OPERATIONAL CONTROL ISSUES

Organizational Policy and
Organizational Controls
• Every computer installation should have specific standards and procedures manuals covering operations.
• An important element of any set of standards or manuals should be the requirement that operators maintain logs on which any unusual events or failures are recorded, according to time and in detail.
Data Files and Program Controls
• Data library
• Procedures to access programs, data files, and documentation
• Authorized person
• Control is enhanced by the practice of maintaining an inventory of file media within the data library.
Backup/Restart
• Control planning must be based on the assumption that any computer system is subject to several different types of failures.
• Procedures must exist, and must be tested, for recovery from failures or losses of equipment, programs, or data files.
• Backup and restart capabilities for both programs and data files require specific retention cycles and the storage of backup copies of programs and files at remote, protected locations.
• Copies of system documentation, standards, and procedure manuals also should be protected through remote off-site storage.
Physical Security and Access Control
• To prevent or deter theft, damage, and unauthorized access; to control the movement of network-related equipment and attached devices; and to prevent unauthorized access to data and software.
Environmental Controls
General Control                                   | COBIT Control
--------------------------------------------------+-----------------------------------------------------
Organizational policy and organizational controls | Manage third-party services; Manage operations
Data files and program controls                   | Manage performance and capacity; Ensure system security; Identify and allocate costs; Manage data
Backup/restart and disaster recovery controls     | Ensure continuous service
Environmental controls                            | Manage the configuration; Manage the facility
Physical security access controls                 | Ensure systems security
Problem Management Auditing
• Problem management is a process used to report, log, correct, track, and resolve problems within the hardware, software, network, telecommunications, and computing environment of an organization.
• Problem management provides the framework to open, transfer, escalate, close, and report problems to management.
• Effective problem management procedures are vital to long-term control over the performance of a data processing organization.
Example of Audit Steps
• Administration of IT Activities
– Review the organization chart and evaluate the established procedures for adequacy in defining responsibilities in the security administration area.
– Determine who is responsible for control and administration of security. Verify that adequate security exists in the security administration function.
– Determine whether adequate direction is maintained for each IT functional area within a policy and procedures manual. Evaluate whether the manual is kept up to date by IT management.
– Determine if written personnel policies for the IT administration personnel exist, and if these policies stress adequate qualification and level of training and development.
– Determine if long-range (two to five year) system planning is maintained by IT management and is adequately considered in the fiscal budgeting process.
– Assess the adequacy of inventory procurement and control pertaining to the administration of the LAN environment. Review available inventory documentation to determine if it is adequately maintained and complete in description and location. Compare the serial numbers on the computer software with inventory records to determine if illegal copies of system and application software are being supported.
Example of Audit Steps
• Operating System Software and Data
– Determine through interviews with data center personnel whether any significant modifications or upgrades were implemented during this audit year. Review authorization documentation to ensure that adequate IT management approval is obtained prior to the implementation.
– Determine through interviews with the IT personnel the procedures implemented to ensure that adequate IT management approval is obtained prior to the implementation.
– Evaluate access restrictions over critical system operation areas.