Upload File

it questionere

15

Click here to load reader

Upload: tauqeer25

Post on 04-Oct-2015

215 views

Category:

Documents


0 download

Report

TRANSCRIPT

1

No.DescriptionYesNoN/A

AACCESS TO DATA FILES

-Audit ObjectiveIs access to data files restricted to authorized users and programs?

-Access to Data

1Is there any formal written data security policy? Consider whether the policy addresses data ownership, confidentiality of information, and use of password.

2Is the security policy communicated to individuals in the organization?

3Is physical access to off-line data files controlled in:

Computer room?

On-site library?

Off-site library?

4Does the company employ a full-time librarian who is independent of the operators and programmers?

5Are libraries locked during the absence of the librarian?

6Are requests for on-line access to off line files approved?

7Are requests checked with the actual files issued and initialed by the librarian?

8Are sensitive applications e.g. payroll, maintained on machines in physically restricted areas?

9Are encryption techniques used to protect against unauthorized disclosure or undetected modification of sensitive data?

10Are returns followed up and non returns investigated and adequately documented?

BCOMPUTER PROCESSING

1Does a scheduled system exist for the execution of programs?

2Are non-scheduled jobs approved prior to being run?

3Is the use of utility programs controlled (in particular those that can change executable code or data)?

4Are program tests restricted to copies of live files?

5Is access to computer room restricted to only authorized personnel?

6Are internal and external labels used on files?

7Are overrides of system checks by operators controlled?

8Are exception reports for such overrides pointed and reviewed by appropriate personnel?

9Are sufficient operating instructions exist covering procedures to be followed at operation?

10If so, are these independently reviewed?

11Is integrity checking programs run periodically for checking the accuracy and correctness of linkages between records?

CACCESS CONTROLS

1Is there any proper password syntax in-force ie minimum 5 and maximum 8 characters and include alphanumeric characters?

2Are there satisfactory procedures for reissuing passwords to users who have forgotten theirs?

3Are procedures in place to ensure the compliance of removal of terminated employee passwords?

4Are system access compatibilities properly changed with regard to personnel status change?

5Are individual job responsibilities considered when granting users access privileges?

6Is each user allocated a unique password and user account?

7Are there procedures in place to ensure forced change of password after every 30 days?

8Is application level security violations logged?

9Do standards and procedures exist for follow up of security violations?

10Do formal and documented procedures exist for use and monitoring of dial up access facility?

11Is use made of passwords to restrict access to specific files?

12Do terminals automatically log off after a set period of time?

13Is there a limit of the number of invalid passwords before the terminal closes down?

14Are there any administrative regulations limiting physical access to terminals?

15Are invalid password attempts reported to user department managers?

16Are restrictions placed on which applications terminals can access?

17Are keys, locks, cards or other physical devises used to restrict access to only authorized user?

DVIRUSES

1Is there any formal written anti-virus policy?

2Is the policy effectively communicated to individuals in the organization?

3Is there a list of approved software and suppliers?

4Is only authorized software installed on microcomputers?

5Is there a master library of such software?

6Are directories periodically reviewed for suspicious files?

7Are files on the system regularly checked for size changes?

8Is anti-virus software installed on all microcomputers/laptops?

9Is anti-virus software regularly updated for new virus definitions?

10Are suspicious files quarantined and deleted from the terminals hard drive and network drive on regular basis?

11Are diskettes formatted before re-use?

12Have procedures been developed to restrict or oversee the transfer of data between machines?

13Is staff prohibited from sharing machines (laptops/desktops)?

14Is software reloaded from the master diskettes after machine maintenance?

15Has all staff been advised of the virus prevention procedures?

16Are downloads from internet controlled by locking the hard-drive and routing it through network drive to prevent the virus (if any) from spreading?

EINTERNET

1Is there any proper policy regarding the use of internet by the employees?

2Does the policy identify the specific assets that the firewall is intended to protect and the objectives of that protection?

3Does the policy support the legitimate use and flow of data and information?

4Is information passing through firewall is properly monitored?

