IT AUDIT

An Overview
Audit & IT AUDIT

The general definition of an audit is an evaluation of a person, organization,

system, process, enterprise, project or product. Audits are performed to ascertain
the validity and reliability of information; also to provide an assessment of a
system's internal control.

The goal of an audit is to express an opinion on the person / organization/system

(etc) in question, under evaluation based on work done on a test basis.

Due to practical constraints, an audit seeks to provide only reasonable assurance

that the statements are free from material error. Hence, statistical sampling is
often adopted in audits. In the case of financial audits, a set of financial statements
are said to be true and fair when they are free of material misstatements - a concept
influenced by both quantitative and qualitative factors.

Audit is a vital part of Accounting. Traditionally, audits were mainly associated

with gaining information about financial systems and the financial records of a
company or a business (see financial audit). However, recent auditing has begun to
include other information about the system, such as information about security
risks, information systems performance (beyond financial systems), and
environmental performance. As a result, there are now professions conducting
security audits, IS audits, and environmental audits.

The Definition for Auditing and Assurance Standard (AAS) 1 by ICAI "Auditing
is the independent examination of financial information of any entity, whether
profit oriented or not, and irrespective of its size or legal form, when such an
examination is conducted with a view it expressing an opinion thereon"
Purpose of Information System Audit:

Information system audit is often described as "the process of collecting and

evaluating evidence to determine whether an information system safeguards
assets, maintains data integrity, achieves organizational goals effectively and
consumes resources efficiently." The audit process is a planned process which is
carried out on test-basis.

The purpose of IS audit is to review and provide feedback, assurances and

suggestions. These concerns can be grouped under three areas which are related to
the systems:

1. Availability:
Will the information systems on which the business is heavily dependent be
available for the business at all times when required? Are the systems well
protected against all types of losses and disasters?

2. Confidentiality:
Will the information in the systems be disclosed only to those who have a need to
see and use it and not to anyone else?

3. Integrity:
Will the information provided by the system always be accurate, reliable, and
timely? What measures are available to ensure that no unauthorized modification
can be made to the data or the software in the system?
Elements of IS Audit
An information system is not just a computer. Today's information systems are
complex and have many components that piece together to make a business
solution. Assurances about an information system can be obtained only if all the
components are evaluated and secured. The proverbial weakest link is the total
strength of the chain. The major elements of IS audit can be broadly classified:
1. Physical and environmental reviewThis includes physical security,
power supply, air conditioning, humidity control and other environmental
factors.

2. System administration reviewThis includes security review of the

operating systems, database management systems, all system administration
procedures and compliance.
3. Application software reviewThe business application could be payroll,
invoicing, a web-based customer order processing system or an enterprise
resource planning system that actually runs the business. Review of such
application software includes access control and authorizations, validations,
error and exception handling, business process flows within the application
software and complementary manual controls and procedures. Additionally,
a review of the system development lifecycle should be completed.

4. Network security reviewReview of internal and external connections to

the system, perimeter security, firewall review, router access control lists,
port scanning and intrusion detection are some typical areas of coverage.

5. Business continuity reviewThis includes existence and maintenance of

fault tolerant and redundant hardware, backup procedures and storage, and
documented and tested disaster recovery/business continuity plan.
6. Data integrity reviewThe purpose of this is scrutiny of live data to verify
adequacy of controls and impact of weaknesses, as noticed from any of the
above reviews. Such substantive testing can be done using generalized audit
software (e.g., computer assisted audit techniques).
IT Audit process
The following are basic steps in performing the Information Technology Audit
Process

1. Planning (Studying and Evaluating Controls)

2. Testing and Evaluating Controls(Using various Checklists )
3. Reporting
4. Follow-up

Planning the IT Audit

Planning the IT audit involves two major steps.

The first step is to gather information and do some planning

The second step is to gain an understanding of the existing internal control
structure.

