07 - Cisa It Audit
Acquisition of Hardware
Problem Logs
Job Accounting System Reports
HARDWARE ACQUISITION PLAN
Is the plan aligned with business requirements?
Is the plan compared regularly to business plans to ensure continued synchronization with business requirements?
Is the plan synchronized with IS plans?
Have criteria for the acquisition of hardware been developed?
Is the environment adequate to accommodate the currently installed hardware and the new hardware to be added under the approved hardware acquisition plan?
Are the hardware specifications, installation requirements and the likely lead time associated with planned acquisitions adequately documented?
ACQUISITION OF HARDWARE
Is the acquisition in line with the hardware acquisition plan?
Have the IS management staff issued written policy statements regarding the acquisition and use of hardware, and have these statements been communicated to the users?
Have procedures and forms been established to facilitate the acquisition approval process?
Are requests accompanied by a cost-benefit analysis?
Are purchases routed through the purchasing department to streamline the process, avoid duplications and take advantage of quantity and quality benefits such as volume discounts?
CAPACITY MANAGEMENT AND MONITORING
Passwords
• Network user access
• Are users assigned unique passwords?
• Are users required to change their passwords on a periodic basis?
• Are passwords encrypted and not displayed on the computer screen when entered?
4.25 - Network infrastructure and implementation
Network User Access
• Is network user access based on written authorization, given on a need-to-know/need-to-do basis and based on the individual's responsibilities?
• Are network workstations automatically disabled after a short period of inactivity?
• Is remote access to the system supervisor prohibited?
• Are all logon attempts to the supervisor account captured in the computer system?
• Are activities by supervisor or administrative accounts subject to independent review?
• Is up-to-date information regarding all communication lines connected to the outside maintained by the network supervisor?
Network access change requests
• Are network access change requests authorized by the appropriate manager? Are standard forms used?
• Are requests for additions, changes and deletions of network logical access documented?
Test plans
• Are appropriate implementation, conversion and acceptance test plans developed for the organization's distributed data network, hardware and communication links?
Security reports
• Is only authorized access occurring?
• Are security reports reviewed adequately and in a timely manner?
• In the case of unauthorized users, are follow-up procedures adequate and timely?
Security mechanisms
• Have all sensitive files/datasets in the network been identified, and have the requirements for their security been determined?
• Are all changes to the operating system software used by the network and made by IS management (or at user sites) controlled? Can these changes be detected promptly by the network administrator or those responsible for the network?
• Do individuals have access only to authorized applications, transaction processors and data sets?
• Are system commands affecting more than one network site restricted to one terminal and to an authorized individual with an overall network control responsibility and security clearance?
• Is encryption being used on the network to encode sensitive data?
• Were procedures established to ensure effective controls over the hardware and software used by the departments served by the distributed processing network?
• Are security policies and procedures appropriate to the environment:
o Highly distributed: Is security under the control of individual user management?
o Distributed: Is security under the direction of user management, while adhering to the guidelines established by IS management?
o Mixed: Is security under the direction of individual user management, with overall responsibility remaining with IS management?
o Centralized: Is security under the direction of IS management, with IS management staff maintaining a close relationship with user management?
o Highly centralized: Is security under the complete control of IS management?
Network operation procedures
• Do procedures exist to ensure that data compatibility is applied properly to all the network's datasets and that the requirements for their security have been determined?
• Have adequate restart and recovery mechanisms been installed at every user location served by the distributed processing network?
• Has the IS distributed network been designed to ensure that failure of service at any one site will have a minimal effect on the continued service to other sites served by the network?
• Are there provisions to ensure consistency with the laws and regulations governing the transmission of data?
Interview the person responsible for maintaining the network
• Is the person aware of the risks associated with physical and logical access that must be minimized?
• Is the person aware of the need to actively monitor logons and to account for employee changes?
• Is the person knowledgeable in how to maintain and monitor access?
Interview users
• Are users aware of management policies regarding network policies and confidentiality?
4.26 – IS Operations
Observation of IS personnel
• Have controls been put in place to ensure efficiency of operations and adherence to established standards and policies?
• Is adequate supervision present?
• Have controls been put in place regarding IS management review, data integrity and security?
Operator access
• Is access to files and documentation libraries restricted to operators?
• Are responsibilities for the operation of computer and related peripheral equipment limited?
• Is access to correcting program and data problems restricted?
• Should access to utilities that allow system fixes to software and/or data be restricted?
• Is access to production source code and data libraries (including run procedures) limited?
Operator manuals
• Are instructions adequate to address:
o The operation of the computer and its peripheral equipment?
o Startup and shutdown procedures?
o Actions to be taken in the event of machine/program failure?
o Records to be retained?
o Routine job duties and restricted activities?
Access to the library
• Is the librarian prevented from accessing computer hardware?
• Does the librarian have access only to the tape management system?
• Is access to library facilities provided to authorized staff only?
• Is removal of files restricted by production scheduling software?
• Does the librarian handle the receipt and return of foreign media entering the library?
• Are logs of the sign-in and sign-out of data files and media maintained?
Contents and location of offline storage
• Are offline file storage media containing production system programs and data clearly marked with their contents?
• Are offline library facilities located away from the computer room?
• Are policies and procedures adequate for:
o Administering the offline library?
o Checking out/in media, including requirements for signature authorizations?
o Identifying, labeling, delivering and retrieving offsite backup files?
o Inventorying the system for onsite and offsite media, including the specific storage locations of each tape?
o Secure disposal/destruction of media, including requirements for signature authorizations?
File handling procedures
• Have procedures been established to control the receipt and release of files and secondary storage media to/from other locations?
• Are internal tape labels used to help ensure that the correct media are mounted for processing?
• Are these procedures adequate and in accordance with management's intent and authorization?
• Are these procedures being followed?
Data entry
• Are input documents authorized, and do the documents contain appropriate signatures?
• Are batch totals reconciled?
• Does segregation of duties exist between the person who keys the data and the person who reviews the keyed data for accuracy and errors?
• Are control reports being produced? Are the reports accurate? Are the reports maintained and reviewed?
Lights-out operations
Also called a lights-out data center: a room containing a number of servers, kept under lock and key and in the dark, that under normal operation is not entered by human administrators; all operations in the room are automated. The computers in a lights-out server room are typically controlled through KVM switches to help ensure the security of the locked room.
• Remote access to the master console is often granted to standby operators for contingency purposes such as automated software failure. Is access security sufficient to guard against unauthorized use?
• Do contingency plans allow for the proper identification of a disaster in the unattended facility?
• Are the automated operation software and manual contingency procedures documented and tested adequately at the recovery site?
• Are proper program change controls and access controls present?
• Are tests of the software performed on a periodic basis, especially after changes or updates are applied?
• Do assurances exist that errors are not hidden by the software and that all errors result in operator notification?
4.27 – Scheduling
• Regularly scheduled applications
• Input deadlines
• Data preparation time
• Estimated processing time
• Output deadlines
• Procedures for collecting, reporting and analyzing key performance indicators
• Are the items included in SLAs?
• Are the items functioning according to the SLAs?
Job schedule
• Have critical applications been identified and the highest priority assigned to them?
• Have processing priorities been established for other applications, and are the assigned priorities justified?
• Is scheduling of rush/rerun jobs consistent with their assigned priority?
• Do scheduling procedures facilitate optimal use of computer resources while meeting service requirements?
• Do operators record jobs that are to be processed and the required data files?
• Do operators schedule jobs for processing on a predetermined basis and perform them using either automated scheduling software or a manual schedule?
Daily job schedule
• Is the number of personnel assigned to each shift adequate to support the workload?
• Does the daily job schedule serve as an audit trail? Does the schedule provide each shift of computer operators with the work to be done, the sequence in which programs are to be run and an indication of when lower-priority work can be done?
• At the end of a shift, does each operator pass to the work scheduler or the next shift of operators a statement of the work completed and the reasons any scheduled work was not finished?
Console log
• Were jobs run and completed according to the schedule?
• If not, are the reasons valid?
Exception processing log
• Do operators obtain written or electronic approval from owners when scheduling request-only jobs?
• Do operators record all exception processing requests?
• Do operators review the exception processing request log to determine the appropriateness of procedures performed?
Re-executed jobs
• Are all re-executions of jobs properly authorized and logged for IS management review?
• Are procedures established for rerunning jobs to ensure that the correct input files are being used and that subsequent jobs in the sequence are also rerun, if appropriate?
Personnel
• Are personnel who are capable of assigning or changing job schedules or job priorities authorized to do
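The console-log, exception-processing-log and re-executed-jobs questions above can be answered from evidence rather than interview alone. The following is an added example, not part of the original checklist: it reconciles a constructed daily job schedule against a constructed console log and owner-approval list, reporting jobs that never completed, reruns with no recorded approval, and reruns whose downstream jobs were not rerun. The log line format, job names and approval record are assumptions.

```python
import re
from collections import defaultdict

# Constructed daily schedule: job -> jobs that depend on it and must run after it
SCHEDULE = {
    "GL_EXTRACT": ["GL_POST"],
    "GL_POST": ["GL_REPORT"],
    "GL_REPORT": [],
    "HR_BACKUP": [],
}

# Constructed console log; the line format "HH:MM JOB END RC=n" is an assumption
CONSOLE_LOG = """\
02:15 GL_EXTRACT END RC=0
02:40 GL_POST END RC=8
02:50 GL_REPORT END RC=0
03:20 GL_POST END RC=0
03:40 GL_EXTRACT END RC=0
"""

# Constructed exception-processing log: (job, run number) approved by the owner
RERUN_APPROVALS = {("GL_POST", 2)}

END_LINE = re.compile(r"^(\d\d):(\d\d) (\S+) END RC=(\d+)$")


def parse_console_log(text):
    """Return job -> [(minute_of_day, return_code), ...] in log order."""
    runs = defaultdict(list)
    for line in text.splitlines():
        m = END_LINE.match(line)
        if m:
            hh, mm, job, rc = m.groups()
            runs[job].append((int(hh) * 60 + int(mm), int(rc)))
    return runs


def reconcile(schedule, runs, approvals):
    """Collect evidence for the console-log and re-executed-jobs questions."""
    findings = {"missed": [], "unauthorized_reruns": [], "dependants_not_rerun": []}
    for job, dependants in schedule.items():
        job_runs = runs.get(job, [])
        if not any(rc == 0 for _, rc in job_runs):      # never completed successfully
            findings["missed"].append(job)
        for n, (ended, _) in enumerate(job_runs, start=1):
            if n == 1:
                continue                                  # first run is not a rerun
            if (job, n) not in approvals:                 # rerun without owner approval
                findings["unauthorized_reruns"].append((job, n))
            for dep in dependants:                        # downstream jobs must rerun too
                if not any(t > ended for t, _ in runs.get(dep, [])):
                    findings["dependants_not_rerun"].append((job, dep))
    return findings
```

On the sample data this reports HR_BACKUP as never run, the second GL_EXTRACT run as an unapproved rerun, and GL_POST/GL_REPORT as dependants that were not rerun after their predecessor was.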
4.28 – Problem Management Reporting
Interviews with IS operations personnel
• Have documented procedures been developed to guide IS operations personnel in logging, analyzing, resolving and escalating problems in a timely manner, in accordance with management's intent and authorization?
• Procedures used by the IS department
• Operations documentation
• Are procedures for recording, evaluating, and resolving or escalating any operating or processing problems adequate?
• Are procedures used by the IS department to collect statistics regarding online processing performance adequate, and is the analysis accurate and complete?
• Are all problems identified by IS operations being recorded for verification and resolution?
• Performance records
• Outstanding error log entries
• Help desk call logs
• Do problems exist during processing?
• Are the reasons for delays in application program processing valid?
• Are significant and recurring problems identified, and are actions taken to prevent their recurrence?
• Were processing problems resolved in a timely manner, and was the resolution complete and reasonable?
• Are there any recurring problems that are not being reported to IS management?
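The outstanding-error-log and recurring-problem questions above can be tested against the problem log itself. The following is an added example, not part of the original checklist: it reviews a constructed problem log for entries still open past an escalation deadline, entries resolved late, categories that recur, and recurring categories where no entry records a root cause (i.e. the problem is being patched, not prevented). The log format, the four-hour deadline, the recurrence threshold and the review date are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed problem log; the "id|opened|closed|category|action" format is an assumption
PROBLEM_LOG = """\
P101|2024-03-01 09:10|2024-03-01 11:00|PRINT_QUEUE|restarted spooler
P102|2024-03-02 08:30|2024-03-02 08:45|PRINT_QUEUE|restarted spooler
P103|2024-03-03 14:00||BATCH_ABEND|
P104|2024-03-04 07:55|2024-03-04 13:20|PRINT_QUEUE|restarted spooler
P105|2024-03-05 16:40|2024-03-05 17:00|DISK_FULL|purged temp files; root cause: log rotation fixed
P106|2024-03-06 09:00|2024-03-06 09:30|DISK_FULL|purged temp files
"""
ESCALATE_AFTER = timedelta(hours=4)   # assumed deadline for resolution or escalation
RECUR_THRESHOLD = 3                   # assumed: three or more entries = recurring
AS_OF = datetime(2024, 3, 7, 9, 0)    # assumed date of the audit review
FMT = "%Y-%m-%d %H:%M"


def parse_problem_log(text):
    """Return one dict per log entry; 'closed' is None while the problem is open."""
    records = []
    for line in text.splitlines():
        pid, opened, closed, category, action = line.split("|")
        records.append({"id": pid, "opened": datetime.strptime(opened, FMT),
                        "closed": datetime.strptime(closed, FMT) if closed else None,
                        "category": category, "action": action})
    return records


def review(records, now):
    """Findings for the timeliness and recurrence questions of 4.28."""
    overdue = [r["id"] for r in records
               if r["closed"] is None and now - r["opened"] > ESCALATE_AFTER]
    late = [r["id"] for r in records
            if r["closed"] is not None and r["closed"] - r["opened"] > ESCALATE_AFTER]
    counts = Counter(r["category"] for r in records)
    recurring = sorted(c for c, n in counts.items() if n >= RECUR_THRESHOLD)
    # A recurring category with no entry recording a root cause has only been
    # patched repeatedly; nothing on record prevents the next recurrence.
    no_root_cause = [c for c in recurring
                     if not any("root cause" in r["action"].lower()
                                for r in records if r["category"] == c)]
    return {"open_past_deadline": overdue, "resolved_late": late,
            "recurring": recurring, "recurring_without_root_cause": no_root_cause}
```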