it controls 1v
TRANSCRIPT
-
7/29/2019 IT Controls 1v
1/32
Application name
Application
name
1. General
Implementation date 2003
Interfaces to other applications (if yes, indicate
to which application).
No
System owner of application Coltech MIS
System manager/ administrator Terrence Ramkissoon
2. Input and processing
Is input to the application centralised,
decentralised or distributed?
Provide detail on location of input sites.
Is processing of the application centralised,
decentralised or distributed?
Provide detail on location of processing sites.
Identify the nature of the processing
environment: Mainframe Client-server Thick/ thin client Middleware PC processing (limited/ no processing onserver)
Does on-line or batch processing take place? On line processing
Is data downloaded for transfer to other
computers for purposes of input, processing or
output?
Provide detail on when, how and why transfertakes place.
Who is responsible for the maintenance of
standing data (e.g. tables, codes, tariffs) on the
application and how is it done (via application/
database centrally/ decentralised)?
Provide name and contact details of
responsible person/ persons.
Do full-time operators handle processing and
job scheduling or are operations automated?
Provide name and contact detail of operators,
if applicable.Is the database of the application integrated or
is there a separate database with a database
management system in place?
Integrated
Have there been any significant changes in the
past year with regards to the input and
processing of the application?
Provide detail on nature and date of change.
IT Manager -Terrance Ramkissoon
Yes - all users at the college
A. APPLICATION SPECIFIC QUESTIONS
Decentralised - Server situated at the
Ladysmith Campus
Distrubuted - information is captured at
Escourt,.Ezakheni and Ladysmith
PC processing linked to the main server
Updated on a regular basis - latest update
was 2 months ago busary module.
No - all data is on the server
-
7/29/2019 IT Controls 1v
2/32
Are there any changes foreseen within the next
year with regards to the logon and
authentication of users of the application?
Provide detail on nature and date of change.
3. Logon and authentication of users for
access to application
Describe the logon path of a user to theapplication.
Users access by remote connection
Is access to the application gained via a local
area network (LAN), a wide area network
(WAN) or is the application on a standalone
PC?
WAN
Who is responsible for security administration
of users (i.e. set-up of new users etc.)?
Provide names and contact details.
Have there been any significant changes in the
past year with regards to the logon and
authentication of users of the application?
Provide detail on nature and date of change.
Are there any changes foreseen within the next
year with regards to the logon and
authentication of users of the application?
Provide detail on nature and date of change.
4. Change control
Is the application:
In-house developed?A packaged system? Developed by end-users?If in-house developed: N/A
Does the auditee have access to the source
code?
Extent of program changes during the past
year (none, low, moderate, high).
N/A
Environments in use (production/
development/ test/ training etc.)
N/A
Who is responsible for maintenance of the
software?
Provide names, contact details and the basic
responsibilities of all programming staff.
If packaged system: Coltech MIS
Vendor/supplier of software.
Extent of customisation for auditee
implementation.
None
Extent and nature of post-implementation
customisation/ modifiacation?
None
Who is responsible for customisation of the
application (supplier or auditee)?
none
N/A
Changes are dependant on Dept of Higher
Education requirement
Packaged system
IT Manager -Terrance Ramkissoon
No
Changes are dependant on Dept of Higher
Education requirement
-
7/29/2019 IT Controls 1v
3/32
If decentralised/ distributed processing, how
are the systems at the sites being updated with
changes made?
Changes are updated on the server.
5. Database management (applicable if
separate databases)
Database management system Colted MIS
Is the database(s) centralised or
decentralised? Also indicate location of
database servers.
Centralised Ladysmith Campus
Who is the responsible for maintenance of the
database?
Provide names, contact details and the basic
responsibilities of all database administrators
and staff with database related functions.
Is use made of a data warehouse or a
Management Information System (MIS)?
MIS
Is the data on the datawarehouse/ MIS
significant to the auditee (e.g. reports are used
for management decisions/ budget control;
data is used for transactional purposes).
Yes
Have there been any significant changes in the
past year with regards to the databases and
datawarehouse of the application?
Provide detail on nature and date of change.