5Determine whether management approval of the policy has been sought and granted and the date of the most recent review of the policy by the management?

6Is the policy properly communicated to the users and awareness is maintained?

7Have the company employed a Firewall Administrator?

8Is firewall configured as per security policy?

9Is URL screening being performed by Firewall?

10Is anti-virus inspection enabled?

11Are packets screened for the presence of prohibited words? If so, determine how the list of words is administered and maintained.

12Are access logs regularly reviewed and any action is taken on questionable entries?

FCONTINUITY OF OPERATIONS

Physical Protection

L.IFire Hazard

1Check the safety against fire in the following ways:

Building materials fire resistant?

Wall and floor coverings non-combustible?

Separation from hazardous areas (e.g. fire doors)?

Separation from combustible materials (e.g. paper, fuel)?

Smoking restriction?

Fire resistant safes (for tapes, disks and documentation)?

2Check the appropriate arrangements of fire detection devices:

Smoke/ Heat-rise detectors?

Detectors located on ceiling and under floor?

Detectors located in all key EDP areas?

Linked to fire alarm system?

3Check the appropriate arrangements for fire fighting:

Halon gas system (for key EDP areas)

Automatic sprinkler system

Portable CO2, extinguishers (electrical fires)

Ease of access for fire services

4Check appropriate arrangements in case of fire emergency:

Fire instructions clearly posted

Fire alarm buttons clearly visible

Emergency power-off procedures posted

Evacuation plan, with assignment of roles and responsibilities

5Check if there is training to avoid fire emergecny:

Regular fire drill and training

Regular inspection/testing of all computing equipment

L.IIAIR CONDITIONING

Monitoring of temperature and humidity in EDP area

Heat, fire and access protection of sensitive air-conditioning parts (eg. cooling tower)

Air intakes located to avoid undesirable pollution

Back-up air conditioning equipment

L.IIIPower Supply

Reliable local power supply

Separate computer power supply

Line voltage monitored

Power supply regulated (For voltage fluctuation)

Uninterrupted power supply (eg. Battery system) available

Alternative power supply (eg. Generator) Emergency lighting system

L.IVCommunications Network

Physical protection of communications lines modems, multiplexors and processors

Location of communication equipment separate from main EDP equipment

Back-up and dial-up lines for direct lines

L.VMachine (Servers) Room Layout

Printers, plotters located in separate area

Printout preparation (eg. bursting) located in separate area

Tape/Disk library in separate area Machine room kept tidy

Practical location of security devices

Emergency power off switches

Alarms

Extinguishers

Environment monitoring equipment

L.VIAccess Control

Entrance Routes (EDP areas):

No unnecessary entrances to the computer room

Non-essential doors always shut and locked to the outside (eg, Fire exits)

Air vent and daylight access location

Protected and controlled use of all open doors

GACCESS CONTROL

1Access restricted to selected employees

2Prior approval required for all other employees

3Entrance door controlled by:

Screening by a guard

Locks/combinations

Electronic badge/key

Other - biological identification devices

4Positive identification of all employees (eg. identification card)

5Verification of all items taken into and out of the computer room

6Access controlled on 24 hours basis including weekends (eg, automatic control mechanism)

7Locks, combinations, badge codes changed periodically

M.IVisitor Control

1Positive identification always required

2Badges issued, controlled and returned on departure

3All visits logged in and out

4Visitors accompanied and observed at all times

M.IITerminal Security

1All terminals located in secure areas

2Alarm system used to control microcomputers from being disconnected or moved from its location.

3Sensitive applications eg payroll, maintained on machines in physically restricted area.

4Terminal keys/locks used

5Passwords changed regularly

6Identification labels been placed on each terminal.

M.IIIGeneral Security

1Waste regularly removed from EDP area and sensitive data shredded.

2Window and door alarm system.

3Closed circuit television monitoring ie CCTV cameras.

HPERSONNEL POLICIES MIS STAFF

1New employees recruited according to job description and job specification.

2Employee identity cards issued.

3Performance evaluation and regular counseling.

4Continuing education program.

5Training in security, privacy and recovery procedures.

