Professional Documents
Culture Documents
Each IT topic is addressed by the inclusion of a number of essential (or key) Control and Risk
Issues. Additionally, each issue is complimented by illustrative controls and measures.
Please note that the scenario depicted by the issue and control data is not intended to be either
definitive or comprehensive, but rather to provide some general guidance as to the nature of
controls that could be found in practice.
Seq. Risk / Control Issues Example Control(s) / Measure(s)
objectives.
1.6 How can management be assured that - Manpower and skill planning exercise
sufficient levels of IT resource undertaken for the IT division.
(including suitably skilled staff) are - Specific or specialist recruitment requirements
provided to support the current and are identified and addressed in tandem with the
future needs of the business? Human Resources Dept.
1.7 What steps does management take to - Existing staff are continuously monitored for
ensure that the skills of the IT staff their skills against the requirements for the
remain relevant (and what specific current and planned environments. Training and
measures are in place to ensure the development needs are identified and addressed.
maintenance of a minimum skill - Each member of staff has a job specification
level)? which incorporates their specific minimum skill
requirements.
1.8 Have management provided an - Authorised and documented standards and
adequate framework of operating policies have been implemented for the following
standards and policies as a means of areas:
ensuring secure and reliable IT related - Operations Dept.
activities? - System Development Methodology
- Data Control procedures
- Programming Standards including testing
requirements
- Safety standards
- Access Control and logical security policy
- Data back-up and media handling procedures
- Disaster and Contingency Plan
- Data Protection Policy
1.9 How does management prevent - Key duties are strictly segregated as a means of
potential staff fraud or malpractice in reducing the opportunity for malpractice without
the operation of key systems? a high degree of collusion. (i.e. operations and
programming functions are separated in order to
prevent unauthorised program amendments being
applied to the live environment)
I T Sites (Issues 1.10 to 1.16)
1.10 How does management ensure that all - Main building entrance manned by security
I T sites are secure and adequately personnel who check staff and visitors.
protected from unauthorised access? - Access beyond reception is controlled by key-
card system. The key-cards are programmed in
relation to activity zones and allocated on a
"needs" basis.
- Intruder alarms are installed and regularly
tested and serviced.
- Access to the central computer room is
restricted to key personnel only via programmed
key-card.
Seq. Risk / Control Issues Example Control(s) / Measure(s)
1.11 What specific measures control the See responses to 1.10 above
access of visitors, delivery staff, etc. - All visitors are registered upon arrival and
(and what prevents unauthorised escorted whilst in the building.
access to the main computer room)?
1.12 Have adequate physical security and - Intruder alarms are installed and regularly
fire prevention systems been installed, tested and serviced.
and how does management ensure - Main computer room covered by CCTV system
that they remain operational and monitored by security staff.
effective? - Premises are patrolled after normal working
hours.
- Fire detection and alarm system installed and
linked to fire station - regularly tested and
serviced.
- Main computer room is protected by an ozone
friendly gas smothering system.
1.13 Are regular emergency and fire drills - Building evacuation drills are regularly
conducted as a means of evaluating conducted and assessed for their effectiveness.
the effectiveness of the prevailing
measures?
1.14 What measures are in place to both - Goods moving in or out of the premises are
prevent and detect the unauthorised inspected for the relevant written authorities.
removal of IT equipment? - All corporate hardware is identified with a non-
removable label.
- Personal Computers are securely fixed to desks
with flexible metal cords.
1.15 How does management ensure that - All Health and Safety requirements are
staff are sufficiently aware of their contained in the relevant procedures manual
responsibilities in respect of fire given to all employees.
prevention and emergency evacuation - Building evacuation drills are regularly
drills? conducted and assessed for their effectiveness.
1.16 How is management assured that - Legal Department undertake an annual review
adequate and appropriate levels of of insurance cover based upon a formal risk
insurance cover are in place for the IT assessment and the events in the past year.
facilities?
Processing Operations (Issues 1.17 to 1.35)
1.17 What general measures ensure that - Only valid, tested and authorised program
processing activity is valid, accurate versions are available in the production
and authorised? environment.
- All runs are authorised prior to operation.
- JCL ensures that correct files, data and
programs are called during processing.
- System access controls prevent unauthorised
access to data and mainframe facilities.
- Data preparation is reconciled to source
Seq. Risk / Control Issues Example Control(s) / Measure(s)
documents.
- Data is validated for errors.
