (background check, etc.), visitor and maintenance personnel control, disciplinary policies
g. Vendor Policies and Procedures
h. Change management policies and procedures

IT Organization and Operations

Obtain the current IT Organization Chart(s) and assess segregation of duties for key functions (i.e.: system analysis, development, programming, testing, operations, quality).

Review the current IT organization chart(s) and assess segregation of duties for key functions (i.e.: system analysis, development, programming, testing, operations, quality).

Review business process flows / diagrams for IT-related activities and assess IT process controls as identified.

Through discussion with IT personnel, evaluate the segregation of critical processing functions.

Ensure the IT function is a support group within the organization and does not initiate or authorize transactions.

Determine whether an IT steering committee or an equivalent committee provides effective IT governance within the organization.

Note: The physical environment reviewed will consider the size and complexity of the organization and its operations, and the types of technology in use or coming into use by the organization and its affiliates, partners, and related groups. Consider also the areas where technology is used and whether the locations present risks due to people and activities and/or natural or man-made threats.

Evaluate the data center location(s) and the host building(s). Ensure combustible materials are not stored on floors above or below the data center. If combustible materials are stored above, evaluate the fire suppression system (e.g., a sprinkler system will result in water damage to floors below).

Tour the data center(s). Document the measures taken to control physical access to such areas as the data center, computer room, telecommunications, wiring closets, and network access points.

Identify all doors into the data center and ensure each adequately restricts access.

Ensure all visitors, including vendors, are required to sign in upon entry, are escorted as appropriate, and visitor records are retained.

Identify and observe the techniques in place (surveillance cameras, security guards, electronic card keys, etc.) used to restrict data center access.

Determine whether the following environmental controls are in place and operational:

a. Fire suppression equipment (e.g., halon system or dry line water suppression and extinguishers)
b. Uninterruptible power supply (UPS)
c. Emergency Power (e.g., generators)
d. Temperature and humidity controllers including backup HVAC
e. Emergency power cut-off switches
f. Smoke and water detectors
g. Emergency lighting

Ensure the above are regularly tested and maintenance contracts are in force.

Identify the equipment cooling system(s). If water-cooled, assess the protection for leakage and whether a backup water chiller exists.

Assess the routine maintenance of system equipment to ensure its performance as expected and to monitor fragile or unstable systems.

Identify the location(s) of consoles for system and network operation and maintenance, and assess the use and control of remote consoles.

Access or Security Controls

Physical Access

Ensure physical access to computer room(s) is limited to operators and appropriate supervisors.

a. Locked computer labs that require coded ID cards or keys for entry
b. Manual key locks on the computer
c. Restricted access to program libraries, and logs of all program access

Assess the completeness and appropriateness of Facility Security Standards for authentication, personnel, access, etc.

Electronic Access

Determine how system resources (i.e., batch, on-line transactions, datasets, and sensitive utilities) are protected across all platforms, media, and transmissions.

Identify all applications that provide their own security mechanisms. Ensure appropriate capabilities are implemented to include:

Unique user IDs assigned to all users

Unattended devices automatically logged off after a specified period of inactivity.
Users are forced to change passwords within a specified timeframe.
Old passwords cannot be reused.
Passwords are properly masked on the system.

Review and assess the description of user authentication mechanisms (secure ID, biometric, CHAP/PAP, etc.).

Identify and review the use of automated authorization and authentication mechanisms, profile templates, etc.

Assess the connectivity of remote, dial-up, wireless, mobile, and other systems that provide access to sensitive data and the specific security techniques in place for remote or mobile access and user authentication.

Review the procedures to authorize and revoke system access. Ensure proper authorization is obtained prior to granting user access to the system resources.

Evaluate the procedures established to remove user IDs and passwords from the system when an employee leaves and to adjust access privileges as user roles and responsibilities change.

Select a sample of users in the system's security package and ensure system access is appropriate and properly authorized.
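The sample-of-users test described above, as an added example that is not part of this audit programme: it applies the tests the programme lists (unique user IDs, access properly authorised, prompt removal of leavers, password age, and identification of privileged users for monitoring) to a constructed extract of a system's security package. The field names, the thresholds and the review date are assumptions.

```python
"""
User-access sample test for an ITGC review.

Added example, not part of the audit programme. It takes a constructed extract
of a security package and reports one finding per exception. Field names,
thresholds and the review date are assumptions for the example.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds are assumptions; take them from the auditee's own policy.
MAX_PASSWORD_AGE_DAYS = 90
MAX_DAYS_TO_REVOKE_AFTER_LEAVING = 1
AS_AT = date(2019, 7, 29)  # review date used for age calculations (assumed)


@dataclass
class Account:
    user_id: str
    owner: str
    status: str                   # "active" or "disabled"
    privileged: bool
    approval_ref: Optional[str]   # reference of the signed access request, or None
    last_password_change: date
    termination_date: Optional[date] = None


@dataclass
class Finding:
    user_id: str
    test: str
    detail: str


def review_accounts(accounts: List[Account], as_at: date = AS_AT) -> List[Finding]:
    """Apply the sample tests and return one Finding per exception found."""
    findings: List[Finding] = []

    # Unique user IDs assigned to all users: the same ID must not be issued twice.
    for user_id, n in Counter(a.user_id for a in accounts).items():
        if n > 1:
            findings.append(Finding(user_id, "unique-id", f"user ID issued {n} times"))

    for a in accounts:
        # Proper authorisation obtained prior to granting access.
        if a.approval_ref is None:
            findings.append(Finding(a.user_id, "authorisation", "no approved access request on file"))

        # User IDs removed when an employee leaves (termination process).
        if a.termination_date is not None and a.status == "active":
            overdue = (as_at - a.termination_date).days
            if overdue > MAX_DAYS_TO_REVOKE_AFTER_LEAVING:
                findings.append(Finding(a.user_id, "leaver", f"still active {overdue} days after leaving"))

        # Users forced to change passwords within a specified timeframe.
        age = (as_at - a.last_password_change).days
        if a.status == "active" and age > MAX_PASSWORD_AGE_DAYS:
            findings.append(Finding(a.user_id, "password-age", f"password is {age} days old"))

        # Privileged access authorities must be identified for activity monitoring.
        if a.privileged and a.status == "active":
            findings.append(Finding(a.user_id, "privileged", "include in privileged-user activity monitoring"))

    return findings


def findings_by_test(findings: List[Finding]) -> Dict[str, int]:
    """Exception counts per test, for the working-paper summary."""
    return dict(Counter(f.test for f in findings))


# Constructed sample extract (not real auditee data).
SAMPLE_ACCOUNTS = [
    Account("jsmith", "J. Smith", "active", False, "AR-1001", date(2019, 6, 1)),
    Account("admin1", "IT Manager", "active", True, "AR-0001", date(2019, 7, 1)),
    Account("mjones", "M. Jones", "active", False, None, date(2019, 1, 15)),
    Account("pkhan", "P. Khan", "active", False, "AR-0990", date(2019, 5, 20),
            termination_date=date(2019, 6, 30)),
    Account("jsmith", "J. Smith (second issue)", "active", False, "AR-1002", date(2019, 7, 10)),
    Account("tleft", "T. Left", "disabled", False, "AR-0800", date(2018, 12, 1),
            termination_date=date(2019, 3, 31)),
]


if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS):
        print(f"{f.user_id:8} {f.test:14} {f.detail}")
```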

Select a sample of sensitive data elements and ensure appropriate access management.

Identify all users with privileged access authorities and assess the procedures for monitoring all activities of privileged users.

Review documentation for intrusion protection / detection and IT infrastructure management / monitoring systems (internal and external network infrastructure).

Review descriptions of logging and auditing systems and assess their appropriateness.

Assess the logging of security related information and the identification and management of security incidents or violations. Review sample logs and reporting for incident assessment and remediation.

Review the documentation for the Incident Response Team and Incident Response Process related to protected information loss, theft, disclosure, security breach, notification procedures, etc.

Review the incident response tracking mechanism and records of security incidents, and assess the timeliness and appropriateness of response, recovery, notification, follow-up review, corrective procedures, etc.

Assess the information security training provided to IT staff and the related policies, procedures, and plans, schedules, and training records.

Assess the information security training provided to non-IT staff and the related policies, procedures, and plans, schedules, and training records.

Assess the results of the most recent security penetration testing and the methods used.

Systems Development and Documentation Controls

Obtain an understanding of the systems development, maintenance, and change management processes.

Assess the written procedures (in the overall policies and procedures manual) outlining the steps followed to modify IT systems. Ensure these steps include:

d. proper approval to implement program changes;
e. appropriate documentation describing the nature and logic of proposed changes;
f. proper methodology for testing, debugging, and approving all changes on a test system before implementing the changes in production systems; and
g. a log is maintained of all system enhancements and modifications.

Assess the training for security of online applications, the appropriateness for applicable personnel, and the extent to which it is integrated with the building, maintenance, testing, implementation, and use of online systems processing sensitive and protected information.

Assess the methodology for approving and developing new application systems. Ensure the methodology applies to all types of systems.

Assess the Systems Development Life Cycle as performed by IT personnel. Consider the following:

a. User participation and sign-off
b. Acceptance Testing
c. Proper review and approval at the completion of key stages in the development process and documentation requirements

Select a sample of systems in the development life cycle process and review the development documentation to assess compliance with the SDLC methodology.

Review the IT change management processes and procedures to ensure critical functions are performed:

a. All changes to programs, files, and devices require written authorization before they are implemented.
b. All changes go through a single control point.
c. Only specified personnel are authorized to approve and apply changes.
d. Users accept the change, via sign-off, prior to implementation of any change in production.
e. Documentation of all changes clearly identifies the trail from initiation through every step including post change acceptance.
f. Processes are in place to ensure agreement on priority of change requests.
g. Changes are implemented into the production environment by personnel not responsible for making the changes (segregation of duties).
h. Procedures are in place for emergency changes.

Select a sample of recent program changes and review the change documentation for compliance with application program change procedures.

Assess the procedures in place to routinely test for unauthorized or undocumented program changes (e.g. by comparison of the working program to the approved code).
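One way to carry out the comparison of the working program to the approved code, as an added example that is not part of this audit programme: it hashes every file of an approved release and of the production copy, reports files that were added, removed or modified, and then separates the changes covered by an approved change record from the undocumented ones. The directory layout, file names and the change-record format are constructed assumptions.

```python
"""
Detecting unauthorised or undocumented program changes by comparing the
working (production) programs against the approved code.

Added example, not from the audit programme. The directory layout, file
contents and the change-record format are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Set


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file under root (relative path, POSIX separators) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(approved: Dict[str, str], working: Dict[str, str]) -> Dict[str, List[str]]:
    """Sorted lists of files added, removed or modified in the working copy."""
    approved_paths, working_paths = set(approved), set(working)
    return {
        "added": sorted(working_paths - approved_paths),
        "removed": sorted(approved_paths - working_paths),
        "modified": sorted(p for p in approved_paths & working_paths
                           if approved[p] != working[p]),
    }


def undocumented_changes(diff: Dict[str, List[str]], change_log: Set[str]) -> List[str]:
    """Files that differ from the approved code but have no approved change record."""
    changed = diff["added"] + diff["removed"] + diff["modified"]
    return sorted(p for p in changed if p not in change_log)


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def run_demo() -> Dict[str, List[str]]:
    """Constructed scenario: approved release vs production copy with three deviations."""
    with tempfile.TemporaryDirectory() as tmp:
        approved_root = os.path.join(tmp, "approved")
        prod_root = os.path.join(tmp, "production")
        for root in (approved_root, prod_root):
            _write(root, "bin/post_ledger.py", b"def post(batch): return sum(batch)\n")
            _write(root, "tables/tax_rates.csv", b"code,rate\nVAT,0.15\n")
            _write(root, "bin/report.py", b"def report(): return 'ok'\n")
        # Documented change: a routine rate-table update covered by a change record.
        _write(prod_root, "tables/tax_rates.csv", b"code,rate\nVAT,0.15\nLEVY,0.02\n")
        # Undocumented change to a production program (no change record).
        _write(prod_root, "bin/post_ledger.py", b"def post(batch): return sum(batch) + 1\n")
        # Undocumented new file dropped into the production library.
        _write(prod_root, "bin/helper.py", b"# not in the approved release\n")

        diff = compare_manifests(build_manifest(approved_root), build_manifest(prod_root))
        # Constructed change log: files covered by approved change records.
        change_log = {"tables/tax_rates.csv"}
        diff["undocumented"] = undocumented_changes(diff, change_log)
        return diff


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:12} {', '.join(paths) or '-'}")
```

Run against a real baseline, the manifest of the approved release is taken at turnover time and stored outside the production library, so that a change to production cannot also rewrite the baseline.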

Evaluate the separation of the test environment from production systems and data, and ensure changes are thoroughly tested and approved prior to moving the changed code into the production environment.

Review the application program change turnover procedures performed by the independent group responsible for implementing the application changes into the production environment.

Assess the emergency change procedures and whether emergency changes are migrated through segregated libraries to enable management review and approval of the change.

Select a sample of emergency program changes and assess compliance with established procedures.

Assess the procedures for making routine rate changes (e.g., tax rates) to application programs or tables.

Assess whether programming standards include naming conventions and coding conventions.

Identify the software package (i.e., CA-Librarian) on the processing system to provide security over production libraries for source programs, JCL, and other files.

Identify the functions / individuals responsible for hardware and system software controls built into IT equipment by the manufacturer, which may include:

a. Self-diagnosis
b. Regular maintenance
c. Echo check
d. Duplicate process check
e. Parity check

Assess the processes to identify and address errors that may occur in operating systems and system software:

a. Logic errors occur before the operational stage
b. Coding errors are detected during the program's testing (debugging) stage
c. Modification errors can occur at any time, even while processing. If not handled properly, program modifications can produce unexpected operations and invalid output and data
o Make inquiry of any unauthorized program modifications (which is the most ominous type of software error)
o Assess completeness of records kept of all modifications and records for any post-modification debugging

Determine through inquiry the process for scheduling production batch processing. Ensure user authorization of all changes to the production schedule. Select a sample of changes and review them for compliance to the scheduling procedures.

If an automatic scheduler is not used, determine how production processing is controlled.

Determine how the computer operator ensures production processing properly completes.

Identify the various output media in use and assess the processes for distribution of production-processing output to users. Ensure sensitive data is properly controlled.

Backup/Recovery

Review the Business Continuity Plan and Disaster Recovery Plan and ensure the systems and communications backup and recovery procedures are appropriately integrated in the plan.

Ensure system and incremental backups are performed on a regular basis. Assess the frequency of backups and determine through inquiry and review of documentation whether all files and programs are backed up properly. Ensure on-line transaction journals are backed up to provide recovery of transactions that update the databases.

Review the description of backup and archiving system(s).

Assess the procedures to ensure backup copies of system, programs, and data files are rotated to a secure offsite storage location on a scheduled basis. Assess the procedures for verifying the inventory of the backup data.

Identify the media and processes involved in backup and recovery and assess their effectiveness. If a tape management system (TMS) is part of the processing system and provides an inventory of tapes by location, observe that tapes maintained offsite are properly segregated on the TMS.

Review the results of system recovery testing to ensure a successful test was performed and documented within the prior twelve months.

Business Continuity Planning and Disaster Recovery

Review the business continuity and resumption plans. Through discussions with management and review of the business continuity and resumption plans, determine whether the plans are current and include the necessary key components.

Review the documentation of the results of the most recent test of the business resumption plan and determine the dates of prior plans. Document the frequency and success of the tests. If the plan has not been tested, inquire as to the plans for testing.

Assess IT management's plans for and roles in assuring business continuity and the recovery of IT resources. Determine if the plan includes recovery of IT at a vendor site and review the service agreement.

Evaluate the disaster recovery plan for the IT division. Ensure application recovery is based on risk (applications critical to the organization are recovered first).

Evaluate the recovery service vendor agreement(s) to ensure they provide for adequate infrastructure to recover the organization's IT resources and operations. Ensure telecommunications are included and covered during testing.

Review the results of recovery testing of IT operations at the vendor site(s). Ensure tests were successfully completed and results documented.

Telecommunications

Review technical configurations, charts, schematics, network diagrams (internal and external network infrastructure).

Review documentation regarding approved remote communication channels, mechanisms, protocols, and standards (i.e., extranet, VPN, SSH, FTP, Wi-Fi, etc.).

Review procedures for setting up, siting, and managing networked work stations and portable and mobile devices. Assess the security of procedures for monitoring, adding, removing, and configuring all devices on the network.

Review description of messaging architecture, authentication, encryption methods, auditing/logging.

Determine whether telecommunications provide a reliable and secure environment. Consider load balancing devices, redundant systems, and alternate procedures for the continuation of telecommunication operations.

Determine if EDI (Electronic Data Interchange) is utilized. If so, evaluate security and authenticity of interchange.


    Auditor's Comment