6All functions covered by cross training.

7Critical jobs rotated periodically (e.g. operators, program maintenance).

8Clean desk policy enforced.

9Fidelity insurance for key personnel.

10Contract service personnel vetted (e.g. cleaners)

IINSURANCE

1Does adequate insurance exist to cover:

Equipment?

Software and documentation?

Storage media?

Replacement/ re-creation cost?

Loss of data/assets (eg. Accounts receivable)?

Business loss or interruption (business critical systems)?

2Is adequate consideration given to cover additional cost of working and consequential losses?

JBACK-UP PROCEDURES

P.IEquipment (computer and ancillary)

1Regular preventive maintenance

2Reliable manufacturer service Arrangements for back-up installation Formal written agreement

3Compatibility regularly checked

4Sufficient computer time available at back-up

5Testing at back-up regularly performed

P.IIOutside Suppliers (non continuance/ disaster)

-(eg, suppliers of equipment, computer time, software)

1Alternative sources of supply/ maintenance/ service available

2Adequate and secure documentation/ back-up of data and programs

3Are backup copies of system documentation kept in a secure location?

P.IIIOff-site Storage:

1Secure separate location

2Adequate physical protection. Log maintained of off-site materials

3Off- site Inventory regularly reviewed

4File transportation under adequate physical protection

5Back-up files periodically tested

P.IVData Files

1File criticality and retention procedure regularly reviewed

P.VTape

1At least three generations of important tape files retained

2Copies of all updating transactions for above retained

3At least one generation and all necessary updating transactions in off-site storage

P.VIDisc

1Checkpoint/restart procedures provided for

2Audit trail (log file) of transactions updating on-line files (data base) maintained

3Regular tape dumps of all disc files stored off-site

4Audit trail (log file) regularly dumped and stored off-site

P.VIISoftware

1Copies of following maintained at off-site storage: Production application programs

Major programs under development

System and program documentation

Operating procedures

Operation and system software

All copies regularly updated

Back-up copies regularly tested

P.VIIIOperations

1Back-up procedure manual

2Priority assignments for all applications

3Procedures for restoring data files and software Procedures for back-up installation

KDISASTER RECOVERY PLANS

1Is a comprehensive contingency plan developed, documented and periodically tested to ensure continuity in data processing services?

2Does the contingency plan provide for recovery and extended processing of critical applications in the event of catastrophic disaster?

3Has any Business Impact Analysis carried out by the company?

4Are all recovery plans approved and tested to ensure their adequacy in the event of disaster?

5Communicated to all management and personnel concerned

6Critical processing priorities identified (eg. Significant accounting applications)

7Are disaster recovery teams established to support disaster recovery plan?

8Are responsibilities of individuals within disaster recovery team defined and time allocated for completion of their task?

9Operations procedures for use of equipment and software back-up

10Has the company developed and implementedadequate plan maintenance procedures?

11Are priorities set for the development of critical systems?

12Does a hardware maintenance contract exist with a reputable supplier?

13Does the recovery plan ensure, in the event of failure:

No loss of data received but not processed

No reprocessing of data already processed

Files not corrupted by partially completed processing

14Are recovery plans regularly tested?

APPLICATION CONTROLS - INPUT

-Audit ObjectiveDo controls provide reasonable assurance that for each transaction type, input is authorized, complete and accurate, and that errors are promptly corrected?

1Are all transactions properly authorized before being processed by computers?

2Are all batches of transactions authorized?

3Do controls ensure unauthorized batches or transactions are prevented from being accepted ie they are detected?

4Is significant standing data input verified against the master file?

5Is maximum use made of edit checking e.g. check digits, range and feasibility checks, limit tests, etc.?

6Are there procedures to ensure all vouchers have been processed e.g. batch totals, document counts, sequence reports, etc.?

7Are there procedures established to ensure that transactions or batches are not lost, duplicated or improperly changed?

8Are all errors reported for checking and correction?

9Are errors returned to the user department for correction?

10Do procedures ensure these are resubmitted for processing?

11Is an error log maintained and reviewed to identify recurring errors?