Are there any changes foreseen within the next
year with regards to the databases and
datawarehouse of the application?
Provide detail on nature and date of change.
Who is the IT manager/ CIO of the
organisation?
Provide name and contact details.
Is the CIS function controlled by a
management steering committee group?
Identify the members of the steering group.
Provide a basic layout (organigram) of the
structure of the auditee, with specific emphasison the organisational placement of the CIS
function (IT department).
See diagram attached
Provide a basic layout (organigram) of the CIS
function/ IT department that indicates the
positions/ jobs in the department, both filled
and vacant as well as the reporting lines.
B. ORGANISATIONAL ISSUES
1. Organisation
Terrence Ramkissoon, Sanjay
Sew,Siyabonga Zuma & Suveer
Ramdharee
EXCO - Details of Exco
Yes- Management Information System
Changes are dependant on Dept of Higher
Education requirement
Terrence Ramkissoon & Sanjay Sew
-
7/29/2019 IT Controls 1v
4/32
-
7/29/2019 IT Controls 1v
5/32
Provide a basic lay-out of the network (network
diagram) identifying specifically the following (if
in place):
Authentication serversApplication server Database servers FTP servers Web servers Mail servers Other storage servers Firewalls and proxies Routers and switches Demilitarized zone (DMZ) RAS servers Dial-up modems Third party connections
Do external parties access the network?
Purpose of the access (for whatservices)
Access method (modem/ RAS/ thirdparty connection etc.)?
Who is the responsible for network
administration?
Provide names, contact details and the basic
responsibilities of all network administrators
and staff with network related functions.
Have there been any significant changes in the
past year with regards to the network?
Provide detail on nature and date of change.
Are there any changes foreseen within the next
year with regards to the network?
Provide detail on nature and date.
Name of the application Description of the application
Name of the
application
being replaced
(if applicable)
Changes are dependant on Dept of Higher
Education requirement
D. SYSTEMS UNDER DEVELOPMENT OR PROCUREMENT
1. New application systems (Complete the following table for all applications under development or that is in t
Diagram required
SITA, Infoguard
Terrence Ramkissoon
Yes
-
7/29/2019 IT Controls 1v
6/32
Name of the application and module/
subsystem Description of amendment
Reason for
amendment
3) Has the disaster recovery plan been tested? If so, review results of test.
6) Confirm access to computer facility is secured
7) Confirm server room has fire detectors, extinguishers, etc.
8) Review the employee termination process and confirm access to system prevented imm
5) Password controls
a) Confirm these are not displayed during logon process
b) Confirm users are logged off automatically after a specified length of time
c) Confirm password complexity sufficient
1) Is there an approved IT policy?2) If so, have users signed declaration forms for acknowledgement of the policy?
2) Are there back-up and disaster recovery procedures/plan in place?
4) Are logs(audit trails) of application processing, system accesses, and computer performa
D. SYSTEMS UNDER DEVELOPMENT OR PROCUREMENT
2. Major amendments to existing application systems (Complete the following table for al
E. OTHER GENERAL QUESTIONS
-
7/29/2019 IT Controls 1v
7/32
Application
name
Application
name
-
7/29/2019 IT Controls 1v
8/32
-
7/29/2019 IT Controls 1v
9/32
-
7/29/2019 IT Controls 1v
10/32
-
7/29/2019 IT Controls 1v
11/32
Status of
development/
acquisition
If auditee will
not perform
development
or
customisation, provide
detail on the
consultant or
supplier
responsible.
Planned
implemen
tation
date
Project
manager/contact
person
and
contact
detail
e process of being acquired)
-
7/29/2019 IT Controls 1v
12/32
Status of
amendment
Planned
implementatio
n date
manager/
contact
person
and
contact
detail
No
No
Not
yes
yes however the server room is accomodates by 3 technicians
No, fire detectors inside
diately Not terminated immediat
Yes
Not displayed
Yes no minutes to verify t
No
nce maintaine Audit trail are maintained
major amendments in process/ planned to
-
7/29/2019 IT Controls 1v
13/32
b Questions Yes/No
Did the Municipality take any corrective action.