In a risk-based approach, IT auditors are relying on internal and operational

controls as well as the knowledge of the company or the business. This type of
risk assessment decision can help relate the cost-benefit analysis of the control to
the known risk. In the Gathering Information step the IT auditor needs to
identify the following items:

1. Knowledge of business and industry

2. Prior years audit results
3. Recent financial information
4. Regulatory statutes
5. Inherent risk assessments

In the Gain an Understanding of the Existing Internal Control Structure step, the
IT auditor needs to identify five other areas/items:

Control environment
Control procedures
Detection risk assessment
Control risk assessment
Equate total risk
Gathering Audit Evidence

1. Analytical procedures: Comparing whats on the clients books to whats

expected to be on the books.

2. Confirmations: Asking for independent verification supporting

management declaration.

3. Inspection of records: Asking the company for relevant documents in

support of management declaration.

4. Observation: Watching the clients employees do their jobs to obtain an

understanding of how each job is done.

5. Recalculation: Verifying the mathematical accuracy of your clients

computations.

6. Reperformance: Doing the clients accounting or internal control procedure

to make sure the company is following its own rules.

7. Scanning: Looking over client transactions and taking screen shots

8. Client tour: Checking to make sure all assets shown on the clients balance
sheet exist.
IT audit control reviews (*Details in later part of the handout)

After gathering all the evidence the IT auditor will review it to determine if the
operations audited are well controlled and effective.

The audit deliverable

So whats included in the audit documentation and what does the IT auditor need
to do once their audit is finished. Heres the laundry list of what should be
included in your audit documentation:

Planning and preparation of the audit scope and objectives

Description on the scoped audit area
Audit steps performed and audit evidence gathered
Whether services of other auditors and experts were used and their
contributions
Audit findings, conclusions and recommendations
Audit documentation relation with document identification and dates
(your cross-reference of evidence to audit step)
A copy of the report issued as a result of the audit work

Information technology controls OR IT CONTROLS

Information technology controls (or IT controls) are specific activities

performed by persons or systems designed to ensure that business objectives are
met. They are a subset of an enterprise's internal control.

IT control objectives relate to the confidentiality, integrity, and availability of data

and the overall management of the IT function of the business enterprise.

IT controls are often described in two categories:

IT general controls ITGC and
IT application controls.
IT General Controls (ITGC)

ITGC represent the foundation of the IT control structure. They help ensure the
reliability of data generated by IT systems and support the assertion that systems
operate as intended and that output is reliable. ITGC usually include the following
types of controls:

1. Control Environment, or those controls designed to shape the corporate

culture or "tone at the top."
2. Change management procedures - controls designed to ensure changes
meet business requirements and are authorized.
3. Source code/document version control procedures - controls designed to
protect the integrity of program code
4. Software development life cycle standards - controls designed to ensure
IT projects are effectively managed.
5. Logical Access policies, standards and processes - controls designed to
manage access based on business need.
6. Incident management policies and procedures - controls designed to
address operational processing errors.
7. Problem management policies and procedures - controls designed to
identify and address the root cause of incidents.
8. Technical support policies and procedures - policies to help users perform
more efficiently and report problems.
9. Hardware/software configuration, installation, testing, management
standards, policies and procedures.
10. Disaster recovery/backup and recovery procedures, to enable continued
processing despite adverse conditions.
11. Physical Security - controls to ensure the physical security of information
technology from individuals and from environmental risks
IT Application Controls

IT application or program controls are fully-automated (i.e., performed

automatically by the systems) designed to ensure the complete and accurate
processing of data, from input through output. These controls vary based on the
business purpose of the specific application. These controls may also help ensure
the privacy and security of data transmitted between applications. IT application
controls may include:

1. Completeness checks - controls that ensure all records were processed from
initiation to completion.
2. Validity checks - controls that ensure only valid data is input or processed.
3. Identification - controls that ensure all users are uniquely and indisputably
identified.
4. Authentication - controls that provide an authentication mechanism in the
application system.
5. Authorization - controls that ensure only approved business users have
access to the application system.
6. Input controls - controls that ensure data integrity fed from upstream
sources into the application system.

IT Controls must be put according to these conceptual categories:

Preventive controls, on the other hand, are designed to keep errors or

irregularities from occurring in the first place.

Detective controls are designed to detect errors or irregularities that may

have occurred.