12Are persons responsible for data preparation and data entry independent of the output checking and balancing process?

13Are persons responsible for data entry prevented from amending master file data?

1


Il. it İT Talat it. Ela it. Lale it. Ata it. Ali it

KEEP It, FILE It, Share It, DELETE It, SHRED It or Archive It

BELIEVE IT. ACHIEVE IT. BELIEVE IT. ACHIEVE IT

MOW IT BLOW IT TRENCH IT HAUL IT DRILL IT TILL IT DO IT. · MOW IT BLOW IT TRENCH IT HAUL IT DRILL IT TILL IT DO IT. DO IT. • Mow tall fields • Mow lawns • Till your garden

DREAM IT. LEARN IT. DO IT. What's your it?

IF YOU . . . PREP IT PLACE IT, FINISH IT PAVE IT, CURE IT ... · if you . . . prep it place it, finish it pave it, cure it dry it, sa it drill it, rea it haul it. . . e have it manufacturer

WORK IT, WRAP IT, FIX IT, FOLD IT

Sense it! Connect it! Bus it! Solve it! - Turck

PRINCIPIO - sanigroothandel.nl · PRINCIPIO "live it" "live it" "live it" "live it" "live it" "live it" "live it" "live it" "live it" Bathroom Furniture Additional cabinets PI ZS

Dream It. Dream it. Build it. Set it free. Drupal It. · PDF fileDream It.Dream it. Build it. Set it free. Drupal It. ... Drupal Becoming the Dominant Platform ... • Open, standards

PowerPoint Presentation€¦ · MAKE IT AWESOME. MAKE IT UNFORGETTABLE. MAKE IT PROUD. MAKE IT CREATIVE. MAKE IT BETTER. MAKE IT LAST. MAKE IT INSPIRING. MAKE IT BRILLIANT. MAKE IT

Let It Snow! - MK Virtual Office · Let It Snow! Let It Snow! Let It Snow! Let It Snow! Let It Snow! Let It Snow! Let It Snow! Let It Snow! Let It Snow! Let It Snow! Let It Snow!

Challenge it, report it, stop it

Say it, learn it, own it!

Trace IT color IT CuT IT KindergartenMom.com Parallelogram...Trace IT color IT CuT IT KindergartenMom.com Parallelogram

Imagine It , feel it,Receive It

Find It, Rate It, Use It

s71200 Easy Book It-IT It-IT

Watch It Do It Teach It

Bundle it. Blend it. Innovate it

s7400 Module Data It It-IT

KEEP It, FILE It, Share It, DELETE It, SHRED It or Archive It€¦ · KEEP It, FILE It, Share It, DELETE It, SHRED It or Archive It What to do with UNCW Records and When to do it

bestchoice.net.nz e-Learningfiles.meetup.com/163896/BestchoiceMeetup2008.pdf · It Sucks It Sucks It Sucks It Sucks It Sucks It Sucks It Sucks It Sucks It Sucks It Sucks It Sucks

Think it. Mean it. Say it

See it Report it Stop it Welcome - Microsoftbtckstorage.blob.core.windows.net/site6661/Presentations/... · 2012-06-15 · See it Report it Stop it Victoria See it Report it Stop

s7300 Module Data Manual It-IT It-IT

Be it. Do it. Live it. Work it

· PDF fileCMDB . IT . BTIM IT BTIM (Betasoft Integrated Management , IT ) , BTIM IT i£ìtBfå. , . . IT , IT . BTIM IT BTIM (Betasoft Integrated Management , IT ) ,

Design it Build it Drive it

Eat it drink it smoke it do it

Scratch It Sketch It Create It

Think It...Drink It...Milk It!

If you WEAR IT, EAT IT, WATCH IT, PLAY IT, OR BUY IT

MAKE IT, TAKE IT, FRAME IT

Pentatonix: Daft Punk - blog.andrewsbecker.netblog.andrewsbecker.net/.../Pentatonix_-_Daft_Punk.pdf · it it it it zip zip zip zip un un un un zip zip zip zip it it it it it it it