Does the Munucipality has the minutes from
the past year for content relevant to IT
Are there business & IT Strategic Planning
initiatives
Are there any follow up plans
Are there IT initiatived on the way
Were there any outsourced IT services
Is there partners or bunisses assossiates with
whom the Municipality shares information
Did the Municipality enter into any business
associate contract or chain of trust agreement
Were there prior assessments, audit reports,
findings and recommendations of IT activities
-
7/29/2019 IT Controls 1v
14/32
Is there any exchange of data between the
Municipality and the external entities
What are the job descriptions for IT positions
including Security officers
Is there training provided to the IT staff
Are the policies, procedures, standards and
guidelines managed, planned and maintained
properly
Does the Municipality has the current IT
Organisation chart
Does the IT function inititate or authorises
transactions
Does the Muni
-
7/29/2019 IT Controls 1v
15/32
Where data center is located, are the
combustible materials stored above.
Are there physical controls at the Data center,
computer room, network access pointsDoes all the doors into the data center
adequately restricts access
Do the visitors sign at the entrance and records
maintianed
Are there techniques in place used to restrict
data center access
Does the municipality has the environmental
controls in place
a - fire extinguisher
b - uninterrupted power supply
c - Emergenncy Power
d - Temperature controllers
e - Emergency powere cut-off switches
f - Smoke and water detectors
g - Emergency lighting
Are the environmental controls regularly tested
and maintained.
Does the municipality has the equipment
cooling system
Is there a reoutine maintenance of the systemequipment
Does the Municipaility make use of remote
consoles.
Is the physical access limted to only the
operators or appropriate supervisors
Are system resources protected accross all
platfoms, media and transmissions.
-
7/29/2019 IT Controls 1v
16/32
Does the municipality makes use of automated
authorisation and authentication mechanisms
Are there users with the privilegde access
authorities
Does the Municipality has the documentation
for intrusion protection/detection and IT
infrastrure managementDoes the Municipality has the logging and
auditing systems
-
7/29/2019 IT Controls 1v
17/32
-
7/29/2019 IT Controls 1v
18/32
-
7/29/2019 IT Controls 1v
19/32
-
7/29/2019 IT Controls 1v
20/32
-
7/29/2019 IT Controls 1v
21/32
Procedures
IT General Controls (ITGC) address the overall operation and activities of the IT
function and its management and governance. The ITGC audit will identify and assessgeneral controls throughout the organizations IT infrastructure. The auditor(s) will
inquire, observe, and gather evidence to obtain an understanding of the IT control
environment. COBIT provides the general framework for the assessment and is
augmented as necessary with applicable regulations, legislation, standards, policies,
agreements, and related guidance.
Review prior assessments, audit reports, findings, and recommendations of IT
activities for two years to include:
Internal audit reports
Regulatory agency reports
Consulting reports
Assess appropriateness of corrective actions has taken. Document the action taken for
each recommendation and determine whether any prior year's comments should be
carried forward to the current year's comments.
Identify the technology platforms in use and the applications processed on each
platform. Platform information for includes:
Equipment manufacturer and model
Quantity
Software applications information includes:
Application vendor and name
Version / Release
Review Board of Directors and Committee agenda and minutes from the past year for
content relevant to IT. Establish and document follow-up plans as appropriate.
Review Business & IT Strategic Planning Initiatives.
Establish and document follow-up plans as appropriate.
Review status of IT initiatives underway (changes in business operations or IT
infrastructure, outsourcing initiatives, web strategies, etc.) and note those impacting
risks and controls.
Review the status of outsourced IT services and respective vendor(s) and adjust audit
procedures as appropriate to address issues affected by outsourcing.
Review the list of trading partners / business associates with whom the organization
shares or exchanges electronic information, and assess arrangements for information
security and compliance across organizational boundaries.
Review example business associate contract / chain of trust agreements
-
7/29/2019 IT Controls 1v
22/32
Assess the roles and related risks for key personnel responsible for the exchange of
data / information with external entities.
Review the job descriptions for IT positions including Security and Privacy Officers.
Assess their appropriateness for the roles identified, how well they address separation
of duties, and other considerations.
