How Company Manage Its Data

IT GENERAL CONTROLS

Source: www.knowledgeleader.com

The checklist is a table with the following columns. Only the first four are populated in this template; the remaining columns are blank in the source document:

  #
  Level (Company Level or Activity Level)
  COBIT Area
  Points to Consider / Control Objectives
  Does this control exist?
  Describe specific activities, programs or controls in place that satisfy the objective
  Controls properly designed?
  Test Procedures
  Controls operating effectively?
  Describe the basis for effectiveness conclusion (including evidence of operation)
  Deficiencies Noted
  Type of Deficiency (Efficiency, Fin. Reporting, Compliance)
  Management Action Plan to Address Deficiencies

Plan and Organize (IT Environment)

 # | Level   | COBIT Area | Points to Consider / Control Objectives
---|---------|------------|----------------------------------------
 1 | Company | Define a Strategic IT Plan | Management has prepared strategic plans for IT that align business objectives with IT strategies. The planning approach includes mechanisms to solicit input from relevant internal and external stakeholders affected by the IT strategic plans.
 2 | Company | Define a Strategic IT Plan | Management obtains feedback from business process owners and users regarding the quality and usefulness of its IT plans for use in the ongoing risk assessment process.
 3 | Company | Define a Strategic IT Plan | Control activities are in place and followed to ensure compliance with external requirements, such as regulatory and legal rules.
 4 | Company | Define the IT Processes, Organisation and Relationships | Management has an IT organizational chart and updates it on a regular basis.
 5 | Company | Define the IT Processes, Organisation and Relationships | An IT planning or steering committee exists to oversee the IT function and its activities. The committee includes representatives from senior management, user management and the IT function.
 6 | Company | Define the IT Processes, Organisation and Relationships | Key systems and data have been inventoried and their owners identified.
 7 | Company | Define the IT Processes, Organisation and Relationships | Roles and responsibilities of the IT organization are defined, documented and understood.
 8 | Company | Define the IT Processes, Organisation and Relationships | IT personnel have sufficient authority to exercise the role and responsibility assigned to them.
 9 | Company | Define the IT Processes, Organisation and Relationships | Data integrity ownership and responsibilities have been communicated to appropriate data/business owners and they have accepted these responsibilities.
10 | Company | Define the IT Processes, Organisation and Relationships | The IT organizational structure is sufficient to provide for the necessary information flow to manage its activities.
11 | Company | Define the IT Processes, Organisation and Relationships | IT management has implemented a division of roles and responsibilities (segregation of duties) that reasonably prevents a single individual from subverting a critical process.
12 | Company | Communicate Management Aims and Direction | IT strategies and ongoing operations are formally communicated to senior management and the board of directors.
13 | Company | Communicate Management Aims and Direction | IT management has formulated, developed, and documented policies and procedures governing the IT organization's activities.
14 | Company | Communicate Management Aims and Direction | IT management has communicated policies and procedures governing the IT organization's activities to all relevant parties.
15 | Company | Communicate Management Aims and Direction | IT management has processes in place to investigate compliance deviations and take appropriate remedial action.
16 | Company | Manage IT Human Resources | IT managers have adequate knowledge and experience to fulfill their responsibilities.
17 | Company | Manage IT Human Resources | Controls are in place to support appropriate and timely responses to job changes and job terminations so that internal controls and security are not impaired by such occurrences.
18 | Company | Manage IT Human Resources | The IT organization subscribes to a philosophy of continuous learning, providing necessary training and skill development to its members.
19 | Company | Manage IT Human Resources | The IT organization has adopted the entity's culture of integrity management, including ethics, business practices and human resources evaluations.
20 | Company | Manage Quality | IT management has defined information capture, processing, and reporting controls (including completeness, accuracy, validity, and authorization) to support the quality and integrity of information used by business users.
21 | Company | Manage Quality | Documentation is created and maintained for all significant IT processes, controls and activities.
22 | Company | Manage Quality | Documentation standards are in place, they have been communicated to all IT staff and they are supported with training.
23 | Company | Manage Quality | A quality plan exists for significant IT functions (e.g., system development and deployment) and it provides a consistent approach to address both general and project-specific quality assurance activities.
24 | Company | Assess and Manage IT Risks | IT management has defined information classification standards in accordance with corporate security and privacy policies.
25 | Company | Assess and Manage IT Risks | IT management has defined, implemented, and maintained security levels for each of the data classifications.
26 | Company | Assess and Manage IT Risks | The IT organization has an entity- and activity-level risk assessment framework that is used periodically to assess information risk to achieving business objectives. The framework considers the probability and significance of threats.
27 | Company | Assess and Manage IT Risks | The IT organization's risk assessment framework measures the impact of risks according to qualitative and quantitative criteria.
28 | Company | Assess and Manage IT Risks | A comprehensive security assessment is performed for critical systems.
29 | Company | Assess and Manage IT Risks | Data center facilities are equipped with adequate environmental controls to maintain systems and data, including fire suppression, uninterrupted power service (UPS), air conditioning, and elevated floors.
30 | Company | Manage Projects | The IT organization monitors its progress against the strategic plan and reacts accordingly to meet established objectives.

