ITGC Flashcards
SDLC
Relates to the development and implementation of new systems: the process from the initiation phase to the retirement phase of a system. The authorization to acquire or develop new systems is provided by the IT steering committee together with upper-level management. A post-implementation review is performed shortly after the revised or new system goes live. During the maintenance phase, I test the regular change or configuration management controls to ensure they are designed appropriately and operating effectively.
Walkthrough
I obtain an understanding of the controls being tested in the walkthrough meeting with the IT department (the control owners), observe the evidence provided, reference that evidence in the workpapers, and conclude whether or not an exception is noted. For detailed testing, I obtain the population, validate it by observing how the population is pulled (so that it is complete and covers the audit period), select a sample (usually 10%), request evidence for each sampled item similar to the evidence seen in the walkthrough, and then test the control attributes against that evidence.
Backup and Recovery
- Review the company's backup process
- Back-up frequency/period
- Back-up failures (how they are followed up / who is responsible)
- Back-up tape security and whether tapes are sent offsite to a secure location
- Samples of failed backups and how each was fixed
Logical Access Audit
Access control
- Ensure there is written approval before user accounts are created.
- Ensure the audit trail/audit log is enabled in the system.
- Ensure users have unique usernames and passwords that are periodically forced to expire.
- Verify user accounts are created as approved.
- Access request and approval process (walkthrough)
Physical Access Audit
- An authorized approvers list is maintained.
- Ensure access is granted only after proper approval.
- Ensure physical access to computer equipment and storage media is limited to authorized personnel.
- Facility alarmed and monitored by CCTV
IT Operations
- Test back-up and recovery
- Test job scheduling (scheduled jobs and batch jobs)
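The backup review and the job-scheduling test above can be reperformed over the job log rather than only by inspecting a few screenshots. The following is an added example, not part of the original flashcards: it parses a constructed backup job log (the key=value line format, the job name, the 12-hour rerun window and the follow-up ticket list are all assumptions made for the example) and reports failures with no successful rerun, failures with no follow-up ticket, and days on which a daily job did not run at all.

```python
"""Review of backup job logs: failures, follow-up and scheduling gaps (constructed data)."""
import re
from datetime import date, datetime, timedelta

# Constructed backup job log. The key=value line format is an assumption for this example.
BACKUP_LOG = """\
2024-03-01 02:00:13 job=fin_db_full status=SUCCESS bytes=51234567 media=TAPE-0417
2024-03-02 02:00:09 job=fin_db_full status=FAILED error="tape drive not ready"
2024-03-02 09:14:00 job=fin_db_full status=SUCCESS bytes=51301122 media=TAPE-0418 note="rerun for INC-4412"
2024-03-03 02:00:11 job=fin_db_full status=SUCCESS bytes=51377001 media=TAPE-0419
2024-03-05 02:00:05 job=fin_db_full status=FAILED error="destination unreachable"
2024-03-06 02:00:40 job=fin_db_full status=SUCCESS bytes=51422910 media=TAPE-0421
"""

# Constructed follow-up tickets recorded by operations, keyed by (job, failure date).
FOLLOWUP_TICKETS = {("fin_db_full", date(2024, 3, 2)): "INC-4412"}

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Turn each log line into a dict of fields plus a 'ts' datetime; skip unparseable lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
        fields["ts"] = datetime.fromisoformat(f"{m.group(1)}T{m.group(2)}")
        entries.append(fields)
    return entries


def unremediated_failures(entries, window_hours=12):
    """Failures with no successful rerun of the same job inside the (assumed) window."""
    out = []
    for e in entries:
        if e["status"] != "FAILED":
            continue
        deadline = e["ts"] + timedelta(hours=window_hours)
        rerun = any(x["job"] == e["job"] and x["status"] == "SUCCESS"
                    and e["ts"] < x["ts"] <= deadline for x in entries)
        if not rerun:
            out.append((e["ts"].date(), e["job"]))
    return out


def failures_without_ticket(entries, tickets=FOLLOWUP_TICKETS):
    """Failures for which operations recorded no follow-up ticket (who owned the fix?)."""
    return [(e["ts"].date(), e["job"]) for e in entries
            if e["status"] == "FAILED" and (e["job"], e["ts"].date()) not in tickets]


def missing_daily_runs(entries, job, start, end):
    """Calendar days in [start, end] on which a daily scheduled job has no log entry at all."""
    ran = {e["ts"].date() for e in entries if e["job"] == job}
    days = [start + timedelta(days=i) for i in range((end - start).days + 1)]
    return [d for d in days if d not in ran]


if __name__ == "__main__":
    log = parse_log(BACKUP_LOG)
    print("no rerun within window:", unremediated_failures(log))
    print("no follow-up ticket:   ", failures_without_ticket(log))
    print("scheduled run missing: ", missing_daily_runs(log, "fin_db_full",
                                                         date(2024, 3, 1), date(2024, 3, 6)))
```

A failure that was rerun successfully the same morning is not an exception on its own; the exceptions worth raising are the failure with neither a rerun nor a ticket, and the day the job never started, which the scheduler log rather than the backup log may explain.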
Change Management/Change Control
- First, understand the company's change methodology.
- Ensure there is a change request and approval process put in place by management.
- Ensure there are separate development, test and production environments.
- Ensure production changes are developed and implemented only after proper approval.
Change Management Control
- Changes are authorized
- Changes are tested
- Changes are approved before migrating to the production environment.
- SOD (segregation of duties): the person who develops a change is not the person who approves it or migrates it to production.
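The walkthrough procedure above (obtain and validate the population, select a roughly 10% sample, test each sampled item against the control attributes) and the change-management attributes in this section can be reperformed with a small script. The following is an added example written for these notes, not code from the original page: it runs over a constructed population of change tickets, and the field names (ticket, requester, developer, approver, migrator, tested, approved_on, migrated_on) and the audit period are assumptions made for the example.

```python
"""Sample-based test of change-management controls over a constructed ticket population."""
import math
import random
from datetime import date

AUDIT_PERIOD = (date(2024, 1, 1), date(2024, 3, 31))  # assumed audit period
SAMPLE_RATE = 0.10  # the "usually 10%" sample from the walkthrough notes
REQUIRED = {"ticket", "requester", "developer", "approver", "migrator",
            "tested", "approved_on", "migrated_on"}


def _clean_change(n):
    """A constructed ticket that passes every attribute (field names are assumptions)."""
    return {"ticket": f"CHG-{1000 + n}", "requester": "alice", "developer": "bob",
            "approver": "carol", "migrator": "dave", "tested": True,
            "approved_on": date(2024, 2, n + 1), "migrated_on": date(2024, 2, n + 2)}


# Constructed population: 16 clean tickets plus four with planted exceptions.
POPULATION = [_clean_change(n) for n in range(16)] + [
    {**_clean_change(16), "ticket": "CHG-2001", "approver": None, "approved_on": None},
    {**_clean_change(17), "ticket": "CHG-2002", "tested": False},
    {**_clean_change(18), "ticket": "CHG-2003", "approved_on": date(2024, 2, 25)},
    {**_clean_change(19), "ticket": "CHG-2004", "migrator": "bob"},
]


def validate_population(population, period=AUDIT_PERIOD):
    """Completeness checks before sampling: fields present, no duplicate tickets,
    every migration date inside the audit period."""
    start, end = period
    issues, seen = [], set()
    for chg in population:
        tid = chg.get("ticket")
        missing = REQUIRED - chg.keys()
        if missing:
            issues.append(f"{tid}: missing fields {sorted(missing)}")
        if tid in seen:
            issues.append(f"{tid}: duplicate ticket in population")
        seen.add(tid)
        migrated = chg.get("migrated_on")
        if migrated is None or not start <= migrated <= end:
            issues.append(f"{tid}: migrated_on outside audit period")
    return issues


def select_sample(population, rate=SAMPLE_RATE, seed=0):
    """Reproducible sample of ceil(rate * N) tickets; record the seed in the workpapers."""
    size = max(1, math.ceil(len(population) * rate))
    ordered = sorted(population, key=lambda c: c["ticket"])
    return random.Random(seed).sample(ordered, size)


def check_change(chg):
    """Testing attributes for one ticket: authorized, tested, approved before
    migration, and segregation of duties. Returns the exceptions noted."""
    exceptions = []
    if not chg["approver"]:
        exceptions.append("not authorized: no approver recorded")
    if not chg["tested"]:
        exceptions.append("no evidence of testing")
    if chg["approved_on"] is None or chg["approved_on"] > chg["migrated_on"]:
        exceptions.append("approval not obtained before migration to production")
    if chg["developer"] in (chg["approver"], chg["migrator"]):
        exceptions.append("SoD: developer also approved or migrated the change")
    if chg["requester"] == chg["approver"]:
        exceptions.append("SoD: requester approved own change")
    return exceptions


def run_change_test(population=POPULATION, seed=0):
    """Validate, sample, then test each sampled ticket; returns the workpaper summary."""
    issues = validate_population(population)
    if issues:
        return {"population_issues": issues, "sample": [], "exceptions": {}}
    sample = select_sample(population, seed=seed)
    exceptions = {c["ticket"]: check_change(c) for c in sample if check_change(c)}
    return {"population_issues": [], "sample": [c["ticket"] for c in sample],
            "exceptions": exceptions}


if __name__ == "__main__":
    for key, value in run_change_test(seed=7).items():
        print(f"{key}: {value}")
```

Sampling is done with a recorded seed so a reviewer can regenerate exactly the same sample from the same population; if the population fails validation, nothing is sampled, because a sample drawn from an incomplete population proves nothing about the period.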
Access Control
- Password settings are appropriate
•minimum password length of 8 characters
•idle session timeout
•frequently forced password changes
•ability of users to set their own passwords
- Test that user access is authorized and appropriately established
•New users
•Terminated users
•Transferred users
- Physical access to computer hardware is limited to appropriate individuals
•Obtain a list of employees with access to the data center, determine whether it is complete and review its appropriateness.
•Confirm controls are in place to restrict access to only those individuals.
•Confirm the existence of a periodic physical access review.
- Test that logical access is granted appropriately and monitored
•Review of logs
•Reporting of violation attempts
•Review access for continued appropriateness
- Segregation of incompatible duties
•The individual who requests access to be set up is not the same person approving, authorizing, or establishing that access.
•Review the rights granted to "privileged" users and the monitoring of "privileged" account use.
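The logical access tests in this section and in the Logical Access Audit section above (password settings, unique usernames, new/terminated/transferred users, written approval before account creation, authorized approvers, and requester/approver/implementer segregation) can be reperformed against system exports. The following is an added example written for these notes, not code from the original page: every export is constructed inline, the field names are assumptions, and the 90-day password expiry threshold is an assumed value for "frequently forced password changes".

```python
"""Logical-access control tests over constructed exports (password settings, HR data,
account list and access requests). Field names and thresholds are assumptions."""
from collections import Counter
from datetime import date

AS_OF = date(2024, 3, 31)
MAX_PASSWORD_AGE_DAYS = 90   # assumed threshold for "frequently forced password changes"

# Constructed export of the application's password settings (deliberately weak).
PASSWORD_SETTINGS = {"min_length": 6, "idle_timeout_min": 0,
                     "max_age_days": 365, "user_sets_own": True}

AUTHORIZED_APPROVERS = {"carol", "frank"}   # constructed authorized approvers list

# Constructed account listing: username, enabled flag, last entitlement review date.
ACCOUNTS = [
    {"username": "alice", "enabled": True,  "last_review": date(2024, 1, 15)},
    {"username": "bob",   "enabled": True,  "last_review": date(2024, 1, 15)},
    {"username": "erin",  "enabled": True,  "last_review": date(2024, 1, 15)},  # terminated Feb 28
    {"username": "gus",   "enabled": False, "last_review": date(2024, 1, 15)},  # terminated, disabled
    {"username": "hana",  "enabled": True,  "last_review": date(2023, 12, 1)},  # transferred Feb 1
    {"username": "ivan",  "enabled": True,  "last_review": date(2024, 1, 15)},
    {"username": "ivan",  "enabled": True,  "last_review": date(2024, 1, 15)},  # duplicate name
]

# Constructed HR movement report for the period.
HR_EVENTS = [
    {"username": "erin", "event": "terminated",  "effective": date(2024, 2, 28)},
    {"username": "gus",  "event": "terminated",  "effective": date(2024, 1, 31)},
    {"username": "hana", "event": "transferred", "effective": date(2024, 2, 1)},
]

# Constructed access requests: who asked, who approved, who set the account up.
ACCESS_REQUESTS = [
    {"request": "AR-1", "requester": "alice", "approver": "carol", "implementer": "dave",
     "approved_on": date(2024, 1, 5), "created_on": date(2024, 1, 6)},
    {"request": "AR-2", "requester": "carol", "approver": "carol", "implementer": "dave",
     "approved_on": date(2024, 1, 9), "created_on": date(2024, 1, 9)},
    {"request": "AR-3", "requester": "ivan", "approver": "frank", "implementer": "frank",
     "approved_on": date(2024, 2, 2), "created_on": date(2024, 2, 2)},
    {"request": "AR-4", "requester": "hana", "approver": "zed", "implementer": "dave",
     "approved_on": date(2024, 2, 12), "created_on": date(2024, 2, 10)},
]


def check_password_settings(s):
    """Compare exported settings with the four password attributes in the notes."""
    findings = []
    if s["min_length"] < 8:
        findings.append(f"minimum length {s['min_length']} below 8")
    if not s["idle_timeout_min"]:
        findings.append("idle session timeout not enforced")
    if s["max_age_days"] is None or s["max_age_days"] > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password expiry {s['max_age_days']} days exceeds {MAX_PASSWORD_AGE_DAYS}")
    if not s["user_sets_own"]:
        findings.append("users cannot set their own passwords")
    return findings


def duplicate_usernames(accounts):
    """Usernames that appear more than once: accountability requires unique IDs."""
    counts = Counter(a["username"] for a in accounts)
    return sorted(u for u, n in counts.items() if n > 1)


def terminated_with_active_access(accounts, hr_events, as_of=AS_OF):
    """Terminated on or before as_of but still enabled: the 'terminated users' test."""
    gone = {e["username"] for e in hr_events
            if e["event"] == "terminated" and e["effective"] <= as_of}
    return sorted({a["username"] for a in accounts if a["enabled"] and a["username"] in gone})


def transfers_not_rereviewed(accounts, hr_events):
    """Transferred users whose entitlements were not reviewed after the move."""
    moved = {e["username"]: e["effective"] for e in hr_events if e["event"] == "transferred"}
    return sorted({a["username"] for a in accounts
                   if a["username"] in moved and a["last_review"] < moved[a["username"]]})


def check_access_request(req, approvers=AUTHORIZED_APPROVERS):
    """Written approval by an authorized approver, before creation, with SoD preserved."""
    exceptions = []
    if req["approver"] not in approvers:
        exceptions.append("approver not on the authorized approvers list")
    if req["requester"] == req["approver"]:
        exceptions.append("SoD: requester approved own access")
    if req["approver"] == req["implementer"]:
        exceptions.append("SoD: approver also established the access")
    if req["approved_on"] is None or req["approved_on"] > req["created_on"]:
        exceptions.append("account created before written approval")
    return exceptions


def run_logical_access_tests():
    """Workpaper summary of every test over the constructed exports."""
    return {
        "password_settings": check_password_settings(PASSWORD_SETTINGS),
        "duplicate_usernames": duplicate_usernames(ACCOUNTS),
        "terminated_still_active": terminated_with_active_access(ACCOUNTS, HR_EVENTS),
        "transfers_not_rereviewed": transfers_not_rereviewed(ACCOUNTS, HR_EVENTS),
        "access_request_exceptions": {r["request"]: check_access_request(r)
                                      for r in ACCESS_REQUESTS if check_access_request(r)},
    }
```

The terminated-user test compares the HR report with the account list as of the period end, so a user disabled on time (gus) is not an exception while one left enabled after leaving (erin) is; the transfer test uses the last entitlement review date because a transfer is only a finding when nobody re-examined the old access afterwards.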