Auditing in a CIS Environment Controlling and Auditing the SDLC
Controlling Systems Maintenance
• Four minimum controls: – Formal authorization – Technical specification of the changes – Retesting the system – Updating the documentation Controlling and Auditing the SDLC
Controlling Systems Maintenance
• Source program library controls – To prevent... • Unauthorized program changes – In large computer systems, application program source code is stored on magnetic disks called the source program library (SPL). – SPL is a sensitive area, which, to preserve application integrity, must be properly controlled. – Controlling the SPL may require the implementation of an SPL management system (SPLMS). Controlling and Auditing the SDLC
Controlling Systems Maintenance
• SPLMS Controls – Storing programs on the SPL – Retrieving programs for maintenance purposes – Detecting obsolete programs – Documenting program changes (audit trail of the changes) • The mere presence of an SPLMS does not guarantee program integrity. The succeeding control techniques must be used... Controlling and Auditing the SDLC
Controlled SPL Environment
• Password control – On a specific program • Separate test libraries (for each programmer) – Programs are copied into the programmer's library for maintenance and testing. – Direct access to the production SPL is limited to an authorized librarian who must approve all requests to modify, delete, and copy programs. Controlling and Auditing the SDLC
Controlled SPL Environment
• Audit trail and management reports – Being produced by the SPLMS – Describing program modifications • Program version numbers – The SPLMS assigns a version number automatically to each program stored on the SPL. Starts with version number 0. With each modification, the version number is increased by 1. Controlling and Auditing the SDLC
Controlled SPL Environment
• Controlling access to maintenance [SPL] commands – Commands • Alter or eliminate program passwords • Alter the program version number • Temporarily modify a program without generating a record of the modification. – These commands must be controlled to avoid unauthorized program modifications. – Access to these commands should be password-controlled. Controlling and Auditing the SDLC
Audit Objectives and Procedures
• Audit objectives – Detect any unauthorized program changes – Verify that maintenance procedures protect applications from unauthorized changes – Verify applications are free from material errors – Verify SPL are protected from unauthorized access Controlling and Auditing the SDLC
Audit Objectives and Procedures
• Audit procedures – Identify unauthorized changes • Reconcile program version numbers • Confirm maintenance authorization – Identify application errors • Reconcile source code [after taking a sample] • Review test results (documentation of tests conducted by a client) • Retest the program – Testing access to libraries • Review programmer authority tables (from SPLMS, access to libraries) • Test authority table (simulation, intentionally violate the authorization rules by attempting to access unauthorized libraries)