Acquire and Implement (Program Development and Program Change)

 # | Level    | COBIT Area | Points to Consider / Control Objectives
---|----------|------------|----------------------------------------
31 | Activity | Acquire and Maintain Application Software | The organization's system development life cycle (SDLC) includes the security, availability and processing integrity requirements of the organization.
32 | Activity | Acquire and Maintain Application Software | An adequate SDLC methodology has been established to serve as a basis for controlling development and maintenance activities, and the SDLC methodology is consistent with business and end-user strategies and objectives.
33 | Activity | Acquire and Maintain Application Software | The organization's SDLC policies and procedures consider the development and acquisition of new systems and major changes to existing systems.
34 | Activity | Acquire and Maintain Application Software | The SDLC methodology ensures that information systems are designed to include application controls that support complete, accurate, authorized, and valid transaction processing.
35 | Activity | Acquire and Maintain Application Software | The organization has an acquisition and planning process that aligns with the overall strategic direction.
36 | Activity | Acquire and Maintain Application Software | IT management ensures that users are appropriately involved in the design of applications, the selection of packaged software and the testing thereof, to ensure a reliable environment.
37 | Activity | Acquire and Maintain Application Software | Post-implementation reviews are performed to verify that controls are operating effectively.
38 | Activity | Acquire and Maintain Technology Infrastructure | Documented procedures exist and are followed to ensure that infrastructure systems, including network devices and software, are acquired based on the requirements of the applications they are intended to support.
39 | Activity | Enable Operation and Use | The organization's SDLC methodology and associated policies and procedures are regularly reviewed, updated and approved by management.
40 | Activity | Enable Operation and Use | The organization ensures that its systems and applications are developed in accordance with its supported, documented policies and procedures.
41 | Activity | Manage Changes | Adequate supervisory controls are used to ensure the completeness and accuracy of program documentation, and compliance with established change control standards.
42 | Activity | Manage Changes | The company uses source program management software.
43 | Activity | Manage Changes | Adequate verification steps exist to ensure that changes to programs are not made after user approval/acceptance and prior to programs being moved into production.
44 | Activity | Manage Changes | Adequate controls are in place to ensure that object code modules are not moved directly from the test environment into the production environment.
45 | Activity | Manage Changes | Staging libraries are used to facilitate the movement of source and object modules from the test and production environments.
46 | Activity | Manage Changes | Requests for program changes, system changes, and maintenance (including changes to system software) are standardized, documented, and subject to formal change management procedures.
47 | Activity | Manage Changes | Emergency change requests are documented and subject to formal change management procedures.
48 | Activity | Manage Changes | Controls are in place to restrict the migration of programs to production to authorized individuals only.
49 | Activity | Manage Changes | IT management ensures that the setup and implementation of system software does not jeopardize the security of the data and programs stored in the system.
50 | Activity | Install and Accredit Solutions and Changes | A testing strategy is developed and followed for all significant changes in applications and infrastructure technology, which addresses unit, system, integration, and user acceptance level testing to help ensure that deployed systems operate as intended.
51 | Activity | Install and Accredit Solutions and Changes | Load and stress testing is performed according to a test plan and established testing standards.
52 | Activity | Install and Accredit Solutions and Changes | Interfaces with other systems are tested to confirm that data transmissions are complete, accurate and valid.
53 | Activity | Install and Accredit Solutions and Changes | The conversion of data is tested between its origin and its destination to confirm that it is complete, accurate and valid.

Deliver and Support (Computer Operations and Access to Programs and Data)