Assess the general state of training provided to IT staff and the related policies,
procedures, and plans, schedules, and training records. (See also Security Training in
the Security and Application Systems Sections.)
Assess the management, maintenance, planning, and appropriateness of Documented
Policies, Procedures, Standards, and Guidelines including, but not limited to:
a. General IT and IS Policies and Procedures
b. All Security Policies including HIPAA, HITECH. State and other Security
Requirements, etc.
c. All Privacy Policies including HIPAA, HITECH. State and other Privacy Requirements,
etc.
d. Policies and Procedures for Release of Informatione. Employee Termination Process
f. Personnel Practices e.g., clearance policies and procedures (background check,
etc.), visitor and maintenance personnel control, disciplinary policies
g. Vendor Policies and Procedures
h. Change management policies and procedures
IT Organization and Operations
Obtain the current IT Organization Chart(s) and assess segregation of duties for key
functions (i.e.: system analysis, development, programming, testing, operations,
quality).
Review the current IT organization chart(s) and assess segregation of duties for key
functions (i.e.: system analysis, development, programming, testing, operations,quality).
Review business process flows / diagrams for IT-related activities and assess IT process
controls as identified.
Through discussion with IT personnel, evaluate the segregation of critical processing
functions.
Ensure the IT function is a support group within the organization and does not initiate
or authorize transactions.
Determine whether an IT steering committee or an equivalent committee provides
effective IT governance within the organization.
Note: The physical environment reviewed will consider the size and complexity of the
organization and its operations, and the types of technology in use or coming into use
by the organization and its affiliates, partners, and related groups. Consider also the
areas where technology is used and whether the locations present risks due to people
and activities and/or natural or man-made threats.
-
7/29/2019 IT Controls 1v
23/32
Evaluate the data center location(s) and the host building(s). Ensure combustible
materials are not stored on floors above or below the data center. If combustible
materials are stored above, evaluate the fire suppression system, i.e. sprinkler system
will result in water damage to floors below.
Tour the data center(s). Document the measures taken to control physical access to
such areas as the data center, computer room, telecommunications, wiring closets,
network access points
Identify all doors into the data center and ensure each adequately restricts access.
Ensure all visitors, including vendors, are required to sign-in upon entry, as escorted
as appropriate, and visitor records are retained.
Identify and observe the techniques in place (surveillance cameras, security guards,
electronic card keys, etc.) used to restrict data center access.
Determine whether the following environmental controls are in place and operational:
a. Fire suppression equipment (e.g., halon system or dry line water suppression and
extinguishers)
b. Uninterruptible power supply (UPS)
c. Emergency Power (e.g., generators)
d. Temperature and humidity controllers including backup HAV
e. Emergency power cut-off switches
f. Smoke and water detectors
g. Emergency lighting
Ensure the above are regularly tested and maintenance contracts are in force.
Identify the equipment cooling system(s). If water-cooled, assess the protection for
leakage and whether a backup water chiller exists.
Assess the routine maintenance of system equipment to ensure its performance asexpected and to monitor fragile or unstable systems.
Identify the location(s) of consoles for system and network operation and
maintenance, and assess the use and control of remote consoles.
Access or Security Controls
Physical Access
Ensure physical access to computer room(s) is limited to operators and appropriate
supervisors.
a. Locked computer labs that require coded ID cards or keys for entry
b. Manual key locks on the computer
c. Restricted access to program libraries, and logs of all program access
Assess the completeness and appropriateness of Facility Security Standards for
authentication, personnel, access, etc.
Electronic Access
Determine how system resources (i.e., batch, on-line transactions, datasets, and
sensitive utilities) are protected across all platforms, media, and transmissions.
Identify all applications that provide their own security mechanisms. Ensure
appropriate capabilities are implemented to include:
Unique user IDs assigned to all users
-
7/29/2019 IT Controls 1v
24/32
Unattended devices automatically logged off after a specified period of inactivity.
Users are forced to change passwords within a specified timeframe.
Old passwords cannot be reused.
Passwords are properly masked on the system.
Review and assess the description of user authentication mechanismssecure ID,
biometric, CHAP/PAP, etc.
Identify and review the use of automated authorization and authentication
mechanisms, profile templates, etc.