Corrective controls are designed to correct errors or irregularities that have

been detected.
THE U.S. CYBER CONSEQUENCES UNIT (US CCU) CYBER
SECURITY CHECKLIST
Another view on Controls SANS [SysAdmin, Audit, Network, Security]
Was established in 1989 as a cooperative research and education organization. Its
programs now reach more than 350,000 security professionals, auditors, system
administrators, network administrators, chief information security officers, and
CIOs who share the lessons they are learning and jointly find solutions to the
challenges they face. At the heart of SANS are the many security practitioners in
government agencies, corporations, and universities around the world who invest
hundreds of hours each year in research and teaching to help the entire information
security community.

For further reference visit http://www.sans.org

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops,
Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and
Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10.Continuous Vulnerability Assessment and Remediation
11.Account Monitoring and Control
12.Malware Defenses
13.Limitation and Control of Network Ports, Protocols, and Services
14.Wireless Device Control
15.Data Loss Prevention
16.Secure Network Engineering
17.Penetration Tests and Red Team Exercises
18.Incident Response Capability
19.Data Recovery Capability
20.Security Skills Assessment and Appropriate Training to Fill Gaps
IT Audit Approach

1. Planning

Plan the audit, having regard to the particular objectives and scope of the audit
under consideration, deciding where to concentrate their work and on the
allocation of resources.

2. Overview of auditee organizations

Undertake or update an annual overview of the circumstances of the audited body

and evaluate the strength of the control environment. The auditors overview and
evaluation should ensure that the audit is tailored to the circumstances of the
audited body and identify areas meriting particular attention. It should also
facilitate the effective planning of audit work before any detailed checks are
undertaken.

3. Control risk analysis

Take a broad and analytical approach to the work based on the auditors
assessment of control risk and the risk of error in the financial statements.

4. Integrated approach

Have regard to the principle that every individual part of the audit should be
viewed in the context of the whole, or integrated audit. No one part stands alone
and all contribute to the assurance needed to give the auditor a basis for providing
a certificate, opinion and/or report on completion of the audit.

5. Attitudinal approach

Audit work should display a constructive attitude wherever possible. The aim must
be to assist audited bodies and their officers, but auditors must not hesitate to
pursue conclusions even to the point of expressing qualified opinion and its
inclusion in the Comptroller and Auditor-Generals reports.
6. Liaison with the internal audit

Establish effective co-ordination with internal control and internal audit or similar
review units and seek to place reliance on the work of such units wherever
possible.

7. Effective transmission of good practice

Ensure that knowledge of good practice is transferred effectively from one audited
body to another.

8. Professional approach

Carry out audit in a professional manner without undue delay.

9. Reporting on corrective actions

Report to the audited body concerned of the nature and grounds for any concerns
and to encourage them to adopt any corrective action that may be required.

10. Effective follow-up action

Have in place effective reporting and follow-up arrangements to ensure that the
audited body has properly considered any matters identified during the current or
previous audits and, where appropriate, has implemented agreed actions.
IT Audit Checklists

Checklist is a list of features and functions which we can use as baseline for
testing. Using the checklist we can know what the status of each function are and
features like whether its implemented.

ORGANISATION AND ADMINISTRATION

Remarks for each of the question is to be recorded as yes or no

Audit Objective

Does the organization of data processing provide for adequate segregation of

duties?

Audit Procedures

Review the company organization chart, and the data processing department
organization chart.

1 Is there a separate EDP department within the Company?

2 Is there a steering committee and their duties and responsibilities for managing
MIS are clearly defined?
3 Has the Company developed an IT strategy linked with the long and medium
term plans?
4 Is the EDP Department independent of the user department and in particular the
accounting department?
5 Are there written job descriptions for all jobs within EDP department and these
job descriptions are communicated to designated employees?
6 Are EDP personnel prohibited from having incompatible responsibilities or
duties in user departments and vice versa?
7 Are there written specifications for all jobs in the EDP Department?
8 Are the following functions within the EDP Department performed by separate
sections?
System design
Application programming
Computer operations
Database administration
Systems programming
 Data entry and control?

