
Jindal Shadeed Iron and Steel Co LLC

Preliminary list of Requirements


IT Audit 2015
Description

Responsibility

General
1- IT organization chart (with personnel name and designation)
2- IT policies and procedures manual (changes introduced this
year)
3- IT strategic plan and initiatives (Long term and Short Term)
4- List of hardware platforms/operating system/database for the
applications in audit scope. (Please provide the information
in the attached sheet IT Environment Sheet.xlsx)

To be provided
by BASIS team

5- Network diagram
6- Applications interface diagram
Not available

To be provided
by BASIS team

7- Details of the WAN/LAN equipment and servers


8- List of in-house developers application wise
a. DEVJSPL2- Sandeep Chauhan
b. DEVJSPL3- Anidhya Shori

To be provided
by BASIS team

9- IT internal audit report carried out during the year (if any)
10- Penetration test report (if performed)
11- List of all employees currently employed with the entity with
minimum fields like employee code, name, designation,
department, date of joining
12- List of employees joined, resigned and transferred during the
year starting 01 Jan till date. The list should at minimum
provide the following details:
a. Employee full name
b. Employee designation
c. Employee code (HR code)
d. Employee department/section
e. Date of leaving/date of joining/date of transfer
(Note: In case of internal transfers please provide transferred
from and transferred to which department)
Access Management
13- Access Management (including access provisioning and deprovisioning) policies and procedures (please ignore if
included in IT policies and procedures manual requested in
point 2)

To be provided
by BASIS team

14- List of all users including administrators on the applications
in scope. The list of users should provide the following
details:
This has been provided in a separate Excel sheet.

To be provided
by BASIS team

a. User name

b. User id
c. User access/profile assigned
d. User status (Active/Disabled/Deleted)
e. User creation date
f. User deletion date

g. Last login date


15- List of all users including administrators on the underlying
database and operating system of applications in scope.
I. OS level User: IBM
II. Database User: oraocp & root
III.

To be provided
by BASIS team

16- List of Active Directory users, including administrators,
mentioning the following details:
a. User name
b. User id
c. User Status (Active/Disabled/Deleted)
d. User creation date
e. User deletion date
f. Last login date

17- Application account password configuration settings (for all
the applications in scope).
Passwords have been configured in SAP as alphanumeric, with a
minimum of 8 characters and an expiry of 60 days.

To be provided
by BASIS team

18- Database(s) (of applications in scope individually) account
password configuration settings:
Database (Oracle) standard password policy is applicable
at database level.

To be provided
by BASIS team

19- Active directory password policy


20- Internet architecture and firewall security policy for review:
Ask Rajesh Sir for OMAN. We don't have it.

To be provided
by BASIS team

21- List of authorized personnel that have access

To be provided
by BASIS team

to the server room (primary data center and DR data center);
I. Mr. Virendra Sharma & Mr. Nilesh Chopra for Data
Center via access card system.
II. Mr. Sanowar Shah has DR data center access.
to developer, test and production area for all the
applications in scope;
to modify backup jobs; and
I. BASIS Administrator
to approve program changes, move change from
development/test environment to production
environment

SAP SPOC & SAP head
22- Run the Database and Operating Systems scripts (We will be
sending it separately)
Change Management
23- Change Management policies and procedures (please ignore
if included in IT policies and procedures manual requested in
point 2)
The process is such that there is a Change Request form
through which, with proper approval, the changes are
made in the Production server.

To be provided
by BASIS team

24- Software version / configuration / patch management policies
and procedures (please ignore if included in IT policies and
procedures manual requested in point 2).
A separate Excel sheet has been provided.

To be provided
by BASIS team

25- List of all changes applied to the applications in scope (for
the period of 01 Jan till date) and the description of the
change for the year 2014. The list should contain the change
reference no., change initiation date, change description,
change approval date, implementation date, initiator,
authorizer, tester and approver details.
A separate TR list has been submitted in Excel with this
document.

To be provided
by BASIS team

Other IT General Controls (ITGCs)


26- Incident management/helpdesk policy and procedure
document (please ignore if included in IT policies and
procedures manual requested in point 2)
All the production activities are being tracked through the help
desk; for SAP we are using SAP Solution Manager. There
is tracking and logs for all the production activity. There

To be provided
by BASIS team

27- Please provide us reports such as incident
management/helpdesk logs/Incident and Problem
Management monitoring reports (for the period of 01 Jan till
date).
Sending some formats of incident management.

To be provided
by BASIS team

28- Backup policy and procedure document (please ignore if
included in IT policies and procedures manual requested in
point 2).
Shall be provided by tomorrow.

To be provided
by BASIS team

29- Backup schedule:
A daily production backup is scheduled as an incremental
backup one time, along with a backup of the transactional
log (redo log files) 2 times daily.

To be provided
by BASIS team

30- Backup restoration testing performed during the year
This is being done on a quarterly basis, 4 times a year.

To be provided
by BASIS team

31- Evidence of backup storage (onsite and offsite), labeling and
movement procedures / registers / forms
Attaching the screenshots for the proof.

To be provided
by BASIS team

32- Back-up and recovery test schedules (restoration tests) and
results :
Not in practice.

To be provided
by BASIS team

33- Business Continuity Plan/Disaster Recovery plan document
for review:
No documentation available.

To be provided
by BASIS team

34- Business Continuity Plan/Disaster Recovery test schedules
and results:
We have tested the DR server more than one year back.

To be provided
by BASIS team