IT6 Version 4 Final

					IT6 - MANAGE OPERATIONS
Audit Begin Date Not Specified

Text: BU and location Infrastructure responsibilities continue to change as we move towards
Regional Data Center Consolidation with most, but not all, local infrastructure compliance concerns
becoming the responsibility of a Regional Data Center. Locations that have migrated to a Regional
Data Center and no longer have local servers to support, other than a “Centrally-Managed
Infrastructure Server” (ex. Site Appliance) for file and print services, are no longer accountable for a
number of select objectives / expectations in this ASAT. Please answer the question below regarding
your server hardware, and the ASAT will be adjusted to reflect the appropriate objectives.

Enabling Criteria Name: Servers Located At This Location:

Enabling Criteria Properties:

a) Centrally-Managed Infrastructure Server Only
b) Centrally-Managed Infrastructure Server Only but Hosting Application (s)
c) Centrally-Managed Infrastructure Server Plus Other Server (s)
d) Non-Centrally-Managed Server (s)

Text: Important Guidance for ASAT Testing That Uses Sampling

Text: Many tests in the IT ASAT use sampling. Please refer to guidance using the link below for
important information on how to properly complete these tests. For clarifications regarding sampling
and/or sample size selection, please email the self assessment mailbox (self.assessment@alcoa.com).

Hyperlink Title: IT ASAT 4.0 Sampling Guidance

Hyperlink:
\\noa.alcoa.com\dfs\PGH\InfoShare\Auditglobe\webdocuments\WebPortalDocs\Version 4\IT Finalized\IT Sampling Guidance\IT ASAT 4.0 Sampling Guidance.doc




                                 IT6 MANAGE OPERATIONS

                         SUMMARY OF OBJECTIVES AND RATINGS

    OBJECTIVE RATING scale: P=Poor, F=Fair, G=Good, E=Excellent, NR=Not Reviewed, NA=Not Applicable
    (mark one of P / F / G / E / NR / NA for each objective)

    IT6.1  Processing Schedules
           Make NA if Centrally-Managed Infrastructure Server Criteria Answer = a) Centrally-Managed
           Infrastructure Server Only.
           Processing schedules are defined, documented, and monitored.

    IT6.2  Changes to Process Schedules
           Make NA if Centrally-Managed Infrastructure Server Criteria Answer = a) Centrally-Managed
           Infrastructure Server Only.
           Procedures have been established to control changes to predetermined processing schedules.

    IT6.3  IT Customer Support
           Reporting and assistance processes have been established to record, track, and resolve, in a
           timely manner, problems, questions, and support needs of the customer base.

    IT6.4  Hardware Availability
           Make NA if Centrally-Managed Infrastructure Server Criteria Answer = a) Centrally-Managed
           Infrastructure Server Only or b) Centrally-Managed Infrastructure Server Only but Hosting
           Application(s).
           Hardware component availability and related maintenance enables reliable and consistent
           processing.

    IT6.5  Operational Recovery Procedures
           Procedures exist to restore systems, applications, and data from operational failures.

    IT6.6  New System and Recovery Installation
           Make NA if Centrally-Managed Infrastructure Server Criteria Answer = a) Centrally-Managed
           Infrastructure Server Only.
           Procedures directing the installation of new system software, or upgrades to existing system
           software, ensure the continued reliability and safety of operational systems.

    IT6.7  Supplier Software Support
           Make NA if Centrally-Managed Infrastructure Server Criteria Answer = a) Centrally-Managed
           Infrastructure Server Only.
           Installed release levels of software are supported by the supplier. For critical software,
           support should not be allowed to lapse without documented evidence of a thorough analysis of
           alternatives, and a plan for continuing operations and support.

    IT6.8  System, Program and Data File Backups
           System, program and data file back-ups necessary for recovery and retention purposes are made
           according to pre-defined schedules and securely stored and protected.

    IT6.9  Authorized Software Installation
           A process ensures that only legally purchased, authorized, business related software is
           installed.




                                      PROCESSING SCHEDULES

NAME:                                   TITLE:                                   TEST DATE:

                        Rating:      Poor        Fair       Good         Excellent      Not Reviewed    N/A

OBJECTIVE:                IT6.1     Make NA if Centrally-Managed Infrastructure Server Criteria Answer
                                    = a) Centrally-Managed Infrastructure Server Only.
                                    Processing schedules are defined, documented, and monitored.

Minimum Expectations
Mark Yes if in place today, No, Not Reviewed or Not Applicable

            MINIMUM EXPECTATION 1
             Batch processing schedules are maintained manually or by using automated job scheduling
             software.

             MINIMUM EXPECTATION 2
             All batch processing is monitored to ensure that all critical jobs were completed
             successfully.

            MINIMUM EXPECTATION 3
             Job documentation should be produced for each job which includes information regarding:
             a. job dependencies
             b. run frequency and time of day considerations
             c. rerun and restart procedures

 Exceptional/Best Practices
 An Exceptional/Best Practice must exist to receive an excellent rating. Refer to the Audit Web Page “Best
 Practice Log” to view or propose Practices that qualify as very good or exceptional in nature:
 http://my.alcoa.com/portal/communities/community.asp?UserID=300922&intCommunityIndex=3&intCurrentPageIndex=4&intComCurrentFolder=&CommunityID=354&CommPageID=976

 Minimum Expectation Testing Suggestions
 Mark Yes if test performed. If Not Reviewed, Not Applicable, or if performing a different test, then
 explain in gray box.

            TESTING SUGGESTION: Minimum Expectation #1
      Verify the existence of processing schedules for all batch jobs.

             TESTING SUGGESTION: Minimum Expectation #2
      Understand how batch processing is monitored. Monitoring should ensure that:
      a. All jobs run to completion.
      b. All subsequent events/jobs have successfully completed before the next job is
      initiated.
      c. Jobs not completed successfully are restarted or rerun, with key personnel contacted as
      necessary per the restart/rerun instructions.


      TESTING SUGGESTION: Minimum Expectation #3
      Select a sample of jobs and ensure that documentation exists including a description of:
      a. job dependencies
      b. run frequency and time of day considerations
      c. restart/rerun procedures
      d. key contacts for problem escalation and resolution

      Note: You should consult and utilize the sampling guidance at the top of the ASAT when
      selecting samples for this test.
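The monitoring conditions in Testing Suggestion #2 and the documentation items in Testing Suggestion #3, worked as an added Python check that is not part of the ASAT: it parses a constructed batch run log and a constructed job documentation table (both assumed formats, with made-up job names) and reports every condition that is not met.

```python
"""Added example for the IT6.1 testing suggestions; not part of the ASAT.
Log format, job names and documentation layout are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample run log (assumed format): "<ISO timestamp> <job> START|END:<status>".
# Lines are deliberately not in time order; the parser sorts them.
SAMPLE_RUN_LOG = """\
2024-03-01T22:00:00 EXTRACT_GL START
2024-03-01T22:20:00 EXTRACT_GL END:SUCCESS
2024-03-01T22:30:00 LOAD_WAREHOUSE START
2024-03-01T23:10:00 LOAD_WAREHOUSE END:FAILED
2024-03-01T23:15:00 LOAD_WAREHOUSE START
2024-03-01T23:55:00 LOAD_WAREHOUSE END:SUCCESS
2024-03-01T23:40:00 NIGHTLY_REPORTS START
2024-03-02T00:05:00 NIGHTLY_REPORTS END:SUCCESS
2024-03-02T00:30:00 ARCHIVE_LOGS START
2024-03-02T01:00:00 PURGE_TEMP START
2024-03-02T01:05:00 PURGE_TEMP END:FAILED
"""

# Constructed job documentation (assumed layout) with the four items Testing
# Suggestion #3 asks for: dependencies, run frequency/time of day, restart/rerun
# procedure, and key contacts for escalation.
SAMPLE_JOB_DOCS = {
    "EXTRACT_GL":      {"dependencies": [], "schedule": "daily 22:00",
                        "restart": "rerun from step 1", "contacts": ["ops-oncall"]},
    "LOAD_WAREHOUSE":  {"dependencies": ["EXTRACT_GL"], "schedule": "daily after EXTRACT_GL",
                        "restart": "truncate staging tables, rerun", "contacts": ["dw-team"]},
    "NIGHTLY_REPORTS": {"dependencies": ["LOAD_WAREHOUSE"], "schedule": "daily 23:30",
                        "restart": "", "contacts": ["reporting-team"]},   # restart missing
    "ARCHIVE_LOGS":    {"dependencies": [], "schedule": "daily 00:30",
                        "restart": "rerun", "contacts": []},               # contacts missing
    "PURGE_TEMP":      {"dependencies": [], "schedule": "daily 01:00",
                        "restart": "rerun", "contacts": ["ops-oncall"]},
}

REQUIRED_DOC_ITEMS = ("dependencies", "schedule", "restart", "contacts")
Finding = Tuple[str, str]  # (finding code, job name)


@dataclass
class Run:
    job: str
    start: datetime
    end: Optional[datetime] = None    # None while the run is still open
    status: Optional[str] = None      # "SUCCESS" / "FAILED" once the run has ended


def parse_run_log(text: str) -> Dict[str, List[Run]]:
    """Pair START and END events per job into Run records, in time order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, job, event = line.split()
            events.append((datetime.fromisoformat(ts), job, event))
    events.sort(key=lambda e: e[0])
    runs: Dict[str, List[Run]] = {}
    for ts, job, event in events:
        job_runs = runs.setdefault(job, [])
        if event == "START":
            job_runs.append(Run(job, ts))
        elif event.startswith("END:") and job_runs and job_runs[-1].end is None:
            job_runs[-1].end = ts
            job_runs[-1].status = event.split(":", 1)[1]
        else:
            raise ValueError(f"unexpected event {event!r} for job {job}")
    return runs


def monitoring_findings(runs: Dict[str, List[Run]], docs: dict) -> List[Finding]:
    """Apply the three conditions of Testing Suggestion #2 to the parsed runs."""
    findings: List[Finding] = []
    for job, job_runs in runs.items():
        # a. All jobs run to completion: a run with no END event is incomplete.
        if any(r.end is None for r in job_runs):
            findings.append(("INCOMPLETE", job))
        # c. A job whose latest run failed was never restarted or rerun.
        if job_runs[-1].status == "FAILED":
            findings.append(("FAILED_NOT_RERUN", job))
        # b. Every dependency needs a successful run that ended before this job started.
        for dep in docs.get(job, {}).get("dependencies", []):
            dep_runs = runs.get(dep, [])
            for r in job_runs:
                if not any(d.status == "SUCCESS" and d.end <= r.start for d in dep_runs):
                    findings.append(("DEPENDENCY_NOT_MET", job))
                    break
    return findings


def documentation_findings(docs: dict) -> List[Finding]:
    """Apply Testing Suggestion #3: each job's documentation carries all four items."""
    findings: List[Finding] = []
    for job, doc in docs.items():
        for item in REQUIRED_DOC_ITEMS:
            # An empty dependency list is a valid statement ("no dependencies");
            # the other three items must be present and non-empty.
            if item not in doc or (item != "dependencies" and not doc[item]):
                findings.append((f"MISSING_{item.upper()}", job))
    return findings


if __name__ == "__main__":
    parsed = parse_run_log(SAMPLE_RUN_LOG)
    for code, job in monitoring_findings(parsed, SAMPLE_JOB_DOCS) + documentation_findings(SAMPLE_JOB_DOCS):
        print(f"{code:20s} {job}")
```

On the constructed data the check reports NIGHTLY_REPORTS starting before its dependency finished, ARCHIVE_LOGS never completing, PURGE_TEMP failing without a rerun, and two jobs with incomplete documentation.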




                               CHANGES TO PROCESS SCHEDULES

NAME:                                   TITLE:                                  TEST DATE:

                        Rating:      Poor        Fair       Good       Excellent       Not Reviewed         N/A

OBJECTIVE:                IT6.2     Make NA if Centrally-Managed Infrastructure Server Criteria Answer
                                    = a) Centrally-Managed Infrastructure Server Only.
                                    Procedures have been established to control changes to predetermined
                                    processing schedules.

Minimum Expectations
Mark Yes if in place today, No, Not Reviewed or Not Applicable

               MINIMUM EXPECTATION 1
              Procedures are in place to control requests for changes to the processing schedule. Only
              authorized changes are made. Authorization should come from the process owner or IT
              management/Team Leader.

              MINIMUM EXPECTATION 2
              A list of individuals who may authorize a change or update the processing schedule is
              maintained.

               MINIMUM EXPECTATION 3
              All changes to the normal processing schedule are logged. (Refer also to Testing Suggestion
              of Minimum Expectation 1)

               MINIMUM EXPECTATION 4
              Procedures are in place to ensure schedule changes are communicated and coordinated among
              support organizations and to the users. (Refer also to Testing Suggestion of Minimum
              Expectation 1)

              MINIMUM EXPECTATION 5
              Access controls to production scheduling software support documented procedures.

 Exceptional/Best Practices
 An Exceptional/Best Practice must exist to receive an excellent rating. Refer to the Audit Web Page “Best
 Practice Log” to view or propose Practices that qualify as very good or exceptional in nature:
 http://my.alcoa.com/portal/communities/community.asp?UserID=300922&intCommunityIndex=3&intCurrentPageIndex=4&intComCurrentFolder=&CommunityID=354&CommPageID=976

 Minimum Expectation Testing Suggestions
 Mark Yes if test performed. If Not Reviewed, Not Applicable, or if performing a different test, then
 explain in gray box.




     TESTING SUGGESTION: Minimum Expectations #1 and #4
     Review the procedures for authorizing and changing predetermined processing
     schedules.
     a. Verify that process owner or IT Management approval is required.
     b. If alternate procedures are in place to bypass normal controls in emergency situations,
     verify an after the fact review by process owner or IT Management is required.

     TESTING SUGGESTION: Minimum Expectations #1 and #3
     Review the current log of processing changes. Examine a sample of changes and verify that
     the procedure to handle process change requests was followed, and that documentation
     showed:

             a) the reason for the change
             b) the requester of the change
             c) the authorizer of the change.

     Note: You should consult and utilize the sampling guidance at the top of the ASAT when
     selecting samples for this test.

     TESTING SUGGESTION: Minimum Expectation #2
     Examine the list of individuals who can authorize a change in processing. By understanding
     their roles and positions, verify their areas of accountability correspond with the processing
     change they can authorize.

     TESTING SUGGESTION: Minimum Expectation #5
     Obtain a security listing that identifies who can modify processing schedules. Verify that
     logical access controls support documented procedures.




                                        IT CUSTOMER SUPPORT

NAME:                                    TITLE:                                    TEST DATE:

                        Rating:       Poor        Fair       Good        Excellent        Not Reviewed      N/A

OBJECTIVE:                  IT6.3    Reporting and assistance processes have been established to record,
                                     track, and resolve, in a timely manner, problems, questions, and support
                                     needs of the customer base.

Minimum Expectations
Mark Yes if in place today, No, Not Reviewed or Not Applicable

            MINIMUM EXPECTATION 1
             Users are provided with a listing of key contacts, or a central contact, to assist them with
             computer related problems, questions and support needs.

            MINIMUM EXPECTATION 2
             Problems are logged and tracked to ensure resolution.

            MINIMUM EXPECTATION 3
             Resolution for each problem is assigned to an individual with previous knowledge in the area
             of the problem.

            MINIMUM EXPECTATION 4
             Affected users are notified of problems.

            MINIMUM EXPECTATION 5
             Responsible individuals are held accountable for the timely resolution of problems. (Refer
             also to Testing Suggestion of Minimum Expectation 3)

            MINIMUM EXPECTATION 6
             Problem resolutions are documented for future reference. (Refer also to Testing Suggestion
             of Minimum Expectation 3)

            MINIMUM EXPECTATION 7
             An escalation process is defined for problems not resolved within pre-determined periods of
             time. (Refer also to Testing Suggestion of Minimum Expectation 3)

             MINIMUM EXPECTATION 8
             Performance measurements for customer problem reporting and support processes are
             monitored to ensure timely response and resolution.




Exceptional/Best Practices
An Exceptional/Best Practice must exist to receive an excellent rating. Refer to the Audit Web Page “Best
Practice Log” to view or propose Practices that qualify as very good or exceptional in nature:
http://my.alcoa.com/portal/communities/community.asp?UserID=300922&intCommunityIndex=3&intCurrentPageIndex=4&intComCurrentFolder=&CommunityID=354&CommPageID=976

Minimum Expectation Testing Suggestions
Mark Yes if test performed. If Not Reviewed, Not Applicable, or if performing a different test, then
explain in gray box.


             TESTING SUGGESTION: Minimum Expectation #1
             Examine the listing of key contacts for various problem types. Verify that a contact exists for
             all hardware, application, and operational problems.

             TESTING SUGGESTION: Minimum Expectation #2
             Verify the existence of a problem log. The log should contain, at a minimum:

                     a)   the individual reporting the problem
                     b)   date reported
                     c)   a description of the problem
                     d)   problem priority
                     e)   date corrected
                     f)   corrective action and
                     g)   if appropriate, the person responsible for resolving the problem.

             TESTING SUGGESTION: Minimum Expectations #3, #5, #6, and #7
             Randomly select a sample from the problem log of at least 20 problems covering the period of
             the past three months, including five escalated problems if any exist. Review the complete
             documentation of the problem. Ensure each problem:
             a. Was assigned an accountable individual, or resolved by the person receiving the initial
             request for support.
             b. Had a documented resolution.
             c. For the escalated problems, verify that the escalation process occurred in the timeframe
             required.

             TESTING SUGGESTION: Minimum Expectation #4
             Contact the requester indicated for each of the selected problems, and verify their satisfaction
             with the action and timeliness of the resolution.

             TESTING SUGGESTION: Minimum Expectation #8
             Examine the statistical reports showing that defined performance measurements are being
             tracked and met.
             a. For any measurement that was shown as being missed, understand what actions have been
             taken to improve the service level.




                                     HARDWARE AVAILABILITY

NAME:                                   TITLE:                                  TEST DATE:

                        Rating:      Poor        Fair       Good        Excellent      Not Reviewed        N/A

OBJECTIVE:                 IT6.4    Make NA if Centrally-Managed Infrastructure Server Criteria Answer
                                    = a) Centrally-Managed Infrastructure Server Only or b) Centrally-
                                    Managed Infrastructure Server Only but Hosting Application(s).
                                    Hardware component availability and related maintenance enables
                                    reliable and consistent processing.

Minimum Expectations
Mark Yes if in place today, No, Not Reviewed or Not Applicable


            MINIMUM EXPECTATION 1
             Expectations have been established for the availability of all systems and underlying
             services.

            MINIMUM EXPECTATION 2
             Responsibility for system monitoring and capacity planning is clearly defined and assigned.

            MINIMUM EXPECTATION 3
             Regular maintenance and changes to hardware are conducted during off-peak processing.

            MINIMUM EXPECTATION 4
             All hardware problems are logged and signed-off by IT management/Team Leader when
             resolved.

            MINIMUM EXPECTATION 5
             All processor and network infrastructure components are supported by the vendor. Continued
             use of obsolete equipment requires the documented approval of IT and Process Owner
             management.

            MINIMUM EXPECTATION 6
             Network, processor, and database performance monitoring procedures are established to
             identify capacity and performance trends.

            MINIMUM EXPECTATION 7
             Actual systems availability consistently meets the established expectations.




Exceptional/Best Practices
An Exceptional/Best Practice must exist to receive an excellent rating. Refer to the Audit Web Page “Best
Practice Log” to view or propose Practices that qualify as very good or exceptional in nature:
http://my.alcoa.com/portal/communities/community.asp?UserID=300922&intCommunityIndex=3&intCurrentPageIndex=4&intComCurrentFolder=&CommunityID=354&CommPageID=976

Minimum Expectation Testing Suggestions
Mark Yes if test performed. If Not Reviewed, Not Applicable, or if performing a different test, then
explain in gray box.

             TESTING SUGGESTION: Minimum Expectation #1
             Obtain a listing of the system availability expectations for all systems and underlying
             services. Sample at least 25% of the business process owners to make sure they are aware of
             and agree with the availability expectations for their supporting processors and systems.

             TESTING SUGGESTION: Minimum Expectation #2
             Examine documented procedures on performance monitoring and capacity planning, and
             ensure that responsibility has been assigned. Review documentation of the actions of the
             responsible individual(s), and verify that performance, availability, and capacity planning are
             being actively managed.

             TESTING SUGGESTION: Minimum Expectation #3
             Through discussions with IT personnel, identify last planned outage for a hardware upgrade.
             Interview 3 process owners or dependent IT organizations to discuss the impact of the
             upgrade and appropriateness of the timing of the change and notification.

             TESTING SUGGESTION: Minimum Expectation #4
              Review the hardware problem log and ensure that a resolution was documented, and that the
             resolution was a long-term solution rather than a short-term fix. Any short-term fix should
             have an actionable plan to replace with a long-term solution.

             TESTING SUGGESTION: Minimum Expectation #5
             By reviewing current purchase orders and contracts, verify that all operational hardware is
             supported by the vendor. If any are not, ask to see evidence that location management
             approved allowing the component to become unsupported.

             TESTING SUGGESTION: Minimum Expectation #5
             Document the vendor and model numbers of critical hardware components supporting
             business systems, infrastructure and telecommunications. Through discussion with IT
             management, discuss support arrangements. If contracts exist with outside firms, verify
             hardware is listed in the agreement. Identify obsolete hardware and assess business case.

             TESTING SUGGESTION: Minimum Expectation #6
             Review network monitoring and capacity performance reports. Discuss with computer
             operations personnel monitoring procedures. If automated monitoring tools are used to notify
             operations, review setup and thresholds set for attributes being monitored.

             TESTING SUGGESTION: Minimum Expectation #7
             Review actual availability data over the past six months and verify that expectations have
             been met.




                           OPERATIONAL RECOVERY PROCEDURES

NAME:                                   TITLE:                                   TEST DATE:

                        Rating:      Poor        Fair       Good        Excellent       Not Reviewed           N/A

OBJECTIVE:                IT6.5     Procedures exist to restore systems, applications, and data from
                                    operational failures.

Minimum Expectations
Mark Yes if in place today, No, Not Reviewed or Not Applicable

            MINIMUM EXPECTATION 1
             Recovery procedures are documented for restoration of hardware, system software,
             application software, and/or data from operational failures.

            MINIMUM EXPECTATION 2 – Make NA if Centrally-Managed Infrastructure Server
             Criteria Answer = a) Centrally-Managed Infrastructure Server Only
             Maintenance agreements with guaranteed response times or spare equipment are maintained
             for critical hardware components.

            MINIMUM EXPECTATION 3 – Make NA if Centrally-Managed Infrastructure Server
             Criteria Answer = a) Centrally-Managed Infrastructure Server Only
             A process has been documented for notifying users of the outage and expected recovery
             time.

 Exceptional/Best Practices
 An Exceptional/Best Practice must exist to receive an excellent rating. Refer to the Audit Web Page “Best
 Practice Log” to view or propose Practices that qualify as very good or exceptional in nature:
 http://my.alcoa.com/portal/communities/community.asp?UserID=300922&intCommunityIndex=3&intCurrentPageIndex=4&intComCurrentFolder=&CommunityID=354&CommPageID=976

 Minimum Expectation Testing Suggestions
 Mark Yes if test performed. If Not Reviewed, Not Applicable, or if performing a different test, then
 explain in gray box.

              TESTING SUGGESTION: Minimum Expectation #1
              Review the restore processes. Do they ensure that the operating system and applications can
              be restored to their most recent version?

              TESTING SUGGESTION: Minimum Expectation #1
              Review the recovery procedures. Do they take into consideration the sequencing of the back-
              up tapes to ensure currency of operating system, applications and data?

              TESTING SUGGESTION: Minimum Expectation #2
              Obtain a listing of hardware. Review the list and select 3 critical components, and understand
              how the component will be repaired or replaced. For repairs, understand who will be doing
              the work, and how long the repair is expected to take. If maintenance agreements with
              outside providers exist, verify that response time and hours of coverage meet the business
              requirements. For replacement, understand who will provide the replacement part, and how
              long that is expected to take. Specific answers should be available and documented.

              TESTING SUGGESTION: Minimum Expectation #3
              Review the communication procedure used to notify users of an outage. The communication
              process should correspond with the problem escalation process.




                       NEW SYSTEMS AND SOFTWARE INSTALLATION

NAME:                                   TITLE:                                  TEST DATE:

                        Rating:      Poor        Fair       Good        Excellent      Not Reviewed        N/A

OBJECTIVE:                 IT6.6    Make NA if Centrally-Managed Infrastructure Server Criteria Answer
                                    = a) Centrally-Managed Infrastructure Server Only.
                                    Procedures directing the installation of new system software, or
                                    upgrades to existing system software, ensure the continued reliability
                                    and safety of operational systems.

Minimum Expectations
Mark Yes if in place today, No, Not Reviewed or Not Applicable

            MINIMUM EXPECTATION 1
               Change management procedures exist for system software and are followed:
               a. An impact analysis of the upgrade is performed.
               b. The change is appropriately authorized.
               c. Changes are made first in a test environment.
               d. The ability to implement the upgrades/changes in the production environment is limited
               to appropriate IT personnel (i.e., systems software support).

            MINIMUM EXPECTATION 2
               Users are notified of the change prior to implementing the change into production. (Refer
               also to Testing Suggestion of Minimum Expectation 1)


            MINIMUM EXPECTATION 3
               Upgrades or new system software are installed during off-peak hours.

            MINIMUM EXPECTATION 4
               A full system back-up is created prior to making any changes in the production
               environment. (Refer also to Testing Suggestion of Minimum Expectation 3)


            MINIMUM EXPECTATION 5
               Release levels of different installed software are compatible. (Refer also to Testing
               Suggestion of Minimum Expectation 3)

            MINIMUM EXPECTATION 6
               Comments are maintained within the software or documented in change management
               process. (Refer also to Testing Suggestion of Minimum Expectation 1)




Exceptional/Best Practices
An Exceptional/Best Practice must exist to receive an excellent rating. Refer to the Audit Web Page “Best
Practice Log” to view or propose Practices that qualify as very good or exceptional in nature:
http://my.alcoa.com/portal/communities/community.asp?UserID=300922&intCommunityIndex=3&intCurrentPageIndex=4&intComCurrentFolder=&CommunityID=354&CommPageID=976

Minimum Expectation Testing Suggestions
Mark Yes if test performed. If Not Reviewed, Not Applicable, or if performing a different test, then
explain in gray box.

             TESTING SUGGESTION: Minimum Expectations #1, #2, and #6
             Examine documented procedures for upgrading or making changes to system
             software. Verify that the procedures contain the same controls as defined for handling
             changes to application software.


             TESTING SUGGESTION: Minimum Expectations #2, #3, #4, and #5
             Select a sample of changes to system software that have occurred in the past year.
             a. Note date/time of upgrade to ensure it was conducted during an off-peak time.
             b. Ensure that the change was first made in a test environment.
             c. Ensure that testing approach and plans were developed and appear adequate.
             d. Ensure that the upgrade plans included creating a full-system back-up prior
             to implementing changes into production.
             e. Ensure that users were properly notified of the impact on availability.

             Note: You should consult and utilize the sampling guidance at the top of the ASAT when
             selecting samples for this test.




                                   SUPPLIER SOFTWARE SUPPORT

NAME:                                    TITLE:                                   TEST DATE:

                        Rating:       Poor        Fair       Good        Excellent       Not Reviewed            N/A

OBJECTIVE:                 IT6.7     Make NA if Centrally-Managed Infrastructure Server Criteria Answer
                                     = a) Centrally-Managed Infrastructure Server Only.
                                     Installed release levels of software are supported by the supplier. For
                                     critical software, support should not be allowed to lapse without
                                     documented evidence of a thorough analysis of alternatives, and a plan
                                     for continuing operations and support.

Minimum Expectations
Mark Yes if in place today, No, Not Reviewed or Not Applicable

            MINIMUM EXPECTATION 1
               Current versions of installed software are supported by the vendor.

            MINIMUM EXPECTATION 2
               Software is registered with the vendor. (Refer also to Testing Suggestion of Minimum
               Expectation 1)

            MINIMUM EXPECTATION 3
               An analysis has been performed on any version of software that is not currently supported
               by the vendor and alternative methods of supporting the software are identified. A
               documented analysis showing a cost/benefit analysis is prepared, and approved by IT and
               business management.


 Exceptional/Best Practices
 An Exceptional/Best Practice must exist to receive an excellent rating. Refer to the Audit Web Page “Best
 Practice Log” to view or propose Practices that qualify as very good or exceptional in nature:
 http://my.alcoa.com/portal/communities/community.asp?UserID=300922&intCommunityIndex=3&intCurrentPageIndex=4&intComCurrentFolder=&CommunityID=354&CommPageID=976

 Minimum Expectation Testing Suggestions
 Mark Yes if test performed. If Not Reviewed, Not Applicable, or if performing a different test, then
 explain in gray box.


              TESTING SUGGESTION: Minimum Expectations #1 and #2
              Obtain a list of all installed system software. Select at least 20% of system software products,
              and include the three most critical software components, such as operating systems or
              database management systems. Obtain the purchase orders, contracts, and maintenance
              agreements for the software selected for testing.
              a. Examine evidence of registration of the software.
     b. Examine the version numbers of the selected software and ensure that the release is
     supported by the vendor. Calls to the vendor may be necessary.


     TESTING SUGGESTION: Minimum Expectation #3
     Obtain a list of any software that is known to be unsupported.
     a. Examine analyses of support alternatives and verify that adequate support is available
     through alternative means.
     b. Review evidence that IT and business management understood and approved the decision
     to allow the software to move to an unsupported service level.


                        SYSTEM, PROGRAM AND DATA FILE BACKUPS

NAME:                                    TITLE:                                   TEST DATE:

                        Rating:       Poor        Fair       Good        Excellent        Not Reviewed          N/A

OBJECTIVE:                 IT6.8     System, program and data file back-ups necessary for recovery and
                                     retention purposes are made according to pre-defined schedules and
                                     securely stored and protected. (Return to Summary)

Minimum Expectations
Mark Yes if in place today, No, Not Reviewed or Not Applicable

            MINIMUM EXPECTATION 1
             A full back-up of all production data is taken daily, or a full back-up is taken weekly and
             incremental back-ups are taken daily. If an alternate backup approach is taken, a documented
             business case exists that has been approved by the affected business process owners and IT
             management.

            MINIMUM EXPECTATION 2
             Procedures exist to notify the process owner and/or users when nightly backups do not
             complete successfully.

            MINIMUM EXPECTATION 3
             Application software source code and executables are backed up at least weekly, and
             immediately after every change. If an alternate backup approach is taken, a documented
             business case exists that has been approved by the affected business process owners and IT
             management. (Refer also to Testing Suggestion of Minimum Expectation 1)

            MINIMUM EXPECTATION 4
             System software is backed-up at least weekly, and immediately after every change. If an
             alternate backup approach is taken, a documented business case exists that has been approved
             by IT management. (Refer also to Testing Suggestion of Minimum Expectation 1)

            MINIMUM EXPECTATION 5
             Back-up tapes for operational recovery are stored on-site in a secure, environmentally
             protected area (e.g., computer room).

            MINIMUM EXPECTATION 6
             Back-up tapes for disaster recovery are stored in a secure, environmentally protected area
             until rotated off-site. Rotation should occur on a daily basis. Off-site implies a location in a
             different building a safe distance away from the building housing the computing center, with
             due consideration given to the primary risks in the area (e.g., fire, flood, tornado, explosion,
             chemical spills, etc.). (Refer also to Testing Suggestions of Minimum Expectation 5)

             MINIMUM EXPECTATION 7
              Procedures exist and are followed to perform a random sample of media maintained for
              disaster recovery and test for readability. This should be performed, at a minimum, on an
              annual basis.

          MINIMUM EXPECTATION 8
           Media used for long term retention of business data and archival purposes are stored in a
           secure, environmentally protected area. The environmental controls in place must ensure the
           long-term readability of the media. (Refer also to Testing Suggestions of Minimum
           Expectation 5)

          MINIMUM EXPECTATION 9
           Documented procedures govern the location and movement of all back-up tapes, and tapes or
           other electronic media used for record retention and data archival purposes. Adequate
           environmental and security precautions are followed. Periodic spot-checks ensure the process
           is consistently followed.

          MINIMUM EXPECTATION 10
           At least once a year, a random-sample inventory of the tapes and other electronic media
           used for operational recovery, disaster recovery and business data retention is
           performed. Results of the last inventory and corrective actions are retained.

          MINIMUM EXPECTATION 11
           Discrepancies disclosed by the inventory are reconciled within ten days.




Exceptional/Best Practices
An Exceptional/Best Practice must exist to receive an excellent rating. Refer to the Audit Web Page “Best
Practice Log” to view or propose Practices that qualify as very good or exceptional in nature:
http://my.alcoa.com/portal/communities/community.asp?UserID=300922&intCommunityIndex=3&intCurrentPageIndex=4&intComCurrentFolder=&CommunityID=354&CommPageID=976

Minimum Expectation Testing Suggestions
Mark Yes if test performed. If Not Reviewed, Not Applicable, or if performing a different test, then
explain in gray box.


             TESTING SUGGESTION: Minimum Expectations #1, #3, and #4
             Talk to Business Process Owners to understand the business application requirements and
             determine worst-case failure scenarios for operational and disaster recovery. Examine the
             documented procedures and schedules for system, program, and data back-ups and determine
             whether the backup schedules and off-site rotation times are appropriate to meet recovery
             needs for the worst-case failure scenario.
             a. Verify that the back-up procedures and schedules provide for at least weekly back-up of
             application and system software, and daily back-up of production data (or other timing as
             approved by the affected business process owner(s)).
             b. If alternate backup timing is used for production data, verify that the business process
             owner(s) understand and have approved the alternate procedures.
             c. Obtain copies of the system logs of the past week, and verify that the back-up procedures
             for operational, disaster recovery and business data retention back-ups ran according to
             schedule, and ran successfully.

     TESTING SUGGESTION: Minimum Expectation #2
     For any back-up procedure that was observed to not successfully run to completion, verify
     that appropriate rerun procedures were taken, and find the rerun of the job in the system log.
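As an added check for Minimum Expectations #1 and #2 and step c of the testing suggestion above (example code, not part of the ASAT): a script that parses a constructed week of backup-job log lines, verifies the daily-full or weekly-full-plus-daily-incremental schedule, and lists failed runs and days with no successful backup, which are the events the notification procedure must cover. The log format and job name are assumptions.

```python
"""Check one week of backup-job log lines against the ASAT schedule rule.
Added example; the log format "YYYY-MM-DD job type status" is assumed."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: weekly full on the 3rd and 9th, daily incrementals
# in between, one failed incremental on the 6th that was rerun successfully.
SAMPLE_LOG = """\
2024-03-03 prod_data full ok
2024-03-04 prod_data incr ok
2024-03-05 prod_data incr ok
2024-03-06 prod_data incr failed
2024-03-06 prod_data incr ok
2024-03-07 prod_data incr ok
2024-03-08 prod_data incr ok
2024-03-09 prod_data full ok
""".splitlines()


def parse_log(lines):
    """Return {day: [(type, status), ...]} for the job's log lines."""
    runs = defaultdict(list)
    for line in lines:
        day, _job, kind, status = line.split()
        runs[date.fromisoformat(day)].append((kind, status))
    return runs


def check_week(runs, week_end):
    """Evaluate the 7 days ending on week_end (ISO date string).

    Returns (schedule_ok, failed_runs, days_without_backup):
      schedule_ok  - every day has a successful full, or the week has at
                     least one successful full and every day has some
                     successful backup (full or incremental)
      failed_runs  - (day, type) of runs that did not complete successfully
      days_without_backup - days with no successful run of any type
    """
    end = date.fromisoformat(week_end)
    days = [end - timedelta(days=i) for i in range(6, -1, -1)]
    successful = {d: {k for k, s in runs.get(d, []) if s == "ok"} for d in days}
    failed = [(d.isoformat(), k) for d in days for k, s in runs.get(d, []) if s != "ok"]
    missing = [d.isoformat() for d in days if not successful[d]]
    daily_full = all("full" in successful[d] for d in days)
    weekly_full = any("full" in successful[d] for d in days) and not missing
    return (daily_full or weekly_full), failed, missing


if __name__ == "__main__":
    ok, failed, missing = check_week(parse_log(SAMPLE_LOG), "2024-03-09")
    print("schedule ok:", ok, "| failed runs:", failed, "| days without backup:", missing)
```

A failed run that was rerun the same day keeps the schedule compliant but still appears in the failed list, which is exactly what Testing Suggestion #2 asks the reviewer to trace in the system log.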

     TESTING SUGGESTION: Minimum Expectations #5, #6, and #7
     Visit the on and off-site storage locations and:
     a. Ensure that the off-site location is in a different building a safe distance away from the
     computer room and considers the local primary threats.
     b. Assess the environmental conditions and security of back-up and long term retention tape
     storage locations. Access should be restricted to only authorized personnel.
     c. Verify that stored tapes and media for backups and long term retention are clearly labeled
     and easily identified.
     d. For disaster recovery tapes, if the disaster were to occur on the day this test is being
     conducted, ask to see which tapes would be necessary to recover the critical systems.
     e. Visually inspect any electronic media used and stored for record retention and archival
     purposes at the facility. From the location's inventory listing, select 5 tapes, CD-ROMs, etc.,
     and ensure they are in the location noted on the inventory.

     TESTING SUGGESTION: Minimum Expectations #5, #6, and #8
     Identify who has access to back-up tapes and verify that it appears reasonable based on their
     job responsibilities. Only computer operations personnel, or individuals directly involved in
     the rotation process, should have access.


     TESTING SUGGESTION: Minimum Expectation #7
     Review documented procedures and verify that a process is in place to take an adequate
     sample of disaster recovery media and test for readability on an annual basis. Review testing
     documentation of the media readability verification.

     TESTING SUGGESTION: Minimum Expectation #9
     From a list of archived media:
     a. Select ten entries from a variety of systems, media and time periods, making sure the
     sample includes media from the oldest open tax year.
     b. Have operations verify the media can be read.

     TESTING SUGGESTION: Minimum Expectation #98
     Observe the handling procedures for back-up tapes. Verify that they are always stored in a
     physically and environmentally protected manner.

     TESTING SUGGESTION: Minimum Expectation #9
     Review the process for rotating the back-up tapes, and observe that the tapes are moving
     according to the defined process and schedule.

     TESTING SUGGESTION: Minimum Expectation #9
     Obtain a listing of back-up tapes that should be moving for a given day, and observe that
     those tapes, and only those tapes, were moved.

     TESTING SUGGESTION: Minimum Expectation #10
     Obtain evidence that the random sample testing has been conducted on at least an annual
     basis.

     TESTING SUGGESTION: Minimum Expectation #11
     Review the results of the last random sample. Verify that all tapes in the sample were found,
     and that any discrepancies were resolved within ten days.


                           AUTHORIZED SOFTWARE INSTALLATION

NAME:                                    TITLE:                                   TEST DATE:

                        Rating:       Poor        Fair       Good        Excellent       Not Reviewed           N/A

OBJECTIVE:                 IT6.9     A process ensures that only legally purchased, authorized, business
                                     related software is installed. (Return to Summary)

Minimum Expectations
Mark Yes if in place today, No, Not Reviewed or Not Applicable

            MINIMUM EXPECTATION 1
             A documented process exists to ensure that only authorized business-oriented software is
             initially installed on personal computers (PCs) and servers.

            MINIMUM EXPECTATION 2
             At least twice a year, a random sampling of installed PCs and servers is conducted to ensure
             that only authorized, business related software is installed.

 Exceptional/Best Practices
 An Exceptional/Best Practice must exist to receive an excellent rating. Refer to the Audit Web Page “Best
 Practice Log” to view or propose Practices that qualify as very good or exceptional in nature:
 http://my.alcoa.com/portal/communities/community.asp?UserID=300922&intCommunityIndex=3&intCurrentPageIndex=4&intComCurrentFolder=&CommunityID=354&CommPageID=976

 Minimum Expectation Testing Suggestions
 Mark Yes if test performed. If Not Reviewed, Not Applicable, or if performing a different test, then
 explain in gray box.

              TESTING SUGGESTION: Minimum Expectation #1
              Obtain and review a copy of the documented process for initial software installation. Ensure
              that it contains steps requiring verification of software licenses and business need prior to
              installation.

              TESTING SUGGESTION: Minimum Expectation #2
              Review the periodic sampling that has occurred during the past year.
              a. Understand how the sample sizes and specific PCs and servers were chosen. Ensure that
              the selection process appears random, and that a cross-section of the location is tested during
              each review.
              b. Note any exceptions that were identified, and verify that follow-up actions remedied the
              situation, either by removing the software or by taking action to obtain a license for the
              software.

DOCUMENT INFO
posted:6/5/2011
language:English
pages:22