 # | Level    | COBIT Area | Points to Consider / Control Objectives
---|----------|------------|----------------------------------------
54 | Activity | Define and Manage Service Levels | Service levels are defined and managed to support business user system requirements.
55 | Company  | Define and Manage Service Levels | MIS personnel are adequately trained to perform job duties.
56 | Company  | Define and Manage Service Levels | Adequate supervisory controls exist to ensure that production jobs are properly scheduled and executed.
57 | Activity | Define and Manage Service Levels | A framework is defined to establish key performance indicators to manage service level agreements, both internally and externally.
58 | Activity | Manage Third-party Services | Selection of vendors for outsourced services is performed in accordance with the organization's vendor management policy.
59 | Activity | Manage Third-party Services | IT management determines that, before selection, potential third parties are properly qualified through an assessment of their capability to deliver the required service and a review of their financial viability.
60 | Activity | Manage Third-party Services | Third-party service contracts address the risks, security controls and procedures for information systems and networks in the contract between the parties.
61 | Activity | Manage Third-party Services | Procedures exist and are followed to ensure that a formal contract is defined and agreed for all third-party services before work is initiated, including the definition of internal control requirements and acceptance of the organization's policies and procedures.
62 | Activity | Manage Third-party Services | A regular review of security, availability and processing integrity is performed for service level agreements and related contracts with third-party service providers.
63 | Company  | Manage Performance and Capacity | IT management monitors the performance and capacity levels of the systems and network.
64 | Company  | Manage Performance and Capacity | IT management has a process in place to respond to suboptimal performance and capacity measures in a timely manner.
65 | Company  | Manage Performance and Capacity | Performance and capacity planning is included in system design and implementation activities.
66 | Activity | Ensure Systems Security | An information security policy exists and has been approved by an appropriate level of executive management.
67 | Activity | Ensure Systems Security | An IT security plan exists that is aligned with the overall IT strategic plans and is kept up to date for changes in the IT environment.
68 | Activity | Ensure Systems Security | Procedures exist and are followed to authenticate all users to the system to support the validity of transactions.

The next control objective is cut off in the source document; the surviving text reads: "Procedures exist and are followed to ensure timely action related to requesting, establishing, issuing, suspending"
 69                     X              Ensure Systems Security           and closing user accounts.
                                                                         A control process exists and is followed to periodically
 70                     X              Ensure Systems Security           review and confirm access rights.
                                                                         Where network connectivity is used, appropriate controls,
                                                                         including firewalls, intrusion detection, and vulnerability
                                                                         assessments exist and are used to prevent unauthorized
 71                     X              Ensure Systems Security           access.
                                                                         IT security administration monitors and logs security
                                                                         activity. Identified security violations are reported to
 72                     X              Ensure Systems Security           senior management.
                                                                         Controls relating to appropriate segregation of duties
                                                                         over requesting and granting access to systems and data
 73                     X              Ensure Systems Security           exist and are followed.

                                                                         Access to facilities is restricted to authorized personnel
 74                     X              Ensure Systems Security           and requires appropriate identification and authentication.
                                                                         The entity has established procedures for identifying and
                                                                         documenting the training needs of all personnel using IT
 75     X                              Educate and Train Users           systems.
                                                                         IT management provides education and ongoing training
                                                                         programs that include ethical conduct, system security
                                                                         practices, confidentiality standards, integrity standards,
 76     X                              Educate and Train Users           and security responsibilities of all staff.
                                                                         Only authorized software is permitted for use by
 77                     X              Manage the Configuration          employees using company IT assets.




Source: www.knowledgeleader.com                                                                                                                                                                                                                                                                                                                             Page 4
      Company Level


                      Activity Level
                                                                                                                                                                                                                                                                                                                    Type of
                                                                                                                                                                                                                                                                                                                  Deficiency
                                                                                                                                                                                                         Controls                       Controls            Describe the basis for                             (Efficiency, Fin.
                                                                                                                                             Does this      Describe specific activities, programs or     properly                      operating         effectiveness conclusion                                Reporting,       Management Action Plan to
 #                                                COBIT Area                         Points to Consider/ Control Objectives                control exist?   controls in place that satisfy the objective designed?   Test Procedures   effectively?   (including evidence of operation)   Deficiencies Noted     Compliance)         Address Deficiencies
                                                                           System infrastructure, including firewalls, routers,
                                                                           switches, network operating systems, servers and other
                                                                           related devices is properly configured to prevent
 78                     X              Manage the Configuration            unauthorized access.
                                                                           Application software and data storage systems are
                                                                           properly configured to provision access based on the
                                                                           individual's demonstrated need to view, add, change or
 79                     X              Manage the Configuration            delete data.
                                                                           IT management has established procedures across the
                                                                           organization to protect information systems and
 80                     X              Manage the Configuration            technology from computer viruses.
                                                                           Periodic testing and assessment is performed to confirm
                                                                           that the software and network infrastructure is
 81                     X              Manage the Configuration            appropriately configured.
                                                                           IT management has defined and implemented a problem
                                                                           management system to ensure that operational events
                                                                           that are not part of standard operations (incidents,
                                                                           problems, and errors) are recorded, analyzed, and
 82                     X              Manage Problems                     resolved in a timely manner.
                                                                           The problem management system provides for adequate
                                                                           audit trail facilities, which allow tracing from the incident
 83                     X              Manage Problems                     to the underlying cause.
                                                                           A security incident response process exists to support
                                                                           timely response and investigation of unauthorized
 84                     X              Manage Service Desk and Incidents   activities.
                                                                           Policies and procedures exist for the handling,
 85                     X              Manage Data                         distribution, and retention of data and reporting output.
                                                                           Management protects sensitive information logically and
                                                                           physically, in storage and during transmission against
 86                     X              Manage Data                         unauthorized access or modification.

