Frameworks and policies Flashcards
Audit Tools
- ACL for data analysis. Data analysis is performed as part of CAATs (computer-assisted audit techniques) using IDEA or Excel to assist in testing controls, typically where we test 100% of transactions to detect deviations from business expectations. IDEA removes duplicates, sorts data, and performs text-to-column functions on it.
- Electronic workpapers for documenting our work (TeamMate or Auto Audit)
- Automated scripts for collecting audit-related data: MBSA, TIGER (UNIX)
GDPR
Not a US regulation but a European one; it binds you to cover your European organizations. It is mandated to protect the information of every European citizen.
Gramm-Leach-Bliley Act
US federal law that requires financial institutions to explain how they protect their customers' private information.
FFIEC
A cybersecurity framework that relates to bank regulation; they released a CAAT tool (TRACESECURITY, GHP).
Committee of Supporting Organizations (COSO)
Base framework; it can stand on its own. I use it if the scope of the audit is based on access controls or systems of records. It is used for the design, implementation, and assessment of our company's internal controls. Controls are needed to mitigate the risks to technology operating effectively in support of company objectives.
Control Objectives for Information and Related Technology (COBIT)
- Can’t stand alone; needs COSO
PCI DSS audit
Since my organization is a financial institution that processes and stores CC data, we conduct PCI, which is a set of standards for the protection of payment card information applicable to all organizations that store, process, or transmit CC data. I was assigned to test controls surrounding access control. The controls I test include each person with computer access having a unique user ID, protecting stored cardholder data, ensuring restricted access to cardholder data, and verifying that all access to network resources and cardholder data is tracked and monitored.