9 Are the data processing personnel prohibited from duties relating to?
Initiating transactions?
Recording of transactions?
Master file changes?
Correction of errors?
10 Are all processing prescheduled and authorized by appropriate personnel?
11 Are there procedures to evaluate and establish who has access to the data in the
database?
12 Are the EDP personnel adequately trained?
13 Are systems analysts programmers denied access to the computer room and
limited in their operation of the computer?
14 Do any of the computer operators have programming knowledge?
15 Are operators barred from making changes to programs and from creating or
amending data before, during, or after processing?
16 Is the custody of assets restricted to personnel outside the EDP department?
17 Is strategic data processing plan developed by the company for the achievement
of long-term business Plan?
18 Are there any key personnel within IT department whose absence can leave the
company within limited expertise?
19 Are there any key personnel who are being over - relied?
20 Is EDP audit being carried by internal audit or an external consultant to ensure
compliance of policies and controls established by management?

PROGRAM MAINTENANCE AND SYSTEM DEVELOPMENT

Audit Objective

Development and changes to programs are authorized, tested, and approved, prior
to being placed in production.

Program Maintenance

Audit Procedures

Review details of the program library structure, and note controls which allow only
Authorized individuals to access each library.

Note the procedures used to amend programs.

Obtain an understanding of any program library management software used.

1 Are there written standards for program maintenance?

2 Are these standards adhered to and enforced?
3 Are these standards reviewed regularly and approved?
4 Are there procedures to ensure that all programs required for maintenance are
kept in a separate program test library?
5 Are programmers denied access to all libraries other than the test library?
6 Are changes to programs initiated by written request from user department and
approved?
7 Are changes initiated by Data Processing Department communicated to users and
approved by them?
8 Are there adequate controls over the transfer of programs from production into
the programmer's test library?
9 Are all systems developed or changes to existing system tested according to user
approved test plans and standards?
10 Are tests performed for system acceptance and test data documented?
11 Are transfers from the development library to the production library carried out
by persons independent of the programmers?
12 Do procedures ensure that no such transfer can take place without the change
having been properly tested and approved?
13 Is a report of program transfers into production reviewed on a daily basis by a
senior official to ensure only authorised transfers have been made?
14 Are all program changes properly documented?
15 Are all changed programs immediately backed up?
16 Is a copy of the previous version of the program retained (for use in the event of
problems arising with the amended version)?
17 Are there standards for emergency changes to be made to application programs?
18 Are there adequate controls over program recompilation?
19 Are all major amendments notified to internal audit for comment?
20 Are there adequate controls over authorization, implementation, approval and
documentation of changes to operating systems?

System Development

1 Are there formalized standards for system development life cycle procedure?
2 Do they require authorization at the various stages of development feasibility
study, system specification, testing, parallel running, post implementation review,
etc.? Do the standards provide a framework for the development of controlled
applications?
4 Are standards regularly reviewed and updated?
5 Do the adequate system documentation exist for:
Programmers to maintain and modify programs?
Users to satisfactorily operate the system?
Operators to run the system?
6 Have the internal audit department been involved in the design stage to ensure
adequate controls exist?
7 Testing of programs.
8 Procedures for authorizing new applications to production - see Program
Maintenance.
9 Are user and data processing personnel adequately trained to use the new
applications?
10 Is system implementation properly planned and implemented by either parallel
run or pilot run?
11 Are any differences and deficiencies during the implementation phase noted and
properly resolved?
12 Are there adequate controls over the setting up of the standing data and opening
balances?
13 Is a post implementation review carried out?
14 Are user manuals prepared for all new systems developed and revised for
subsequent changes?
15 Is there a Quality Assurance Function to verify the integrity and acceptance of
applications developed?

Purchased Software

1 Are there procedures addressing controls over selection, testing and acceptance
of packaged Softwares?
2 Is adequate documentation maintained for all softwares purchased?
3 Are vendor warranties (if any) still in force?
4 Is the software purchased, held in escrow?
5 Are backup copies of user/operations manual kept off-site?

ACCESS TO DATA FILES

Audit Objective
Is access to data files restricted to authorized users and programs?

Access to Data

1 Is there any formal written data security policy? Consider whether the policy
addresses data ownership, confidentiality of information, and use of password.
2 Is the security policy communicated to individuals in the organization?
3 Is physical access to off line data files controlled in:

-site library?
-site library?
4 Does the company employ a full-time librarian who is independent of the
operators and programmers?
5 Are libraries locked during the absence of the librarian?
6 Are requests for on-line access to off line files?
7 Are requests checked with the actual files issued and initialed by the librarian?
8 Are sensitive applications e.g. payroll, maintained on machines in physically
restricted areas?
9 Are encryption techniques used to protect against unauthorized disclosure or
undetected modification
of sensitive data?
10 Are returns followed up and non returns investigated and adequately
documented?

