
Internal Audit Services

Credit Card Security Audit Program


“PROJECT NAME”

Background/Purpose
The purpose of this audit program is to identify specific audit procedures to be performed in
conjunction with our review of the controls in place to safeguard the confidentiality of customer
credit card information stored in databases or application software administered by company
personnel. We will review our findings with the legal department to ascertain our legal risk
associated with storage of this customer data.

Procedures                                          Workpaper Ref.    Performed by

Planning
1) Develop an inventory of all operations that accept credit cards
for payment of receivables.
2) Develop a questionnaire to use for interviews of IT and operation
managers for all such businesses. Review questionnaire with legal
department to ensure all areas of risk are targeted for questions.

Field Work
1) Interview Operations Managers regarding different systems
credit card data is stored on.
2) Interview IT Managers responsible for safeguarding this
information regarding controls in place to protect customer credit
card information in the various locations.
3) Obtain a list of employees with access to customer credit card
information on the various systems.
4) Interview IT Manager responsible for firewall protection to
understand firewall controls.
5) Review findings with the legal department to assess our legal risk.

Questionnaire

Risk from Outside Access:

Firewall
1) a) When was the last time an external audit was
conducted to review the effectiveness of the firewall?
b) What were the results?
c) What is the implementation status of any action items?
2) Is there a process in place to monitor and follow up on
security breaches?
3) Is there any on-going internal or external testing of
firewall effectiveness? How often? Who is copied on
test results?

Contributed April 15, 2002 by Tom_Clarke@bose.com

Risk from Unauthorized Internal Access / Use of Information:


1) Is the need to keep customer credit card information
secure clearly documented and communicated to
internal personnel with access to the information? Is
there a policy stating where the data can be saved and
how it can be used?
2) Walk me through all of the systems a customer’s credit
card information is stored on, starting from the front end
system that takes the order. Is the data passed on to the data
warehouse? To Siebel? To systems other than SAP?
3) Is there a list of who has access to credit card
information in the various systems? Where in each
system is the credit card data stored? Does everyone on
the list need to see the credit card information to
complete their job assignments?
4) Is there a process in place to periodically monitor
access rights for those with access to credit card
information in the front end and transaction system
(SAP)?
5) Is it possible for a user to download credit card
information from a source system (e.g., SAP, Edge) to a
PC? Are there user restrictions or access permissions in
place to prevent this for those who do not need it for
their jobs?
6) Through what process is our credit card data
transmitted to our credit card processor? What steps
are taken to ensure this transmission is secure?
7) Does our contract with our processor limit or negate
our liability should the processor’s database be
compromised by a third party?
8) Does our processor send any credit card information
back to us when we receive cash from them? What
steps are taken to ensure this data is secure?
9) Is credit card information stored in a central location in
any of our systems such that an individual could query
that location and retrieve numerous customer card numbers?
10) Walk me through the controls in place in each system
to prevent unauthorized access to credit card
information.
11) Who has access to “back end” data repositories where
credit card information is stored? Is there a process to
monitor queries? Is the monitoring process used?

12) Is the entire credit card number available in the “back
end” repositories? Is it necessary to have the entire
number? What other personal information is stored
there (e.g., social security numbers, phone numbers)?
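Questions 9 and 12 above ask whether a single query against a back-end repository returns full card numbers, and whether the full number is even needed there. An auditor can test that directly instead of relying on the interview answer: pull a sample export from the repository and scan every field for Luhn-valid card numbers, recording only a masked form of each hit in the workpapers. The script below is an added example for this audit program, not part of the original document or of any system it names; the "orders" export, its column names, the customer names and phone numbers are constructed, the card numbers are the public Visa and American Express test numbers, and keeping only the last four digits is the masking convention assumed here.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run.  Runs of 20+ digits are
# skipped on purpose to keep noise from IDs and hashes down.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers; filters out order IDs,
    phone numbers and other digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return all Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits (assumed convention), the form a
    repository should hold when the full number is not needed (question 12)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_rows(rows: list) -> list:
    """Scan every field of every exported row.  Returns
    (row index, field name, masked PAN) for each full card number found,
    so the finding can be documented without copying the number itself."""
    hits = []
    for i, row in enumerate(rows):
        for field, value in row.items():
            for pan in find_pans(str(value)):
                hits.append((i, field, mask_pan(pan)))
    return hits


def fields_with_pans(rows: list) -> list:
    """Which columns actually hold full card numbers, i.e. where in the
    system the data is stored (questions 3 and 12)."""
    return sorted({field for _, field, _ in scan_rows(rows)})


# Constructed sample: what a query against a hypothetical warehouse
# "orders" table might return.  Card numbers are the public Visa and
# Amex test numbers; names, order IDs and phone numbers are made up.
SAMPLE_EXPORT = [
    {"order_id": "1234567890123", "customer": "A. Example",
     "card": "4111 1111 1111 1111", "phone": "617-555-0100"},
    {"order_id": "1234567890124", "customer": "B. Example",
     "card": "************0004", "phone": "617-555-0101"},     # already masked
    {"order_id": "1234567890125", "customer": "C. Example",
     "card": "3782-822463-10005", "notes": "ssn on file 123-45-6789"},
    {"order_id": "1234567890126", "customer": "D. Example",
     "card": "4111111111111112", "phone": "617-555-0103"},     # fails Luhn
]

if __name__ == "__main__":
    for row, field, masked in scan_rows(SAMPLE_EXPORT):
        print(f"row {row}: full card number in field '{field}' -> {masked}")
    print("fields holding full PANs:", fields_with_pans(SAMPLE_EXPORT))
```

Run against the constructed export, the scan flags rows 0 and 2 (the two valid card numbers) and ignores the already-masked value, the 13-digit order IDs, the phone numbers and the social security number, because none of them pass the length and Luhn filters. The same scan run over a free-text field such as "notes" is a useful check for question 12's follow-up about other personal data sitting in the same repository.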
