Training Module Templates
Information Systems Control Table
| Key Systems Controls | Definition | Example |
| --- | --- | --- |
| General Controls | Controls over data center operations, system software acquisition and maintenance, access security, and application system development. These controls apply to all systems – mainframe, server, and end-user computing environments and all need to be evaluated. | A travel system has an application control that requires a manager’s approval prior to completing the travel request. If the system’s access security controls are ineffective, a user may be able to masquerade as their own manager in order to defraud the organization. |
| Data Center Operations | Includes job set-up and scheduling, operator actions, backup and recovery procedures, and contingency or disaster recovery planning. Data center operations controls may also address capacity planning and resource allocation and use. | Complete hardware malfunction results in hard drive failure and loss. The control would be: Data backup occurs nightly and procedures for temporary transfer of data storage responsibilities to secondary server in place. |
| System Software Controls | System software controls include controls over effective acquisition, implementation and maintenance of system software – the operating system, data base management systems, telecommunications software, security software and utilities – which run the system and allow applications to function. | Anti-virus software on employee’s computer might not contain up-to-date virus definition file and allow malicious code into the network. The control could be: Virus update execution occurs as part of the computer start up script and records latest update in a database, against which weekly reports are run. |
| Access Security Controls | Access security controls are next. Access security controls restrict authorized users to only the applications or application functions that they need to do their jobs, supporting an appropriate division of duties. | A user may masquerade as another user to gain applications or permissions that would otherwise be denied to him or her. The control could be: Computer access and applications with client-server architecture utilize Public Key Infrastructure and thin-client applications comply with information assurance access security policies. |
| Application System Development and Maintenance | Application system development and maintenance controls include all software development methodology policies, including change control procedures and COTS integration. | An unauthorized change is made to the information system that adversely affects existing controls. The control could be: All system changes require approval from the system program manager and must have impact analyses completed. |
| Application Controls | Application controls are designed to control application processing. These are automated transaction or process controls. | Disbursing system allows disbursement prior to commitment. Control: System requires three way match before payment is made. |
Training Module: Information Systems Control Table v1.0