Assess the connectivity of remote, dial-up, wireless, mobile, and other systems that
provide access to sensitive data and the specific security techniques in place for
remote or mobile access and user authentication.
Review the procedures to authorize and revoke system access. Ensure proper
authorization is obtained prior to granting user access to the system resources.
Evaluate the procedures established to remove user IDs and passwords from the
system when an employee leaves and to adjust access privileges as user roles and
responsibilities change.
Select a sample of users in the system's security package and ensure system access is
appropriate and properly authorized.
Select a sample of sensitive data elements and ensure appropriate access
management.
Identify all users with privileged access authorities and assess the procedures for
monitoring all activities of privileged users.
Review documentation for intrusion protection / detection and IT infrastructure
management / monitoring systems. (internal and external network infrastructure)
Review descriptions of logging and auditing systems and assess their appropriateness.
Assess the logging of security related information and the identification and
management of security incidents or violations. Review sample logs and reporting for
incident assessment and remediation.
Review the documentation for the Incident Response Team and Incident Response
Process related to protected information loss, theft, disclosure, security breach,
notification procedures, etc.
Review the incident response tracking mechanism and records of security incidents,
and assess the timeliness and appropriateness of response, recovery, notification,
follow-up review, corrective procedures, etc.
Assess the information security training provided to IT staff and the related policies,
procedures, and plans, schedules, and training records.
Assess the information security training provided to non-IT staff and the related
policies, procedures, and plans, schedules, and training records.
Assess the results of the most recent security penetration testing and the methods
used.
Systems Development and Documentation Controls
-
7/29/2019 IT Controls 1v
25/32
Obtain an understanding of the systems development, maintenance, and change
management processes.
Assess the written procedures (in the overall policies and procedures manual)
outlining the steps followed to modify IT systems. Ensure these steps include:
d. proper approval to implement program changes;
e. appropriate documentation describing the nature and logic of proposed changes;f. proper methodology for testing, debugging, and approving all changes on a test
system before implementing the changes in production systems; and
g. a log is maintained of all system enhancements and modifications.
Assess the training for security of online applications, the appropriateness for
applicable personnel, and the extent to which it is integrated with the building,
maintenance, testing, implementation, and use of online systems processing sensitive
and protected information.
Assess the methodology for approving and developing new application systems.
Ensure the methodology applies to all types of systems.
Assess the Systems Development Life Cycle as performed by IT personnel. Consider
the following:
a. User participation and sign-off
b. Acceptance Testing
c. Proper review and approval at the completion of key stages in the development
process and documentation requirements
Select a sample of systems in the development life cycle process and review the
development documentation to assess compliance with the SDLC methodology.
Review the IT change management processes and procedures to ensure critical
functions are performed:
a. All changes to programs, files, and devices require written authorization before they
are implemented.
b. All changes go through a single control point.
c. Only specified personnel are authorized to approve and apply changes.
d. Users accept the change, via sign-off, prior to implementation of any change in
production.
e. Documentation of all changes clearly identifies the trail from initiation through
every step including post change acceptance.
f. Processes are in place to ensure agreement on priority of change requests.
g. Changes are implemented into the production environment by personnel not
responsible for making the changes (segregation of duties).
h. Procedures are in place for emergency changes.
Select a sample of recent program changes and review the change documentation for
compliance with application program change procedures.
Assess the procedures in place to routinely test for unauthorized or undocumented
program changes (e.g. by comparison of the working program to the approved code.
-
7/29/2019 IT Controls 1v
26/32
Evaluate the separation of the test environment from production systems and data,
and ensure changes are thoroughly tested and approved prior to moving the changed
code into the production environment.
Review the application program change turnover procedures performed by the
independent group responsible for implementing the application changes into the
production environment.
Assess the emergency change procedures and whether emergency changes aremigrated through segregated libraries to enable management review and approval of
the change.
Select a sample of emergency program changes and assess compliance with
established procedures.
Assess the procedures for making routine rate changes (e.g., tax rates) to application
programs or tables.
Assess whether programming standards include naming conventions and coding
conventions.
