OPERATIONAL CONTROL ISSUES

Organizational Policy and Organizational Controls
• Every computer installation should have specific standards and procedures manuals covering operations.
• An important element of any set of standards or manuals is the requirement that operators maintain logs on which any unusual events or failures are recorded, by time and in detail.

Data Files and Program Controls
• A data library holds programs, data files and documentation.
• Procedures govern access to programs, data files and documentation.
• Access is limited to authorized persons.
• Control is enhanced by the practice of maintaining an inventory of file media within the data library.

Backup/Restart
• Control planning must be based on the assumption that any computer system is subject to several different types of failure.
• Procedures must exist, and must be tested, for recovery from failures or losses of equipment, programs or data files.
• Backup and restart capabilities for both programs and data files require specific retention cycles and the storage of backup copies of programs and files at remote, protected locations.
• Copies of system documentation, standards and procedure manuals should also be protected through remote off-site storage.

Physical Security and Access Control
• Physical security and access controls exist to prevent or deter theft, damage and unauthorized access, to control the movement of network-related equipment and attached devices, and to prevent unauthorized access to data and software.
Environmental Controls

General Control: COBIT Control
• Organizational policy and organizational controls: Manage third-party services; Manage operations
• Data files and program controls: Manage performance and capacity; Ensure systems security; Identify and allocate costs; Manage data
• Backup/restart and disaster recovery controls: Ensure continuous service
• Environmental controls: Manage the configuration; Manage the facility
• Physical security and access controls: Ensure systems security

Problem Management Auditing
• Problem management is a process used to report, log, correct, track and resolve problems within the hardware, software, network, telecommunications and computing environment of an organization.
• Problem management provides the framework to open, transfer, escalate, close and report on problems.
• Effective problem management procedures are vital to long-term control over the performance of a data processing organization.

Example of Audit Steps
• Administration of IT Activities
– Review the organization chart and evaluate the established procedures for adequacy in defining responsibilities in the security administration area.
– Determine who is responsible for the control and administration of security. Verify that adequate security exists within the security administration function itself.
– Determine whether adequate direction is maintained for each IT functional area within a policy and procedures manual. Evaluate whether the manual is kept up to date by IT management.
– Determine whether written personnel policies for IT administration personnel exist, and whether these policies stress adequate qualification and an appropriate level of training and development.
– Determine whether long-range (two- to five-year) system planning is maintained by IT management and is adequately considered in the fiscal budgeting process.
– Assess the adequacy of inventory procurement and control pertaining to the administration of the LAN environment.
Review available inventory documentation to determine whether it is adequately maintained and complete in the description and location of each item. Compare the serial numbers of installed software with inventory records to determine whether unlicensed copies of system and application software are being supported.

Example of Audit Steps
• Operating System Software and Data
– Determine, through interviews with data center personnel, whether any significant modifications or upgrades were implemented during the audit year. Review authorization documentation to ensure that adequate IT management approval was obtained prior to implementation.
– Determine, through interviews with IT personnel, what procedures are in place to ensure that adequate IT management approval is obtained prior to any implementation.
– Evaluate access restrictions over critical system operation areas.
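The serial-number comparison in the inventory audit step above is mechanical enough to script. The following is an added example, not code from the original slides: it reconciles constructed install records against a constructed licence inventory and returns the findings an auditor would want listed (a serial not in the inventory, a serial deployed on more hosts than it has seats, a serial used for a different product than it was bought for, a purchased serial never found installed, and duplicate inventory records). The record fields (host, product, serial, seats), the serial normalisation and all sample data are assumptions.

```python
"""Reconcile installed-software serials against the licence inventory.

Added example for the inventory audit step; not code from the original
slides. Field names (host, product, serial, seats) and all records below
are constructed assumptions.
"""
from collections import defaultdict


def norm(serial):
    """Normalise a serial so 'acme-1001 ' and 'ACME-1001' compare equal."""
    return serial.strip().upper()


# Constructed licence inventory: one record per purchased serial.
LICENSE_INVENTORY = [
    {"serial": "ACME-1001", "product": "Acme Office", "seats": 2},
    {"serial": "ACME-1002", "product": "Acme Office", "seats": 1},
    {"serial": "DBX-77", "product": "DBX Server", "seats": 1},
]

# Constructed install records, as collected from hosts during the audit.
INSTALLED = [
    {"host": "ws01", "product": "Acme Office", "serial": "ACME-1001"},
    {"host": "ws02", "product": "Acme Office", "serial": "acme-1001 "},  # same serial, sloppy entry
    {"host": "ws03", "product": "Acme Office", "serial": "ACME-1001"},   # third host on a 2-seat serial
    {"host": "ws04", "product": "Acme Office", "serial": "ACME-9999"},   # serial not in inventory
    {"host": "db01", "product": "DBX Server", "serial": "DBX-77"},
    {"host": "ws05", "product": "Acme Office", "serial": "DBX-77"},      # serial belongs to another product
]


def reconcile(inventory, installed):
    """Compare install records with the licence inventory.

    Returns a dict of findings:
      unknown             - (host, serial): serial is not in the inventory
      product_mismatch    - (host, serial, product): serial is licensed for a different product
      over_deployed       - (serial, seats, hosts): more hosts use the serial than seats allow
      unused              - serials in inventory with no valid install (possibly stale records)
      duplicate_inventory - serials that appear more than once in the inventory itself
    """
    by_serial = {}
    duplicate_inventory = []
    for rec in inventory:
        key = norm(rec["serial"])
        if key in by_serial:
            duplicate_inventory.append(key)
        by_serial[key] = rec

    hosts_by_serial = defaultdict(list)
    findings = {
        "unknown": [],
        "product_mismatch": [],
        "over_deployed": [],
        "unused": [],
        "duplicate_inventory": duplicate_inventory,
    }
    for inst in installed:
        key = norm(inst["serial"])
        lic = by_serial.get(key)
        if lic is None:
            findings["unknown"].append((inst["host"], key))
            continue
        if lic["product"] != inst["product"]:
            findings["product_mismatch"].append((inst["host"], key, inst["product"]))
            continue
        hosts_by_serial[key].append(inst["host"])

    # Seat counting only over installs that matched a valid licence record.
    for key, hosts in hosts_by_serial.items():
        seats = by_serial[key]["seats"]
        if len(hosts) > seats:
            findings["over_deployed"].append((key, seats, sorted(hosts)))

    findings["unused"] = sorted(k for k in by_serial if k not in hosts_by_serial)
    return findings


def audit_findings():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(LICENSE_INVENTORY, INSTALLED)


if __name__ == "__main__":
    for kind, items in audit_findings().items():
        print(f"{kind}: {items}")
```

Each finding maps to an audit question rather than a verdict: an unknown serial may be an unlicensed copy or a missing inventory record, and an over-deployed serial may be a licence breach or a host that was decommissioned but never removed from the install list, so the script produces the exception list and the auditor follows up.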