
System & IT Audit

Agenda
• Coverage of System & IT Audit
• Information Criteria
• The Map
• Offsite Monitoring
• On Site Inspection
Audit Coverage
By Processes:
• IT Planning & Organization
• Data Center Management
• Acquisition & Implementation
• Manage Infrastructure
• Project Management

By IT Resources:
• Hardware & Operating System
• Software
• Network Communication
• People
• Data
Information Criteria
To judge IT performance:
• Confidentiality / Security
  concerns the protection of sensitive information from unauthorized disclosure.
• Integrity
  relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
• Availability & Reliability
  relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
• Effectiveness & Efficiency
  deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner. It also concerns the provision of information through the optimal (most productive and economical) use of IT resources.
• Compliance
  deals with complying with those laws, regulations and contractual arrangements to which the business process is subject.
IT Resources
1. Data
1.1. Current Account
1.2. Saving
1.3. Time Deposit & CoD
1.4. Loan
1.5. Credit Card
1.6. CIF

2. People
2.1. Programmer
2.2. Project Manager
2.3. Operation Manager
2.4. Operation Do-er

3. Facilities
3.1. Building
3.2. UPS
3.3. Generator
3.4. AC
3.5. Extinguisher

4. Application
4.1. SIBS
4.2. Middleware
4.3. Mosaic
4.4. ATM
4.5. NPA
4.6. NA
4.7. NG@
4.8. Equation
4.9. Eximbills
4.10. Efficient
4.11. RTGS
4.12. SWIFT
4.13. SAP
4.14. SQL Database

5. Technology
5.1. AS/400
5.2. PC Server (Data Center)
5.3. Network Device
5.4. Internal Network Connection
5.5. External Network Connection
5.6. Security Device
5.7. Branch Server
5.8. ATM
5.9. Printer
The Map (diagram: a cube with three axes)
• Criteria: Confidentiality / Security, Integrity, Availability & Reliability, Effectiveness & Efficiency, Compliance
• IT Resources: Data, Technology, Facilities, Application System, People
• Processes: IT Processes, Sub Processes, Activities
Auditable Unit / Object
• ITOG
• ISDG
• EDG
• OPRG
• CSM
• Pacomnet
• Infomedia Nusantara
• Data Integrity
Process coverage by auditable unit (columns: ITOG, ISDG, CSM, EDSG, OPRG, IN, Pacomnet, Data Integrity)
1. IT PLANNING & ORGANIZING
1.1. Determine IT Strategic Plan
1.2. Determine IT Architecture
1.3. Manage Human Resources
1.4. Assess Risk
1.5. Determine IT Policy & Procedures
1.6. Manage IT Investment
1.7. Manage IT Quality
2. DATA CENTER MANAGEMENT
2.1. Console Operation
2.2. Backup Activity
2.3. Physical Security
2.4. Problem Handling
2.5. Manage Data
2.6. Housekeeping/Purging
3. MANAGE INFRASTRUCTURE
3.1. Manage Hardware
3.2. Manage Network & Communication
3.3. Manage PC & End User Computing
3.4. Contingency Planning
3.5. Manage IT Environment
3.6. Manage Internet & Intranet Facilities
4. ACQUISITION & IMPLEMENTATION
4.1. Hardware Acquisition
4.2. Software Acquisition
4.3. Manage Outsource Solution
5. DATA INTEGRITY
5.1. Current Account
5.2. Saving
5.3. Time Deposit & CoD
5.4. Loan
5.5. Credit Card
5.6. CIF
Judging Methods:
• On Site Inspection
  - Risk Assessment
  - SAQ
  - Audit Program
  - Fieldwork
  - Report
• Off Site Monitoring (monthly)
  - SLA Report
  - Help Desk Report
  - RQM Report
  - Program Installation Report
  - Operating Plan Report
  - Project Report
  - Internal Memo
  - Meeting Minutes
  - Etc.
Executive Summary:
• Significant Issue
• Significant Finding, e.g. Data Center Management, Manage Infrastructure, System Development, etc.
Residual Risk of IT: Key Performance Indicator
Rows (processes): IT Planning & Organizing, Computer Operation, System Development, Manage Infrastructure, Project Management, Technology, Application, People, OVERALL
Columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | Off Site Monitoring | On Site Inspection
Note: Offsite monitoring


IT Planning & Organizing
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Determine IT Strategic Plan
• Determine IT Architecture
• Communicate management aims & directions
• Manage human resource
• Ensure compliance with external requirement
• Assess risk
• Determine IT Security Policy
• Determine Outsourcing Strategy
Computer Operation
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Console Operation
• Back up Activity
• Physical Security
• Logical Security
• Problem Handling
• Manage performance & Capacity
• Program Installation
• Manage service availability
• Manage Supporting peripherals
System Development
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Define SOR
• Feasibility studies
• System analysis & design
• Internal program development
• Manage Third Party Program Development
• System integration test
• Manual development (UIM)
• Training
• UAT
• Conversion
• System implementation / Change Management
• Procurement & acquisition
• Technical documentation
Manage Infrastructure
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Manage 3rd Party Service (Network Service Provider & Hardware Vendors)
• Capacity Analysis
• Manage Intranet Facilities
• Procurement & Acquisition
• Contingency Plan
• Installation Management
• Manage user-id & ip address
• Manage network security
Project Management
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Project Initiation
• Time Management
• Resources Management
• Controlling & Reporting
Resources
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Hardware & Operating System
• Software
• Network
Determine IT Strategic Plan
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• An IT Strategic Plan exists that is able to support the overall Business Strategic Plan.
• IT Planning is aligned with the IT Strategic Plan.
• Investments made have had their costs and benefits considered.
• IT Projects are aligned with the IT Strategic Plan.
• Achievement of the Operating Plan is managed.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
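The rating grid used on each of the following slides (sub-processes rated on the five information criteria with the scale Excellent / Good / Fair / Poor / Very Poor / Not Applicable, then an OVERALL) can be modelled in a few lines. The example below is added here and is not from the deck or its author. The deck does not say how OVERALL is derived; the roll-up rule used here (the weakest applicable rating decides, Not Applicable cells are skipped) is an assumption chosen as the conservative reading for residual risk. The "Computer Operation" grid is a constructed sample.

```python
"""Added example: model of the on-site rating grid and its OVERALL roll-up.

Assumption (not stated in the deck): OVERALL is the weakest applicable
rating; "Not Applicable" cells are skipped.
"""
from enum import IntEnum

CRITERIA = (
    "Confidentiality & Security",
    "Integrity",
    "Availability & Reliability",
    "Effectiveness & Efficiency",
    "Compliance",
)


class Rating(IntEnum):
    """Ordered so that min() yields the weakest rating."""
    VERY_POOR = 1
    POOR = 2
    FAIR = 3
    GOOD = 4
    EXCELLENT = 5


def parse_rating(label):
    """Map a label from the deck's scale to Rating; 'Not Applicable' -> None."""
    key = label.strip().upper().replace(" ", "_")
    if key == "NOT_APPLICABLE":
        return None
    try:
        return Rating[key]
    except KeyError:
        raise ValueError(f"unknown rating label: {label!r}") from None


def sub_process_overall(row):
    """OVERALL for one sub-process from its per-criterion labels.

    Every criterion must be present (a missing cell is a data error, not N/A);
    N/A cells are skipped; the weakest remaining rating is the OVERALL.
    """
    missing = set(CRITERIA) - set(row)
    if missing:
        raise ValueError(f"missing criteria: {sorted(missing)}")
    ratings = [parse_rating(row[c]) for c in CRITERIA]
    applicable = [r for r in ratings if r is not None]
    return min(applicable) if applicable else None


def process_roll_up(grid):
    """Roll a process's sub-process grid up to a process OVERALL and list the
    sub-processes rated Poor or Very Poor (the residual-risk items an auditor
    would carry into the report). Returns (overall, per_sub_process, residual).
    """
    overalls = {name: sub_process_overall(row) for name, row in grid.items()}
    applicable = [r for r in overalls.values() if r is not None]
    process_overall = min(applicable) if applicable else None
    residual = sorted(n for n, r in overalls.items()
                      if r is not None and r <= Rating.POOR)
    return process_overall, overalls, residual


# Constructed sample: a partially filled "Computer Operation" grid.
COMPUTER_OPERATION = {
    "Console Operation": {
        "Confidentiality & Security": "Good",
        "Integrity": "Good",
        "Availability & Reliability": "Fair",
        "Effectiveness & Efficiency": "Good",
        "Compliance": "Not Applicable",
    },
    "Back up Activity": {
        "Confidentiality & Security": "Fair",
        "Integrity": "Good",
        "Availability & Reliability": "Poor",
        "Effectiveness & Efficiency": "Fair",
        "Compliance": "Good",
    },
    "Physical Security": {
        "Confidentiality & Security": "Excellent",
        "Integrity": "Not Applicable",
        "Availability & Reliability": "Good",
        "Effectiveness & Efficiency": "Good",
        "Compliance": "Excellent",
    },
}

if __name__ == "__main__":
    overall, per_sub, residual = process_roll_up(COMPUTER_OPERATION)
    print("Computer Operation OVERALL:", overall.name)
    for name, r in per_sub.items():
        print(f"  {name}: {r.name if r else 'Not Applicable'}")
    print("Residual-risk items:", residual)
```

With the sample grid the process OVERALL is Poor because one sub-process (Back up Activity) is Poor on Availability & Reliability; a weighted-average rule would hide that, which is why the weakest-wins rule is the safer choice for a residual-risk indicator.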


Determine IT Architecture
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• An IT Architecture direction exists that is able to support all business needs.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Communicate management aims & directions
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• The IT strategic plan, IT Security Policy and IT Security Awareness are communicated continuously.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Manage human resource
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Competent human resources are available.
• Alternates are available and knowledge is spread evenly.
• The number of personnel matches the organisation's needs.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Ensure compliance with external requirement
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Management is always compliant, has a thorough understanding of external regulations / external requirements, and consistently keeps up to date with them.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Assess risk
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• An IT risk assessment is performed that covers:
  - Risk Identification
  - Risk Measurement
  - Risk Cover Action Plan
  - Risk Cover Commitment
  - Risk Cover Evaluation
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Determine IT Security Policy
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• An up-to-date and complete IT Security policy is in place.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Determine Outsourcing Strategy
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Handling of 3rd party services is adapted to business needs.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Console Operation
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• The authority granted to console operators is in line with their job descriptions.
• A dual control process is in place for creating new User IDs.
• Checklists for console operators are available, adequate, and continuously reviewed.
• Training is given to console operators whenever a change is made to the system or process.
• Menu-driven functions and a job scheduler are used.
• A shift mechanism governs the work schedules of console staff.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Back up Activity
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Backup media are stored in a locked secure cabinet.
• Backup media are placed in a secure box during delivery, and a dual control mechanism is applied when opening the box.
• Indicators that show the completeness of backup media are available.
• Routine readability tests are performed.
• Procedures and guidelines for backup activity are available and adequate.
• Storage is orderly and tidy, and backup media are labelled.
• An online mirroring process is utilised.
• Backup cartridges are re-used.
• A risk assessment process determines which objects need to be backed up.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
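Two of the criteria above, a completeness indicator for the backup set and a routine readability test, are mechanical checks that can be automated. The example below is added here and is not from the deck or its author. It models a backup as a manifest (object name, size, SHA-256) written when the backup is taken plus the media contents read back at test time; the manifest format, the library/file names and the in-memory "media" are all constructed for the example, and a `None` entry stands in for a read error on the cartridge.

```python
"""Added example: completeness indicator and readability test for a backup set.

The manifest format and the in-memory media are constructed for this example.
"""
import hashlib


def make_manifest(objects):
    """Record size and SHA-256 of every object at backup time.
    `objects` maps object name -> bytes."""
    return {
        name: {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
        for name, data in objects.items()
    }


def verify_backup(manifest, media):
    """Completeness: every manifest object is on the media and nothing
    unexpected is there. Readability: each object re-reads with the same
    size and digest. Returns a findings dict; empty lists mean pass."""
    findings = {"missing": [], "unexpected": [], "unreadable": []}
    for name, expected in manifest.items():
        if name not in media:
            findings["missing"].append(name)
            continue
        data = media[name]
        if data is None:  # constructed stand-in for a read error on the media
            findings["unreadable"].append(name)
            continue
        digest = hashlib.sha256(data).hexdigest()
        if len(data) != expected["size"] or digest != expected["sha256"]:
            findings["unreadable"].append(name)
    findings["unexpected"] = sorted(set(media) - set(manifest))
    return findings


def backup_is_complete_and_readable(findings):
    """The completeness indicator the audit criterion asks for."""
    return not any(findings.values())


# Constructed sample: objects selected for backup by the risk assessment.
SOURCE = {
    "CIF.LIB/CUSTMAST.FILE": b"customer master records (constructed sample)",
    "LOAN.LIB/LOANMAST.FILE": b"loan master records (constructed sample)",
    "CARD.LIB/CARDTXN.FILE": b"card transactions (constructed sample)",
}
MANIFEST = make_manifest(SOURCE)

# A clean cartridge and a defective one (same size, corrupted content; one
# object never written; a stray scratch file on the media).
GOOD_MEDIA = dict(SOURCE)
BAD_MEDIA = {
    "CIF.LIB/CUSTMAST.FILE": SOURCE["CIF.LIB/CUSTMAST.FILE"],
    "LOAN.LIB/LOANMAST.FILE": SOURCE["LOAN.LIB/LOANMAST.FILE"][:-3] + b"XXX",
    "TMP.LIB/SCRATCH.FILE": b"should not be on the backup media",
}

if __name__ == "__main__":
    for label, media in (("good cartridge", GOOD_MEDIA), ("bad cartridge", BAD_MEDIA)):
        f = verify_backup(MANIFEST, media)
        print(label, "PASS" if backup_is_complete_and_readable(f) else "FAIL", f)
```

Comparing the digest rather than only the size is what turns this into a readability test: the corrupted loan file on the bad cartridge has the right length and would pass a size-only completeness indicator.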
Physical Security
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Access to the computer room is restricted; only authorised persons have access.
• Physical security devices are implemented (finger scan access, proximity card, etc.).
• Unauthorised personnel / visitors who wish to enter computer rooms are monitored and must fill in the log book.
• Environmental hazard protection equipment is in place (e.g. Fire Alarm, Automatic Fire Extinguisher, UPS, Gen set).
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Logical Security
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Access to the computer room is restricted; only authorised persons have access.
• Physical security devices are implemented (finger scan access, proximity card, etc.).
• Unauthorised personnel / visitors who wish to enter computer rooms are monitored and must fill in the log book.
• Environmental hazard protection equipment is in place (e.g. Fire Alarm, Automatic Fire Extinguisher, UPS, Gen set).
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Problem Handling
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Adequate control over the use of powerful functions and utilities (e.g. UPDDTA, QSECOFR).
• Patch programs are tested and reviewed consistently.
• Problem escalation mechanisms are in place, and the responsible unit to which problems should be escalated is clearly stated.
• Standards and procedures for problem handling are available and up to date.
• A unit has been assigned to handle problem management and is known to end users as the single point of contact.
• Problems reported by end users and other sources are logged.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
Manage performance & Capacity
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Procedures and guidelines for maintenance are available.
• Maintenance activities (housekeeping, purging, etc.) are performed consistently.
• Capacity planning for network, hardware and software is performed periodically.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Program Installation
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Dual control in the program promotion/installation process.
• Production and development environments are segregated.
• A dual control mechanism is applied to the promotion process for new software/applications.
• Change Management tools are implemented.
• Standards and procedures that regulate the change management process must be available, e.g. contingency plan, fallback procedure, piloting, or parallel run.
• Program fixes and patch programs are adequately tested prior to promotion to the production environment.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Manage service availability
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• A Service Level Agreement exists between the business units and IT as the service-support party.
• A penalty scheme applies when the service level does not meet the agreement.
• Accurate (automated) system monitoring and periodic reporting of system service levels are in place.
• Contingency Planning procedures are available.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Manage Supporting peripherals
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Supporting peripherals are complete and in ready-to-use condition.
• The capacity of supporting peripherals is proportional to the needs of the existing equipment.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Define SOR
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Clear policies and procedures cover the process flow, the responsible party, and the deliverables of each stage of SOR preparation.
• A formal request exists for every change / fix / development to be carried out.
• The change, development or fix to be carried out is identified, including its category, priority and emergency status.
• The SOR is prepared according to all user requirements, involving all related units that have adequate competence, within an appropriate time frame.
• An approval mechanism exists for changes to the SOR.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
Feasibility studies
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• A thorough, good-quality technical review process covers application security and the compatibility of the selected solution with existing applications and existing hardware.
• Project developments / changes must be in line with the IT Operating Plan / Business Operating Plan.
• The feasibility study / technical review considers configuration management, capacity, performance and other related aspects, and is set out in a formal document.
• Formal information exists on equipment needs and the reasons for purchasing, leasing, trading in or upgrading equipment, or for using third-party services.
• Cost-benefit analysis, break-even point, target market, etc. are performed, and the results must be approved by the relevant management.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
System analysis & design
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• An analysis & design output document, the FSD (Functional Specific Design), exists.
• Analysis & design is performed against the SOR requirements, considers all related existing applications, and is set out in a written document; the process is completed within an adequate time frame.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Internal program development
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Program development is carried out based on the analysis & design results.
• Program development is based on the program analysis & design results and is completed within the appropriate time frame.
• Programmers have adequate skills / knowledge of the application to be developed.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Manage Third Party Program Development
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• A cooperation agreement (PKS) exists that has been approved by both parties and has received a legal opinion.
• A complete SLA exists, with penalties based on clear and easily measured criteria.
• Object authority is restricted for vendors that access the system, especially application developers.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


System integration test
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• SIT has been performed thoroughly on the developed program and on its interfaces with other applications.
• Complete, good-quality test scenarios and expected test results exist.
• The Quality Assurance / Quality Control function operates well throughout the SIT process.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Manual development (UIM)
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• The UIM is produced in an adequate and easily understood presentation.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Training
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Training on developments/changes is given by the vendor to IT and by IT to users.
• Training is delivered with a strategy and delivery method that users find easy to understand, e.g. classroom sessions, hands-on, comprehension evaluation/tests, etc.
• Feedback on trainees' understanding is collected.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


UAT
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• UAT is actually performed thoroughly according to the SOR, by competent users, in an environment that reflects the production environment.
• Complete, good-quality test scenarios and expected test results exist.
• Testing of all user requests has been carried out successfully, so that every program error can be detected.
• An up-to-date UAT library is available.
• The QA function operates well in the UAT process.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Conversion
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• A unit is responsible for data storage both during conversion testing and during the actual conversion.
• Conversion strategy documentation exists that covers all items to be converted.
• The conversion strategy includes data proofing, proofing of expected results, go/no-go criteria, and a fallback plan.
• All related parties understand the conversion strategy, the data proofing strategy, the expected-result proofing, the go/no-go criteria, and the fallback plan.
• The conversion is actually performed thoroughly and correctly with the help of tested programs.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


System implementation / Change Management
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Tools exist for performing change management.
• A standard security setup applies to the change management tools, especially regarding user authority.
• Access is separated between development, UAT and production staff.
• An approval mechanism exists for installing programs/object files, from the development stage through system / program changes up to production.
• Detailed handling steps exist for when an implementation fails (fallback procedure / contingency plan), and an implementation strategy such as piloting or parallel run is in place.
• Internal controls ensure that the change/development made is correct and that distribution is carried out correctly, in an integrated manner and at the right time, including a change log that serves as the audit trail for tracing back.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
Procurement & acquisition
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Product / application purchases genuinely fit their purpose, at an optimal / fair cost, can be used sustainably, and have received input from other related parties with adequate competence.
• Evaluation results for the selected vendor and references on the vendor / third party exist.
• The application or equipment to be purchased is evaluated / tested and benchmarked against other parties.
• Clear order specifications and delivery times, payment schedules, and the tasks of both parties exist.
• The equipment to be used is tested.
• A clear mechanism exists for requesting the procurement of goods and services through to payment, covering budget expenditure requests, expenditure approvals, and invoices / payment claims.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
Technical documentation
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• A complete Technical Specification Design (TSD) exists that is always kept up to date, presented adequately and easy to understand.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Manage 3rd Party Service (Network Service Provider & Hardware Vendors)
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• A non-disclosure agreement clause is included in the cooperation agreement.
• An SLA is applied to third parties and its achievement is monitored periodically; it contains clear and easily measured penalty provisions.
• An adequate problem-handling mechanism exists.
• A contingency procedure / backup exists.
• A cooperation agreement (PKS) exists that has been approved by both parties and has received a legal opinion.
• Tendering is performed consistently each time third-party services are to be used.
• A Maintenance Agreement exists for purchased equipment.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
Capacity Analysis
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Capacity planning is performed in line with business requirements.
• Usage / utilisation of existing capacity (network bandwidth, storage, etc.) is monitored consistently.
• The monitoring results are evaluated periodically.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Manage Intranet Facilities
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Standards and a security policy & procedures govern the use of intranet facilities.
• A system administrator function monitors intranet usage.
• Security awareness among intranet users is actively promoted.
• Tracking / audit trail media exist for the use of intranet facilities.
• Antivirus updates are performed consistently.
• Security devices are installed on connections to the public network.
• A strategy exists to maintain the quality of the production network from the branches.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
Installation Management
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Procedures and a strategy exist for installation activities, e.g. testing in the development environment first.
• An adequate standard security setup exists for installed applications (OS/400, Windows NT, Windows 2000, SQL Database, etc.).
• Installations are always accompanied by a fallback procedure / contingency plan / piloting / parallel run.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Procurement & Acquisition
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• A feasibility study / technical review is performed before purchase.
• Tendering is performed for the use of third-party products/services.
• A dedicated committee reviews every procurement activity.
• A budget custodian function exists.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Contingency Plan
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Adequate backup equipment is available based on the results of the risk assessment, so that the investment made is balanced against the risk to be covered.
• A schedule exists for periodic testing of the backup facilities; tests are carried out consistently and documented in a formal test report (Berita Acara).
• A contingency plan procedure (BRP) exists covering guidance for applying the contingency plan, emergency procedures, recovery procedures and communication procedures.
• Officers / responsible persons have been appointed for a 'disaster' condition, e.g. organisation, persons to be contacted, problem escalation, business priorities, startup process, etc.
• Crisis conditions are classified, including the business priorities to be carried out or the minimum business impact in a disaster condition.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
Manage user-id & ip address
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• An adequate procedure exists for registering user-ids and IP addresses, applying dual control.
• An audit trail exists for every user-id and IP address registration activity.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
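The two criteria above (dual control on user-id / IP address registration, and an audit trail for every registration) and the Console Operation criterion of dual control for creating new User IDs are verifiable from the registration trail itself. The example below is added here and is not from the deck or its author: it reads a CSV-style trail of registration events and flags every event that lacks an independent checker, then compares the trail against the current register to find user-ids or addresses that were registered with no trail entry. The trail layout (maker/checker columns), the operator names and the sample records are all constructed for the example.

```python
"""Added example: dual-control and audit-trail checks over a constructed
user-id / IP address registration trail.

The CSV layout, the operator names and every record are constructed.
"""
import csv
import io

# Constructed trail: one row per registration event. An empty checker
# means nobody approved; maker == checker means self-approval.
TRAIL = """\
event_id,timestamp,action,object,maker,checker
1001,2024-03-04T09:12:00,CREATE_USERID,JSMITH01,opr_andi,spv_rina
1002,2024-03-04T09:30:00,REGISTER_IP,10.20.30.41,opr_andi,
1003,2024-03-04T10:02:00,CREATE_USERID,JDOE02,opr_budi,opr_budi
1004,2024-03-04T10:15:00,REGISTER_IP,10.20.30.42,opr_citra,spv_rina
"""

# Constructed current register (user-ids and addresses actually in use).
REGISTERED = ["JSMITH01", "JDOE02", "KLEE03", "10.20.30.41", "10.20.30.42"]


def parse_trail(text):
    """Parse the trail into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def dual_control_violations(events):
    """One finding per event that lacks dual control: no checker, or the
    maker approved their own request. Returns (event_id, object, reason)."""
    findings = []
    for ev in events:
        maker = ev["maker"].strip()
        checker = (ev["checker"] or "").strip()
        if not checker:
            findings.append((ev["event_id"], ev["object"], "no checker approval"))
        elif checker == maker:
            findings.append((ev["event_id"], ev["object"], "maker approved own request"))
    return findings


def trail_gaps(events, registered_objects):
    """Objects present in the register but with no registration event in the
    trail: these were created outside the procedure (or the trail is
    incomplete), which is what the audit-trail criterion is meant to catch."""
    logged = {ev["object"] for ev in events}
    return sorted(set(registered_objects) - logged)


if __name__ == "__main__":
    events = parse_trail(TRAIL)
    for finding in dual_control_violations(events):
        print("DUAL CONTROL:", *finding)
    for obj in trail_gaps(events, REGISTERED):
        print("NO TRAIL ENTRY:", obj)
```

The same two checks apply unchanged to the promotion approvals in Program Installation if that trail carries maker and checker columns; the point of keeping maker and checker as separate identities in the record is that self-approval becomes a string comparison rather than an interview question.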


Manage network security
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Network security devices (firewall, IDS) are applied to third-party and public connections.
• Logs / audit trails exist for network activity, and these logs / audit trails are reviewed consistently.
• An adequate standard security setup exists for network devices.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Project Initiation
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Policies and procedures govern the project development process.
• Management approval exists for submitted project proposals; a proposal includes, among other things:
  - Cost Benefit Analysis
  - Break Even Point Analysis
  - Target Market Analysis
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Time Management
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• A project plan describes the project work plan from start to finish.
• An exception report exists for every delay.
• Corrective action on project progress is taken when delays occur.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Resources Management
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• A project organisation structure exists.
• Qualification standards exist for the Project Manager position.
• Every staff member has a job description.
• Staff deployment is aligned with competence standards.
• Resource usage is evaluated, and an action plan exists for the constraints found.
• Assignment commitment / prioritisation is in line with project needs.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Controlling & Reporting
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Management review takes place at every project stage.
• All meeting minutes are well documented.
• Periodic project status/progress reports are given to management.
• Periodic reports of budget and actuals are produced.
• Pre/Post Implementation Review activities take place.
• All stakeholders in the project sign off on the implementation carried out.
• Routine coordination meetings are held.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
Software
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• The adequacy of the implemented security features is analysed.
• The security implementation is reviewed periodically.
• Media exist for reconciliation / proofing.
• A comprehensive, good-quality backup strategy exists.
• Fine tuning / optimisation of the software is performed.
• The software is able to support business needs to the maximum.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Hardware & Operating System
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• OS setup policies and procedures, including a complete and comprehensive Security Setup, are available and managed according to international best practice.
• Functions are separated between the units involved in routine machine maintenance (console vs. sysadmin).
• Separate areas exist for development, UAT and production.
• Use of highly privileged user IDs (QSECOFR, DATA, DBA) is clearly assigned and covered by an audit trail.
• Access rights for maintenance personnel are defined.
• Up-to-date antivirus software is used.
• Insurance cover has been taken out for equipment, both production and backup/contingency equipment.
• Hardware capacity is used optimally.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
Network
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• A non-disclosure clause is included in the cooperation agreement with CSM, and an SLA (with penalties) applies.
• Encryption and MACing mechanisms are applied to the transmission of sensitive data.
• Production and development communication segments are separated.
• Network security devices (Firewall, IDS) filter and detect incoming transmissions from the public network and from third parties.
• Source and destination IP addresses of transmissions are registered on the Bank Niaga routers.
• Backups exist for communication network devices (routers, modems).
• Capacity analysis is performed periodically.
• A network problem-handling mechanism exists.
• A contingency plan / contingency procedures exist.
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
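The Network criterion that source and destination addresses are registered on the routers, together with the Manage network security criterion that network logs are reviewed consistently, suggests one concrete review: every accepted flow in the log should match a registered source/destination pair, and anything else is a finding. The example below is added here and is not from the deck or its author. The log line format, the register of permitted address pairs and all addresses are constructed for the example (the register is a list of network pairs; the deck does not describe its real format).

```python
"""Added example: review a network activity log against a register of
permitted source/destination address pairs.

Log format, register format and all addresses are constructed.
"""
import ipaddress

# Constructed register: (source network, destination network, purpose).
REGISTER = [
    ("10.20.0.0/16", "10.1.1.10/32", "branches -> core banking host"),
    ("192.0.2.0/24", "10.1.5.20/32", "third-party gateway -> middleware"),
]

# Constructed firewall/router log: one flow decision per line.
LOG = """\
2024-03-04T09:00:01 ACCEPT src=10.20.3.15 dst=10.1.1.10 dport=23
2024-03-04T09:00:05 ACCEPT src=192.0.2.77 dst=10.1.5.20 dport=443
2024-03-04T09:01:10 ACCEPT src=198.51.100.9 dst=10.1.1.10 dport=23
2024-03-04T09:02:44 DROP src=203.0.113.4 dst=10.1.1.10 dport=22
2024-03-04T09:03:00 ACCEPT src=10.20.9.8 dst=10.1.9.9 dport=445
"""


def parse_log(text):
    """Parse 'timestamp VERDICT key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, verdict, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": ts, "verdict": verdict, **fields})
    return events


def compile_register(register):
    """Turn the textual register into ip_network objects once."""
    return [(ipaddress.ip_network(src), ipaddress.ip_network(dst), why)
            for src, dst, why in register]


def is_registered(src, dst, compiled):
    """True when some register entry covers both endpoints of the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net, _ in compiled)


def review(events, register):
    """Accepted flows whose endpoints are not a registered pair. Dropped
    flows are already handled by the device and are not findings here."""
    compiled = compile_register(register)
    return [ev for ev in events
            if ev["verdict"] == "ACCEPT"
            and not is_registered(ev["src"], ev["dst"], compiled)]


if __name__ == "__main__":
    for ev in review(parse_log(LOG), REGISTER):
        print(f"UNREGISTERED ACCEPT {ev['ts']} {ev['src']} -> {ev['dst']}:{ev['dport']}")
```

On the sample log two accepted flows are flagged: one from an address outside every registered source network, and one from a registered branch range to a destination that is not registered at all. The second case is the one a source-only check would miss, which is why the register is keyed on the pair.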
Offsite Monitoring: Computer Operation
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Console Operation
• Back up Activity
• Physical Security
• Problem Handling
• Manage performance & Capacity
• Program Installation
• Manage service availability
• Manage Supporting peripherals
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
Offsite Monitoring: System Development
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Define SOR
• Feasibility studies
• System analysis & design
• Internal program development
• Manage Third Party Program Development
• System integration test
• Manual development (UIM)
• Training
• UAT
• Conversion
• System implementation / Change Management
• Procurement & acquisition
• Technical documentation
Offsite Monitoring: Manage Infrastructure
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Manage 3rd Party Service (Network Service Provider & Hardware Vendors)
• Capacity Analysis
• Manage Intranet Facilities
• Procurement & Acquisition
• Contingency Plan
• Installation Management
• Manage user-id & ip address
• Manage network security
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable
Offsite Monitoring: Project Management
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Project Initiation
• Time Management
• Resources Management
• Controlling & Reporting

Current big projects:
• SICS
• Dual Data Center
• FAPG
• Loan Origination, etc.

Additional offsite report:
• Status Achievement
• Constraints & Action Plans
• Project Changes (Scope, Time Frame, etc.)
• Audit Point of View (Risk, Impact, etc.)

Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Offsite Monitoring: Software, Hardware & Network
Rating columns: Confidentiality & Security | Integrity | Availability & Reliability | Effectiveness & Efficiency | Compliance | OVERALL
• Software
• Hardware & Operating System
• Network
• Strategic Issues:
  - Major changes to the IT Architecture / IT Blue Print that reduce or improve IT support performance
  - Significant Problem
Scale: Excellent / Good / Fair / Poor / Very Poor / Not Applicable


Thank You