Identify the software package (i.e., CA-Librarian) on the processing system to provide
security over production libraries for source programs, JCL, and other files.
Identify the functions / individuals responsible for hardware and system software
controls built into IT equipment by the manufacturer which may include:
a. Self-diagnosis
b. Regular maintenance
c. Echo check
d. Duplicate process check
e. Parity check
Assess the processes to identify and address errors that may occur in operating
systems and system software.a. Logic occurs before the operational stage
b. Coding detected during the programs testing (debugging) stage
c. Modification can occur at any time, even while processing. If not handled properly,
program modifications can produce unexpected operations and invalid output and
data
o Make inquiry of any unauthorized program modifications (which is the most
ominous type of software error)
o Assess completeness of records kept of all modifications and records for any post
modification debugging
Determine through inquiry the process for scheduling production batch processing.
Ensure user authorization of all changes to the production schedule. Select a sample of
changes and review them for compliance to the scheduling procedures.
If an automatic scheduler is not used, determine how production processing is
controlled.
Determine how the computer operator ensures production processing properly
completes.
-
7/29/2019 IT Controls 1v
27/32
Identify the various output media in use and assess the processes for distribution of
production-processing output to users. Ensure sensitive data is properly controlled.
Backup/Recovery
Review the Business Continuity Plan and Disaster Recovery Plan and ensure the
systems and communications backup and recovery procedures are appropriately
integrated in the plan.
Ensure system and incremental backups are performed on a regular basis. Assess the
frequency of backups and determine through inquiry and review of documentation
whether all files and programs are backed up properly. Ensure on-line transaction
journals are backed up to provide recovery of transactions that update the databases.
Review the description of backup and archiving system(s)
Assess the procedures to ensure backup copies of system, programs, and data files are
rotated to a secure offsite storage location on a scheduled basis. Assess the
procedures for verifying the inventory of the backup data.
Identify the media and processes involved in backup and recovery and assess their
effectiveness. If a tape management system (TMS) is part of the processing system
and provides an inventory of tapes by location, observe that tapes maintained offsite
are properly segregated on the TMS.
Review the results of system recovery testing to ensure a successful test was
performed and documented within the prior twelve months.
Business Continuity Planning and Disaster Recovery
Review the business continuity and resumption plans. Through discussions with
management and review of the business continuity and resumption plans, determine
whether the plans are current and include the necessary key components.
Review the documentation of the results of the most recent test of the business
resumption plan determine the dates of prior plans. Document the frequency and
success of the tests. If the plan has not been tested, inquire as to the plans for testing.
Assess IT managements plans for and roles in assuring business continuity and the
recovery of IT resources. Determine if the plan includes recovery of IT at a vendor site
and review the service agreement.
Evaluate the disaster recovery plan for the IT division. Ensure application recovery is
based on risk (applications critical to the organization are recovered first).
Evaluate the recovery service vendor agreement(s) to ensure they provide for
adequate infrastructure to recover the organizations IT resources and operations.
Ensure telecommunications are included and covered during testing.
Review the results of recovery testing of IT operations at the vendor site(s). Ensure
tests were successfully completed and results documented.
Telecommunications
Review technical configurations, charts, schematics, network diagrams (internal and
external network infrastructure).
-
7/29/2019 IT Controls 1v
28/32
Review documentation regarding approved remote communication channels,
mechanisms, protocols, and standards (i.e., extranet, VPN, SSH, FTP, Wi-Fi, etc.)
Review procedures for setting up, siting, and managing networked work stations and
portable and mobile devices. Assess the security of procedures for monitoring, adding,
removing, and configuring all devices on the network.
Review description of messaging architecture, authentication, encryption methods,
auditing/logging.
Determine whether telecommunications provide a reliable and secure environment.
Consider load balancing devices, redundant systems, and alternate procedures for the
continuation of telecommunication operations.
Determine if EDI (Electronic Data Interchange) is utilized. If so, evaluate security and
authenticity of interchange.
-
7/29/2019 IT Controls 1v
29/32
Auditor's Comment
-
7/29/2019 IT Controls 1v
30/32
-
7/29/2019 IT Controls 1v
31/32
-
7/29/2019 IT Controls 1v
32/32