M4 General Controls Flashcards

1
Q

What are the sections of general controls?

A
  • control environment, organisational controls and personnel practices
  • systems development and programme change controls
  • access controls
  • continuity of operations controls
  • systems software and operating controls
  • documentation controls

Word: CSACSD

2
Q

What are the controls groups within the control environment, organisational controls and personnel practices section?

A
  • integrity and ethical values
  • commitment to competence
  • participation by those charged with governance
  • management philosophy and operating style
  • organisational structure
  • human resource policies and procedures

Word: ICPMOH

3
Q

What are the controls in the systems development section?

A

in-house development steps (WORD: SPPUSTUCTPD)
- standards
- project approval
- project management
- user requirements
- system specs and programming
- testing
- final approval
- conversion
- training
- post implementation review
- documentation

Packaged software A and D’s (Word: QDTOFB)
- Advantages
~ Quicker to start using
~ Demo is normally available
~ technical support
~ Ongoing updates

Programme change controls (word: RLACMDITUCICB)
- request form and register this form on register
- log this form in the app to let people check status
- approval of changes by 3 levels
- change implemented by actual programmers
- major changes - treated as mini-project
- don’t implement changes on the live system
- independent and non-independent people must debug
- tested by users
- users sign after testing that they are happy
- change documentation and document the changes
- independent person must copy it to the live system
- have the changes logged
- back up all your data

4
Q

What are controls and their groups from the access controls section?

A

security policy (Word: LFDL)
- least privilege access
- fail safe controls to keep items safe
- defence in depth
- logging, so that all activity is logged and reviewed

Physical Access to data centre controls (Word: VNPC)
- visitors
~ appointment with IT
~ cleared to Enter
~ ID tag
~ escorted in and out
- non-IT personnel
~ no need for access
- physical entry
~ one access point
~ locked door
~ CCTV
~ security guards
- computer terminals
~ don’t place by windows
~ locked and secure
~ all kept in a room with locked doors

Logical Access controls (Word: IAALAPS)
- Identification (username)
- authentication (password)
- authorisation (management must allow them)
- logging
- access tables
- passwords
- supplementary

5
Q

What are the controls and their groups in the continuity of operations section?

A

Risk assessment (Word: FPHN)
- Fraud and Theft
- physical Damage
- hacking and Viruses
- NOCLAR

Physical security (word: PFPHP)
- physical location safe?
- fire and flood protection?
- power surge protection?
- heat and humidity protection
- all the physical access controls

disaster recovery (Word: WWATA-ADRFM)
- recovery plan
~ written document
~ widely available
~ addresses priorities
~ tested
~ has a plan for alternate processing
- back up strategies
~ all accounting and operations data
~ Daily, 3 generation back up
~ recent backup stored off site
~ mirror site
- fireproof and waterproof site

General (word: MHFRI)
- maintenance of equipment
- hardware performance test
- firewalls and antivirus
- reliance on key personnel
- Insurance

6
Q

What controls are in the systems software and operation controls section?

A
  • analysis of software/hardware
7
Q

What controls are in the documentation section?

A
  • all aspects of computer systems should be documented
  • access to documentation to be limited
8
Q

What are the general IT controls?

A
  • segregation of duties: within IT department and organisation as a whole
  • deprovisioning and supervision