1.18 What specific measures prevent - System access controls prevent unauthorised
unauthorised transactions and/or access to data and mainframe facilities.
system amendments being applied? - Production program files are read only and
cannot be directly amended.
- Production and development program libraries
are separated and subject to strict program
movement authorities and processes.
1.19 How can management be assured that See responses in sections 1.17 and 1.18 above
data is accurate, complete, authorised
and reliable?
1.20 How is commercially sensitive or - System and data "owners" define the access
confidential data protected from rights to their data and these definitions are
unauthorised access or leakage? reflected in the access control system.
- Access controls in place which give each user a
defined range of access to systems and data, and
prevent access to all other systems.
- Especially sensitive data is further protected in
that it is only accessible from a restricted number
of securely located terminals.
- All confidential output is routed to the laser
printer and shrink wrapped.
1.21 What measures ensure that only - Production and development program libraries
authorised and tested versions of are separated and subject to strict program
programs are utilised? movement authorities and processes.
- Following development and comprehensive
testing, development programs are moved to the
production library on the authority of the
operations manger and end-users.
- The production program library only contains
current and approved versions. The contents are
regularly independently checked against an
approved schedule of programs.
- Access to the production library is restricted
and in live use is controlled by the JCL or SCL.
1.22 What specific steps would prevent the - Production and development program libraries
loading and use of either unauthorised are separated and subject to strict program
or untested programs or system movement authorities and processes.
amendments? - Access to the production library is restricted
and in live use is controlled by the JCL or SCL.
- Unauthorised programs located in the
production library would be detected during the
regular verification of the contents.
1.23 Would management be promptly - Job runs are controlled by authorised JCL or
Seq. Risk / Control Issues Example Control(s) / Measure(s)
made aware of any abnormal SCL. The ability to introduce unauthorised JCL
processing activities? is prevented by access control measures.
- All activity is logged and exception reports
highlighting defined categories of activity are
produced and sent to management for review,
investigation and sign-off.
1.24 What steps are in place to prevent - Access to the production facilities is restricted
development staff directly accessing to privilege users only and augmented by
the live production environment? password control.
1.25 How is management assured that the - Existing staff are continuously monitored for
skills of the operating and technical their skills against the requirements for the
support staff are maintained up-to- current and planned environments. Training and
date and relevant? development needs are identified and addressed.
- Each member of staff has a job specification
which incorporates their specific minimum skill
requirements.
1.26 How can management be assured that - Job scheduling is planned in advance for
the mainframe and distributed mainstream production tasks.
systems are operated at optimum - Loading requirements are based on historical
efficiency (and that facility overloads evidence of resource requirements and run times.
are prevented)? - On-line resource usage monitoring is applied
on all key systems and warning signals activated
if defined parameters are exceeded.
- Operations and technical support staff are on
call to affect schedule amendments and activate
reserve capacity if necessary.
- Performance statistics are generated and
reviewed by management.
1.27 What measures prevent unauthorised - Access to mainframe facilities is restricted by
usage of mainframe facilities? user ID and password.
- Runs are controlled by authorised JCL and
generating JCL requires specific skills.
1.45 How is the disposal of outdated or - Usage of media items is controlled by the
unwanted media controlled so that library system
valid items are not destroyed or
overwritten?
1.46 What measures are in place to prevent - All external media is checked for virus infection
and detect virus infection of media? before use.
- PC users are required to run all external media
through virus software located on a free-standing
machine before loading onto their systems.
1.47 How can management be assured that - All external media is checked for virus infection
virus infections would be promptly before use.
detected, contained and effectively - All PC's have virus detection software loaded
dealt with? which runs on boot up. Any virus infections have
to be reported immediately to Technical Support
Dept. for corrective action.
Systems / Operating Software (Issues 1.48 to 1.62)
1.48 What measures ensure that only - Only tested and approved operating software is
recognised, reliable and correctly utilised.
configured operating systems are - Operating software is configured (in
utilised? accordance with the suppliers recommendations)
to ensure maximum efficiency and appropriate
functionality.
1.49 Does management ensure that - Experienced Technical Support staff are
adequate and appropriately skilled employed. Relevant training is provided so that
staff are available to maintain their skills are maintained at the required level.
operating and systems software?
1.50 What measures prevent the - Configuration amendments are only applied by
inappropriate or disruptive the Technical Support staff.
configuration of operating/systems - All amendments are subject to prior
software? management authority.