                                                                           Retention periods and storage terms are defined for
                                                                           documents, data, programs, reports and messages
                                                                           (incoming and outgoing), as well as the data (keys,
 87                     X              Manage Data                         certificates) used for their encryption and authentication.
                                                                           Management has implemented a strategy for cyclical
 88                     X              Manage Data                         backup of data and programs.
                                                                           Procedures exist and are followed to periodically test the
                                                                           effectiveness of the restoration process and the quality of
 89                     X              Manage Data                         backup media.
                                                                           Changes to data structures are authorized, made in
                                                                           accordance with design specifications and implemented
 90                     X              Manage Data                         in a timely manner.
                                                                           Management has established and documented standard
                                                                           procedures for IT operations, including scheduling,
                                                                           managing, monitoring, and responding to security,
 91                     X              Manage Operations                   availability and processing integrity events.
                                                                           System event data are sufficiently retained to provide
                                                                           chronological information and logs to enable the review,
                                                                           examination and reconstruction of system and data
 92                     X              Manage Operations                   processing.
                                                                           System event data are designed to provide reasonable
                                                                           assurance as to the completeness and timeliness of
 93                     X              Manage Operations                   system and data processing.
                                                                           End-user computing policies and procedures concerning
                                                                           security, availability, and processing integrity exist and
 94                     X              Manage Operations                   are followed.
                                                                           End-user computing, including spreadsheets and other
                                                                           user-developed programs, are documented and regularly
                                                                           reviewed for processing integrity, including their ability to
 95                     X              Manage Operations                   sort, summarize, and report accurately.
                                                                           User-developed systems and data are regularly backed
 96                     X              Manage Operations                   up and stored in a secure area.




Source: www.knowledgeleader.com                                                                                                                                                                                                                                                                                                                                Page 5
      Company Level


                      Activity Level
                                                                                                                                                                                                                                                                                                                     Type of
                                                                                                                                                                                                                                                                                                                   Deficiency
                                                                                                                                                                                                          Controls                       Controls            Describe the basis for                             (Efficiency, Fin.
                                                                                                                                              Does this      Describe specific activities, programs or     properly                      operating         effectiveness conclusion                                Reporting,       Management Action Plan to
 #                                                 COBIT Area                         Points to Consider/ Control Objectives                control exist?   controls in place that satisfy the objective designed?   Test Procedures   effectively?   (including evidence of operation)   Deficiencies Noted     Compliance)         Address Deficiencies
                                                                             User-developed systems, such as spreadsheets and
                                                                             other end-user programs, are secured from unauthorized
 97                     X              Manage Operations                     use.
                                                                             Access to user-developed systems is restricted to a
 98                     X              Manage operations                     limited number of users.
                                                                             Inputs, processing and outputs from user-developed
                                                                             systems are independently verified for completeness and
 99                     X              Manage operations                     accuracy.
                                                                                          Monitor and Evaluate (IT Environment)
                                                                             Performance indicators from both internal and external
                                                                             sources have been defined, and data is being collected
                                                                             and reported regarding achievement of these
100     X                              Monitor and Evaluate IT Performance benchmarks.
                                                                             IT management has established appropriate metrics to
                                                                             effectively manage the day-to-day activities of the IT
101     X                              Monitor and Evaluate IT Performance department.
                                                                             IT management monitors the effectiveness of internal
                                                                             controls in the normal course of operations through
                                                                             management and supervisory activities, comparisons
102     X                              Monitor and Evaluate Internal Control and benchmarks.

                                                                               Serious deviations in the operation of internal controls,
                                                                               including major security, availability, and processing
103     X                              Monitor and Evaluate Internal Control   integrity events are reported to senior management.
                                       Ensure Compliance With External         IT management obtains independent reviews prior to
104     X                              Requirements                            implementing significant IT systems.
                                       Ensure Compliance With External         IT management obtains independent internal control
105     X                              Requirements                            reviews of third-party service providers.
                                                                               The organization has an IT internal audit function that is
106     X                              Provide IT Governance                   responsible for reviewing IT activities and controls.
                                                                               The audit plan covers a full range of IT audits (e.g.,
                                                                               general and application controls, systems development
107     X                              Provide IT Governance                   life cycle).
                                                                               Procedures are in place to follow-up on IT control issues
108     X                              Provide IT Governance                   in a timely manner.




Source: www.knowledgeleader.com                                                                                                                                                                                                                                                                                                                                 Page 6