Information Technology General Controls Review (ITGC) Audit Program
2012 Internal Audit Work Plan
© CHIL Global Associates (also available in MS Word)

Project:                 Prepared by:                 Date Prepared:                 Reviewed by:

Objective

IT General Controls (ITGC) address the overall operation and activities of the IT function and its management and governance. The ITGC audit will identify and assess general controls throughout the organization's IT infrastructure. The auditor(s) will inquire, observe, and gather evidence to obtain an understanding of the IT control environment. COBIT provides the general framework for the assessment and is augmented as necessary with applicable regulation, legislation, standards, policies, agreements, and related guidance.

Reference: each procedure below is recorded in the work plan with its Workpaper #, Date, and Auditor and Comments.

A. General

A.1 Review prior assessments, audit reports, findings, and recommendations of IT activities for the past two years, including:
• External audit reports
• Internal audit reports
• Regulatory agency reports
• Consulting reports
Assess the appropriateness of corrective actions taken. Document the action taken for each recommendation and determine whether any prior-year comments should be carried forward to the current year's comments.

A.2 List the technology platforms in use and the applications processed on each platform. Platform information includes:
• Equipment manufacturer and model
• Quantity
Software application information includes:
• Application vendor and name
• Version / Release

A.3 Review Board of Directors and Committee agendas and minutes from the past year for content relevant to IT. Establish and document follow-up plans as appropriate.

A.4 Review Business & IT Strategic Planning initiatives. Establish and document follow-up plans as appropriate.

A.5 Review the status of IT initiatives underway (changes in business operations or IT infrastructure, outsourcing initiatives, web strategies, etc.) and note those impacting risks and controls.

A.6 Review the status of outsourced IT services and the respective vendor(s), and adjust audit procedures as appropriate to address issues affected by outsourcing.

A.7 Review the list of trading partners / business associates with whom the organization shares or exchanges electronic information, and assess the arrangements for information security and compliance across organizational boundaries.

A.8 Review example business associate contracts / chain-of-trust agreements.

A.9 Assess the roles and related risks of key personnel responsible for the exchange of data / information with external entities.

A.10 Review the job descriptions for IT positions, including the Security and Privacy Officers. Assess their appropriateness for the roles identified, how well they address separation of duties, and other considerations.

A.11 Assess the general state of training provided to IT staff and the related policies, procedures, plans, schedules, and training records. (See also security training in the Security and Application Systems sections.)

A.12 Assess the management, maintenance, planning, and appropriateness of documented Policies, Procedures, Standards, and Guidelines including, but not limited to:
a. General IT and IS policies and procedures
b. All security policies, including HIPAA, HITECH, state and other security requirements, etc.
c. All privacy policies, including HIPAA, HITECH, state and other privacy requirements, etc.
d. Policies and procedures for release of information
e. Employee termination process
f. Personnel practices (e.g., clearance policies and procedures, background checks, etc.), visitor and maintenance personnel controls, disciplinary policies
g. Vendor policies and procedures
h. Change management policies and procedures

B. Organization and Operations

B.1 Obtain and review the current IT organization chart(s) and assess segregation of duties for key functions (i.e., systems analysis, development, programming, testing, operations, audit, etc.).

B.2 Review business process flows / diagrams for IT-related activities and assess the IT process controls identified.

B.3 Through discussion with IT personnel, evaluate the segregation of critical processing functions.

B.4 Ensure the IT function is a support group within the organization and does not initiate or authorize transactions.

B.5 Determine whether an IT steering committee (or an equivalent committee) provides effective IT governance within the organization.

C. Data Center (Environment and Physical Access)

Note: The physical environment reviewed will consider the size and complexity of the organization and its operations, and the types of technology in use or coming into use by the organization and its affiliates, partners, and related groups. Consider also the areas where technology is used and whether the locations present risks due to people and activities or to natural or man-made threats.

C.1 Evaluate the data center location(s) and the host building(s). Ensure combustible materials are not stored on floors above or below the data center. If combustible materials are stored above, evaluate whether the fire suppression system (sprinkler system) would result in water damage to the floors below.

C.2 Tour the data center(s). Document the measures taken to control physical access to such areas as the data center, computer room, telecommunications and wiring closets, and network access points.

C.3 During the tour:
• Identify all doors into the data center and ensure each adequately restricts access.
• Ensure all visitors, including vendors, are required to sign in upon entry, are escorted as appropriate, and that visitor records are retained.
• Identify and observe the techniques in place (surveillance cameras, security guards, electronic card keys, etc.) used to restrict data center access.

C.4 Determine whether the following environmental controls are in place and operational:
a. Fire suppression equipment (Halon or a clean-agent replacement, or dry-pipe water suppression, plus extinguishers)
b. Uninterruptible power supply (UPS)
c. Emergency power (e.g., generators)
d. Temperature and humidity controllers, including backup HVAC
e. Emergency power cut-off switches
f. Smoke and water detectors
g. Emergency lighting

C.5 Ensure the above are regularly tested and that maintenance contracts are in force.

C.6 Identify the equipment cooling system(s). If water-cooled, assess the protection from leakage and whether a backup water chiller exists.

C.7 Assess the routine maintenance of system equipment to ensure it performs as expected and to monitor failed or unstable systems.

C.8 Identify the location(s) of consoles for system and network operation and maintenance, and assess the use and control of remote consoles.

D. Access / Security Controls

Physical Access

D.1 Ensure physical access to the computer room(s) is limited to operators and appropriate supervisors:
a. Locked computer rooms that require coded ID cards or keys for entry
b. Manual key locks on the computers
c. Restricted access to program libraries, and logs of all program access

D.2 Assess the completeness and appropriateness of Facility Security Standards for authentication, personnel, access, etc.

Electronic Access

D.3 Assess the data security policies and their enforcement for all individuals with opportunities to access data. Assess whether the policies address data ownership, privacy, access requirements, encryption, media, communications, and passwords.

D.4 Determine how system resources (i.e., batch, on-line transactions, datasets, and sensitive utilities) are protected across all platforms, media, and transmissions. Identify applications that provide their own security mechanisms. Ensure appropriate capabilities are implemented, including:
• Unique user IDs assigned to all users
• Unattended devices automatically logged off after a specified period of inactivity
• Users forced to change passwords within a specified timeframe
• Old passwords cannot be reused
• Passwords properly masked on the system (on entry and in logs; confirm also that stored passwords are hashed rather than recoverable)

D.5 Review and assess the description of user authentication mechanisms (SecurID tokens, biometrics, CHAP/PAP, etc.; note that PAP transmits the password in cleartext). Identify and review the use of automated authorization and authentication mechanisms, profile templates, etc. Assess the connectivity of remote, dial-up, wireless, mobile, and other systems that provide access to sensitive data, and the specific security techniques in place for remote or mobile access and user authentication.

D.6 Review the procedures to authorize and revoke system access. Ensure proper authorization is obtained prior to granting user access to system resources. Evaluate the procedures established to remove user IDs and passwords from the system when an employee leaves, and to adjust access privileges as user roles and responsibilities change.

D.7 Select a sample of users in the system security package and ensure system access is appropriate and properly authorized. Select a sample of sensitive data elements and review their access management. Identify all users with privileged access authorities and assess the procedures for monitoring all activities of privileged users.

D.8 Review documentation for intrusion protection / detection and IT infrastructure monitoring systems (internal and external network infrastructure). Review descriptions of logging and auditing systems and assess their appropriateness.

D.9 Assess the logging of security-related information and the identification and management of security incidents or violations. Review sample logs and reporting for incident assessment and remediation.

D.10 Review the documentation for the Incident Response Team and Incident Response Process related to protected information loss, theft, disclosure, security breach, notification procedures, etc.

D.11 Review the incident response tracking mechanism and records of security incidents, and assess the timeliness and appropriateness of response, recovery, notification, follow-up review, corrective process, etc.

D.12 Assess the information security training provided to IT staff and the related policies, procedures, plans, schedules, and training records.

D.13 Assess the information security training provided to non-IT staff and the related policies, procedures, plans, schedules, and training records.

D.14 Assess the results of the most recent security penetration testing and the methods used.
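The following is an added example and is not part of the CHIL Global audit program. It shows how the access-review tests in D.4, D.6 and D.7 can be run analytically over a user export from the security package, matched against the HR termination list, rather than by eye over a printout. The CSV layout, column names, sample rows and the 90-day password age are constructed assumptions for illustration; a real export (a RACF listing, an Active Directory dump, an application's own user table) needs its own parser but the same tests apply.

```python
"""Added example (not part of the CHIL Global audit program): a first-pass
access-review analytic for procedures D.4, D.6 and D.7. All field names,
sample rows and the password-age threshold are constructed assumptions."""
import csv
import io
from datetime import datetime

# Constructed sample export from a hypothetical security package.
# Column names are assumptions; real products export different layouts.
ACCOUNT_EXPORT = """\
user_id,employee_id,enabled,privileged,pwd_last_set,approval_ticket
jsmith,E1001,Y,N,2012-01-15,CHG-4411
mjones,E1002,Y,Y,2011-06-30,CHG-3902
shared_ops,,Y,Y,2010-12-01,
tlee,E1003,Y,N,2012-02-20,
rpatel,E1004,N,N,2011-11-05,CHG-4100
kwong,E1005,Y,N,2012-03-01,CHG-4499
"""

# Constructed HR termination list: employee_id and last day of employment.
HR_TERMINATIONS = """\
employee_id,termination_date
E1003,2012-01-31
E1004,2011-12-15
"""

# Assumed policy value; take the real figure from the client's password standard.
MAX_PASSWORD_AGE_DAYS = 90


def _rows(text):
    """Parse an in-memory CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_accounts(export_csv, terminations_csv, as_of, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return one exception list per audit test, in export order."""
    accounts = _rows(export_csv)
    terminated = {r["employee_id"] for r in _rows(terminations_csv)}
    findings = {
        "no_individual_owner": [],      # D.4: every user ID must map to one person
        "terminated_still_enabled": [], # D.6: access revoked when an employee leaves
        "password_over_age": [],        # D.4: forced password change within the timeframe
        "unauthorized": [],             # D.7: no recorded approval for the access
        "privileged": [],               # D.7: population whose activity must be monitored
    }
    for a in accounts:
        uid = a["user_id"]
        enabled = a["enabled"] == "Y"
        if not a["employee_id"]:
            findings["no_individual_owner"].append(uid)
        if enabled and a["employee_id"] in terminated:
            findings["terminated_still_enabled"].append(uid)
        last_set = datetime.strptime(a["pwd_last_set"], "%Y-%m-%d").date()
        if enabled and (as_of - last_set).days > max_age_days:
            findings["password_over_age"].append(uid)
        if not a["approval_ticket"]:
            findings["unauthorized"].append(uid)
        if a["privileged"] == "Y":
            findings["privileged"].append(uid)
    return findings


def run_review(as_of="2012-03-31"):
    """Run the review over the constructed sample data as of the given date."""
    as_of_date = datetime.strptime(as_of, "%Y-%m-%d").date()
    return review_accounts(ACCOUNT_EXPORT, HR_TERMINATIONS, as_of_date)


if __name__ == "__main__":
    for test, users in run_review().items():
        print(f"{test:26s} {', '.join(users) or '(none)'}")
```

Every ID that lands in an exception list becomes a workpaper item: the shared account with no individual owner fails the unique-ID test outright, the enabled account of a terminated employee is a D.6 exception even though the termination is two months old, and the privileged list is the population for which D.7 asks about activity monitoring. Disabled accounts are excluded from the age and termination tests because the control has already operated on them.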
E. Systems Development and Documentation Controls

E.1 Obtain an understanding of the systems development, maintenance, and change management processes.

E.2 Assess the written procedures (in the overall policies and procedures manual) outlining the steps followed to modify systems. Ensure these procedures require: proper approval to implement program changes; appropriate documentation describing the nature and logic of proposed changes; a proper methodology for testing, debugging, and approving all changes on a test system before implementing the changes in production systems; and a log of all system enhancements and modifications.

E.3 Assess the training for security of online applications, its appropriateness for applicable personnel, and the extent to which it is integrated with the building, maintenance, testing, implementation, and use of online systems processing sensitive and protected information.

E.4 Assess the methodology for approving and developing new application systems. Ensure the methodology applies to all types of systems.

E.5 Assess the Systems Development Life Cycle as practiced by personnel. Consider the following:
a. User participation and sign-off
b. Acceptance testing
c. Proper review and approval at the completion of key stages in the development process, and documentation requirements

E.6 Select a sample of systems in the development life cycle process and review the development documentation to assess compliance with the SDLC methodology.

E.7 Review the IT change management processes and procedures to ensure the following critical functions are performed:
a. All changes to programs, files, and devices require written authorization before they are implemented
b. All changes go through a single control point
c. Only specified personnel are authorized to approve and apply changes
d. Users accept the change, via sign-off, prior to implementation of any change in production
e. Documentation of all changes clearly identifies the trail from initiation through every step, including post-change acceptance
f. Processes are in place to reach agreement on the priority of change requests
g. Changes are implemented into the production environment by personnel not responsible for making the changes (segregation of duties)
h. Procedures are in place for emergency changes

E.8 Select a sample of recent program changes and review the change documentation for compliance with application program change procedures.

E.9 Assess the procedures in place to routinely test for unauthorized or undocumented program changes (e.g., by comparison of the working program to the approved code).

E.10 Evaluate the separation of the test environment from production systems and data, and ensure changes are thoroughly tested and approved prior to moving the changed code into the production environment.

E.11 Review the application program change turnover procedures performed by the independent group responsible for implementing application changes into the production environment.

E.12 Assess the emergency change procedures and whether emergency changes are migrated through accepted channels to enable management review and approval of the change.

E.13 Select a sample of emergency program changes and assess compliance with established procedures.

E.14 Assess the procedures for making routine data changes (e.g., updates to application programs or tables).

E.15 Assess whether programming standards include naming conventions and coding conventions.

E.16 Identify the software package (e.g., CA-Librarian) on the processing system that provides security over production libraries for source programs, JCL, and other files.
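The following is an added example and is not part of the CHIL Global audit program. It shows the comparison test that E.9 describes, the working program checked against the approved code, done as a file-hash baseline: a manifest of SHA-256 digests is taken from the approved release, and the production libraries are re-hashed at audit time to list what was modified, added, or removed without a matching change record. The directory layout, file names and contents are constructed for illustration; the same routine runs unchanged over a real production library path.

```python
"""Added example (not part of the CHIL Global audit program): hash-baseline
comparison in support of procedure E.9. Paths and file contents below are
constructed for illustration."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large load modules need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(approved, current):
    """Classify differences between the approved manifest and the live one.

    'modified' is the E.9 population of changes that need a matching approved
    change record; 'added' files had no approval at all; 'missing' files point
    to an incomplete deployment or an undocumented deletion."""
    return {
        "modified": sorted(k for k in approved if k in current and approved[k] != current[k]),
        "added": sorted(set(current) - set(approved)),
        "missing": sorted(set(approved) - set(current)),
    }


def demo():
    """Build a constructed approved release, baseline it, simulate production
    drift, and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "prod"
        (prod / "lib").mkdir(parents=True)
        # Constructed contents of the approved release.
        (prod / "payroll.cbl").write_text("PROCEDURE DIVISION.\n  COMPUTE NET = GROSS - TAX.\n")
        (prod / "lib" / "rates.tbl").write_text("FED,0.22\nSTATE,0.05\n")
        (prod / "run_payroll.jcl").write_text("//PAYROLL JOB\n//STEP1 EXEC PGM=PAYROLL\n")
        # In practice the manifest is taken at approval time and kept read-only,
        # outside the reach of the people who can deploy (see E.7 g).
        approved = build_manifest(prod)

        # Simulated drift found on the production system at audit time.
        (prod / "payroll.cbl").write_text("PROCEDURE DIVISION.\n  COMPUTE NET = GROSS.\n")
        (prod / "hotfix.cbl").write_text("* undocumented emergency fix\n")
        (prod / "lib" / "rates.tbl").unlink()

        return compare_to_baseline(approved, build_manifest(prod))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Each entry in the result is reconciled to the change log reviewed in E.8: a modified or added file with no approved change record is the unauthorized or undocumented change that E.9 is looking for, and the emergency-change sample in E.13 should account for any "hotfix" that appears here. The baseline is only as trustworthy as its custody, so it must be produced from the approved build and stored where the deploying group cannot rewrite it.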
F. Hardware and System Software Controls

F.1 Identify the functions and individuals responsible for the hardware and system software controls built into IT systems, including:
a. Self-diagnosis
b. Regular maintenance
c. Echo check
d. Duplicate process check
e. Parity check

F.2 Assess the processes to identify and address errors that may occur in operating systems and system software:
a. Logic errors before the operational stage
b. Coding errors detected during the program's testing (debugging) stage
c. Modifications, which can occur at any time, even while processing. If not handled properly, program modifications can produce unexpected operations and invalid output and data.
d. Make inquiry of any unauthorized program modifications (the most serious type of software error). Assess the completeness of the records kept of all modifications, and the records of any post-modification debugging.

G. Computer Operations (Job Scheduling)

G.1 Determine through inquiry the process for scheduling production batch processing. Ensure user authorization of all changes to the production schedule. Select a sample of changes and review them for compliance with the scheduling procedures.

G.2 If an automatic scheduler is not used, determine how production processing is controlled.

G.3 Determine how the computer operator ensures production processing completes properly.

G.4 Identify the various output media in use and assess the processes for distribution of production processing output to users. Ensure sensitive data is properly controlled.

H. Backup / Recovery

H.1 Review the Business Continuity Plan and Disaster Recovery Plan and ensure the systems and communications backup and recovery procedures are appropriately integrated in the plan.

H.2 Ensure full and incremental backups are performed on a regular basis. Assess the frequency of backups and determine through inquiry and review of documentation whether all files and programs are backed up properly. Ensure on-line transaction journals are backed up to provide recovery of transactions that update the databases.

H.3 Review the description of the backup and archiving system(s).

H.4 Assess the procedures to ensure backup copies of systems, programs, and data files are rotated to a secure offsite storage location on a scheduled basis. Assess the procedures for verifying the inventory of the backup data.

H.5 Identify the media and processes involved in backup and recovery and assess their effectiveness. If a tape management system (TMS) is part of the processing system and provides an inventory of tapes by location, observe that tapes maintained offsite are properly segregated on the TMS.

H.6 Review the results of system recovery testing to ensure a successful test was performed and documented within the prior twelve months.

I. Business Continuity Planning and Disaster Recovery

I.1 Review the business continuity and resumption plans. Through discussions with management and review of the plans, determine whether they are current and include the necessary key components.

I.2 Review the documentation of the results of the most recent test of the business resumption plan and determine the dates of prior tests. Document the frequency and success of the tests. If the plan has not been tested, inquire as to the plans for testing.

I.3 Assess IT management's plans for, and role in, assuring business continuity and the recovery of IT resources. Determine whether the plan includes recovery of IT at a vendor site and review the service agreement.

I.4 Evaluate the disaster recovery plan for the IT division. Ensure application recovery is based on risk (applications most critical to the organization are recovered first).

I.5 Evaluate the recovery service vendor agreement(s) to ensure they provide adequate infrastructure to recover the organization's IT resources and operations. Ensure telecommunications are included and covered during testing.

I.6 Review the results of recovery testing of IT operations at the vendor site(s). Ensure tests were successfully completed and the results documented.

J. Telecommunications

J.1 Review technical configurations, charts, schematics, and network diagrams (internal and external network infrastructure).

J.2 Review documentation regarding approved remote communication channels, mechanisms, protocols, and standards (i.e., extranet, VPN, SSH, FTP, Wi-Fi, etc.). Where FTP is an approved channel, note that it carries credentials and data in cleartext.

J.3 Review procedures for setting up, securing, and managing networked workstations and portable and mobile devices. Assess the security of the procedures for monitoring, adding, removing, and configuring all devices on the network.

J.4 Review the description of the messaging architecture, authentication, encryption methods, and auditing / logging.

J.5 Determine whether telecommunications provide a reliable and secure environment. Consider load balancing devices, redundant systems, and alternate procedures for the continuation of telecommunication operations.

J.6 Determine whether EDI (Electronic Data Interchange) is utilized. If so, evaluate the security and authentication of the interchange.