- All potential amendments are subject to
rigorous prior testing outwith the production
environment.
1.51 What measures prevent unauthorised - Access is restricted via the access control
access to and amendment of operating system which only permits access by authorised
systems? Technical Support staff. Specialist knowledge
requirements also have the effect of reducing the
opportunity for unauthorised access.
1.52 Are all system software upgrades and - All potential amendments are subject to
fixes adequately assessed, tested and rigorous prior testing outwith the production
authorised prior to application to the environment.
live environment? - Test results are reviewed by management prior
to the granting of update authority.
Seq. Risk / Control Issues Example Control(s) / Measure(s)
1.53 Are systems and operating software - The access control system operates in tandem
facilities effectively configured so that with the operating system to ensure that access is
unauthorised access to data and controlled on a "needs" basis.
systems is prevented? - The mainframe system is further protected by
runs being controlled via the JCL or SCL which
defines those systems and files to be accessed
during the job.
1.54 How can management be assured that - Operating software is configured (in
the efficiency and performance of the accordance with the suppliers recommendations)
operating system is optimised? to ensure maximum efficiency and appropriate
functionality.
1.55 How can management be assured that - All the necessary recovery journals are
full recovery from a major systems maintained. Recovery is regularly tested.
failure can be promptly achieved? - Rebuilding of the operating environment is
tested as part of the Disaster Recovery Plan tests.
1.56 Are abnormal or unauthorised events - Attempted access violations are logged and
promptly and independently brought circulated for review.
to the attention of management? - All errors and non-standard runs are reported
to management for review and sign-off.
1.57 Is access to "privilege user" facilities - Access control system permits access to the high
adequately restricted and trailed? level facilities for named users with double
password access control.
- Amendments applied to configuration files are
logged and reported to management.
1.58 Is access to utility and diagnostic - Identical to methods described in 1.57 above
facilities suitably restricted and
trailed?
1.59 Have management established - All standard journals are generated.
adequate and appropriate levels of - In addition, specific journals and logs have
operating system journals in order to been established to highlight the application of
maintain an awareness of system either sensitive or wide-ranging amendments.
usage and operating efficiency? Such reports are circulated to management for
action.
1.60 How does management ensure that all - Operating systems are initially loaded and
personal computers throughout the configured by Technical Support staff in accord
organisation are appropriately and with the suppliers recommendations and
consistently configured? operational requirements of the company.
- Regular checks are conducted by Technical
Support to ensure that the machines retain their
original and authorised configurations.
1.61 What specific measures prevent the - Regular checks are conducted by Technical
use of unauthorised or unreliable PC Support to ensure that only authorised operating
operating systems? systems are present on company PC's.
Seq. Risk / Control Issues Example Control(s) / Measure(s)
1.62 What measures prevent users from - Regular checks are conducted by Technical
applying unauthorised or Support to ensure that the machines retain their
inappropriate amendments to PC original and authorised configurations.
configurations?
System Access Control (Issues 1.63 to 1.71)
1.63 Has management established a policy - All data and systems are allocated to users.
of system and data ownership - Users grant access rights and these are
whereby users take responsibility for reflected in the database administration system.
their systems and data?
1.64 What measures are in place to ensure - Access control system is in place which supports
that data and systems are effectively the access rights granted by the users/owners (as
protected from unauthorised access defined in the DBMS).
and/or amendments? - Access control system operates on a user-id and
password basis. Each user-id has a range of
access permissions defined.
- Access in not permitted to systems or data
where rights have not been granted and set-up on
the system.
1.65 What measures ensure that the access - Managers are periodically provided with
control arrangements are maintained departmental summaries of users and required to
up-to-date and relevant to the confirm that the details are correct.
underlying business needs? - Access usage is monitored and redundant user-
ids highlighted for removal.
- System level access rights are granted on a
"needs" basis in accord with defined standard
patterns of access.
1.66 Who controls the granting of access - The granting of rights is related to the current
rights and how can management be Policy.
assured that this operation is correctly - The data administrator is held responsible for
conducted? maintaining the access control system in accord
with the policy and the wishes of system owners.
- Managers are periodically provided with
departmental summaries of users and required to
confirm that the details are correct.
1.67 Are attempted security breaches or - The system only allows three unsuccessful log-
violations capable of prompt detection on attempts before reporting the events to the
and effective reporting to data administrator for follow-up investigation.
management?
1.68 What additional measures are in place - Use of high level facilities is protected by two
to ensure that high-level or privilege levels of access control and two passwords.
access rights are effectively controlled - All usage of utilities and privilege facilities are
and that relevant actions are trailed? logged and reported to management for sign-off.
1.69 How can management be certain that - The system security and access policy is given
staff are fully aware of their to all employees and is augmented by
Seq. Risk / Control Issues Example Control(s) / Measure(s)
1.93 How does management ensure that - Assessment of current and future LAN
LAN requirements are fully assessed, requirements was undertaken as part of the
justified, and fit in with future strategic planning exercise.
expansion requirements? - Future expansion flexibility taken into account
when designing and installing LANs.
1.94 Are performance and service - Critical performance and response criteria were
availability requirements identified as identified and incorporated into the LAN
the basis for determining the optimum requirements specification.
networking solution? - Various LAN solutions were fully assessed and
costed as the basis for selection.
1.95 What steps prevent unauthorised User-id and password system in place to control
access to the networked facilities and access to systems and data on a "needs" basis.
protect user systems and data from
invalid access?
1.96 How can management be assured of - Only industry standard hardware and network
the integrity of the network system software are utilised.
software and its contribution to - All the appropriate access and facility control
general data and system security? mechanisms are enabled.
1.97 How are file and system servers - File servers, gateway PCs and PCs used for
adequately protected from overnight back-up are located in a separate
unauthorised access? lockable area.
- File server keyboards are disabled by locks.
1.98 How is the usage of Supervisor and - Such facilities only accessible via the file server
high-level facilities protected from keyboard, which is disabled by a lock.
unauthorised usage? - Supervisor facilities are subject to enhanced
access controls using double passwords.
1.99 Have management made adequate - Suitably experienced staff have been engaged.
arrangements to provide suitable skills - Additional training is provided when necessary.
for the maintenance and amendment
of the network facilities?
Database (Issues 1.100 to 1.111)
1.100 How does management ensure that - A data modelling exercise was conducted as
the data needs of the organisation are part of the IT strategic planning review.
accurately identified and reflected in - A corporate data model has been developed and
current systems and databases? accepted by senior management as the basis for
future business requirements.
- All new and amended systems are required to
comply with the agreed data structure.
1.101 How does management ensure that - Selection of DBMS was subject to formal
appropriate, secure, reliable, and software evaluation and selection methodology.
flexible Database Management - Stability and reliability of DBMS supplier fully
Systems are in place and maintained? assessed prior to purchase being approved.
Seq. Risk / Control Issues Example Control(s) / Measure(s)
1.102 How can management be assured that - All systems and associated data are allocated to
appropriate control is exercised over key users as "owners". The owners determine
data ownership and the determination and agree the access rights of all others.
of access rights? - The Database Administrator is responsible for
ensuring that the agreed access rights are
reflected in the database system.
- The access arrangements established to the
database are subject to periodic review and
agreement by "owners".
1.103 How is data protected from - Partly through the application of the access
unauthorised access and amendments, system described in section 1.102 above.
and how is management assured of - Data is subject to various validation and range
the accuracy of corporate data? checks during input. Additionally, data exception
reports are generated by the relevant applications
for management review and action.
1.104 How is management assured of the - All new database systems are subject to a
accuracy and relevance of database planned implementation including the loading of
set-up in support of the business? new or set-up data. Such data is reconciled to
source and tested for integrity prior to live
operation.
1.105 How is the initial and ongoing - See 1.104 above
integrity of the database structure and - DBMS has integral integrity checking facilities,
records assured? i.e. valid pointers, block sums, etc.
1.106 Has management made adequate - The data administrator is responsible for
arrangements for the ongoing ensuring that adequate day-to-day procedures
maintenance and operation of the are in place covering the updating and
database? maintenance of the system.
- Performance is monitored against agreed
service levels and problems are promptly
reported and followed-up.
1.107 Are all subsequent amendments to the - All subsequent database structure amendments
database structure and contents are authorised in writing and only applied and
subject to authorisation, and what thoroughly tested by the data administrator, who
measures prevent unauthorised then provides confirmation that the appropriate
structural amendments? action has been taken.
-High level access control is exercised over
database amendments and all are reported on
activity reports.
1.108 What specific measures ensure that - DBMS incorporates effective tracking of all
the database can be promptly and transactions with before and after images to
accurately rebuilt in the event of enable recovery to a defined point in time.
major failure? - DBMS rebuilds are regularly tested in the
development environment as part of the
contingency plan tests.
Seq. Risk / Control Issues Example Control(s) / Measure(s)
1.109 How are management assured that - DBMS incorporates effective tracking of all
adequate and effective database back- transactions with before and after images to
up precautions are taken? enable recovery to a defined point in time.
- Back-up is daily. Data is retained in secure
back-up store.
1.110 How would management be made - All accesses are logged.
aware of any attempts to violate access - Unsuccessful or invalid log-on attempts are
arrangements or other unusual restricted to three. All attempted violations are
database activities? logged and reported to the data administrator
and access system manager for follow up.
1.111 How can management be sure that - User training has been provided for the DBMS
query languages are efficiently and Query Language.
appropriately used (and that enquiries - Overnight batch processing of extensive query
are neither excessive nor over- language runs to minimise disruption.
demanding on system resources)? - Query Language runs greater than X minutes
are switched into background mode to avoid
degradation of services.
Data Protection Laws (Issues 1.112 to 1.117)
1.112 What steps has management taken to - All new staff receive training in Data
ensure that all affected staff are made Protection.
aware of their responsibilities under - Data Protection principles are incorporated
the prevailing Data Protection into corporate procedures and instructions.
legislation?
1.113 How does management ensure that all - Data Protection principles are incorporated
the Data Protection requirements are into corporate procedures and instructions.
cost effectively complied with? - Data Protection Co-ordinator is responsible for
monitoring compliance and following-up
procedural shortcomings, etc.
1.114 What measures ensure that the - Registration is periodically reviewed in order to
organisation's registration details ensure that it remains up-to-date and accurate.
remain accurate and up-to-date (e.g. - All new activities and systems are reviewed for
for new systems and business potential Data protection implications.
activities)?
1.115 What steps ensure that Data - The system development methodology
Protection implications are considered incorporates a module for assessing the Data
for all systems under development (or Protection implications of new systems.
where significant amendments are - All new activities and systems are reviewed for
being applied)? potential Data protection implications.
1.116 What systems are in place to - Each data subject enquiry is logged by the Data
effectively deal with enquiries from Protection Co-ordinator and referred to the
data subjects? responsible system manager for action.
- Each enquiry is investigated and assessed - a
decision is reached and the enquirer informed of
Seq. Risk / Control Issues Example Control(s) / Measure(s)
1.133 How does management ensure that - The formal evaluation of possible solutions
the optimum software solution is should take in the market leaders. All are subject
selected (and are all possible solutions to full assessment as the basis for an informed
examined)? selection.
1.134 Does management ensure that - The potential for future flexibility and
software products have a expansion is taken into account during the
demonstrable upgrade path and are assessment process. All facilities are reviewed
capable of meeting user requirements? against the requirements specification agreed
with users.
1.135 Does management ensure that - Support services are assessed.
adequate user support facilities - Adequate user and technical documentation has
(including documentation and to be supplied - the quality of this will be
training) are provided in order to reviewed prior to purchase. The supplier will be
maximise the benefits of the system? expected to address any shortcomings.
- Training needs will identified during the
assessment process. Training proposals and
associated costs will, whenever necessary, be
incorporated in the proposed solution.
1.136 What measures ensure that the - All implementation impacts are identified and
implementation of new software is addressed. An implementation plan is produced
planned for and that adequate and resource requirements determined.
resources are made available?
Contingency Planning (Issues 1.137. to 1.139)
1.137 What procedures have management - A full risk assessment was conducted and a
provided to ensure that any documented Contingency and Recovery Plan has
emergency or major failure can be been developed, agreed and introduced.
promptly and effectively rectified? - All possible recovery options were examined
and the optimum solution selected.
1.138 How can management be assured that - All systems and IT facility changes are assessed
the prevailing contingency for their impact on the Contingency and
arrangements remain up-to-date, Recovery Plan, which is accordingly updated.
appropriate and effective?
1.139 How can management be certain that - All possible recovery options were examined
the current contingency arrangements and costed.
are the most appropriate and cost - The arrangements are reviewed every year in
effective in the circumstances? order to ensure that they remain appropriate.
User Support (Issues 1.1.40 to 1.143)
1.140 Has management taken steps to - Help Desk and User Support team established.
ensure that adequate and appropriate Appropriate skills and facilities provided to
user support facilities are provided, as address support needs of users throughout the
a means to ensure the consistent and company.
Seq. Risk / Control Issues Example Control(s) / Measure(s)