Computer Processing

11 Does a scheduled system exist for execution of programs?

12 Is there a comparison between actual and scheduled processing?
13 Are non-scheduled jobs approved prior to being run?
14 Is the use of utility programs controlled (in particular those that can change
executable code or data)?
15 Are program tests restricted to copies of live files?
16 Is access to computer room restricted to only authorised personnel?
17 Are internal and external labels used on files?
18 Are overrides of system checks by operators controlled?
19 Are exception reports for such overrides pointed and reviewed by appropriate
personnel?
20 Are sufficient operating instructions exist covering procedures to be followed at
operation?

Database

21 Does the position of database administrator (DBA) exist? If not note who is
responsible for:
Defining user and program access
Mediating between users who share data
Maintaining the integrity of the database
Setting standards of backup and recovery

22 Is the DBA restricted from:

Having control over company assets
Initiating and recording transactions
23 Are logs maintained of the use of utilities, changes to access methods, etc.?
24 If so, are these independently reviewed?
25 Does the DBMS have the facility to abort jobs when two users, with the same
priority, are locked out from the same chain of data?
26 Is integrity checking programs run periodically for checking the accuracy and
correctness of linkages between records?

Password and other online controls

Audit Procedure

(i) Note procedures for issuing, amending, and deleting passwords.

(ii) Obtain an understanding of any access control software used.

1 Do formal procedures exist for the issue and subsequent control of passwords?
Is there any proper password syntax in-force i.e. min. 5 and max. 8 characters and
include alphanumeric characters.
3 Are there satisfactory procedures for reissuing passwords to users who have
forgotten theirs?

4 Are procedures in place to ensure the compliance of removal of terminated

employee passwords?

5 Are system access compatibilities properly changed with regard to personnel

status change?

6 Are individual job responsibilities considered when granting users access

privileges?

7 Is each user allocated a unique password and user account?

8 Are there procedures in place to ensure forced change of password after every 30
days?

9 Is application level security violations logged?

10 Do standards and procedures exist for follow up of security violations?

11 Do formal and documented procedures exist for use and monitoring of dial up
access facility?

12 Is use made of passwords to restrict access to specific files?

13 Do terminals automatically log off after a set period?

14 Is there a limit of the number of invalid passwords before the terminal closes
down?

15 Are there any administrative regulations limiting physical access to terminals?

16 Are invalid password attempts reported to user department managers?

17 Are restrictions placed on which applications terminals can access?

18 Are keys, locks, cards or other physical devises used to restrict access to only
authorized user?
APPLICATION CONTROLS

Input

Audit Objective
Do controls provide reasonable assurance that for each transaction type, input is
authorized, complete and accurate, and that errors are promptly corrected?

1 Are all transactions properly authorized before being processed by computers?

2 Are all batches of transactions authorized?
3 Do controls ensure unauthorized batches or transactions are prevented from
being accepted i.e. they are detected?
4 Is significant standing data input verified against the master file?
5 Is maximum use made of edit checking e.g. check digits, range and feasibility
checks, limit tests, etc.?
6 Are there procedures to ensure all vouchers have been processed e.g. batch totals,
document counts, sequence reports, etc.?
7 Are there procedures established to ensure that transactions or batches are not
lost, duplicated or improperly changed?
8 Are all errors reported for checking and correction? 9 Are errors returned to the
user department for correction?
10 Do procedures ensure these are resubmitted for processing?
11 Is an error log maintained and reviewed to identify recurring errors?
12 Are persons responsible for data preparation and data entry independent of the
output checking and balancing process?
13 Are persons responsible for data entry prevented from amending master file
data?

Output and Processing

Audit Objective
The controls provide reasonable assurance that transactions are properly processed
by the computer and output (hard copy or other) is complete and accurate, and that
calculated items have been accurately computed:

1 Is there any formal written output distribution policy?

2 Are hard copy reports:
Headed
Pages numbered
Dated
Identified by report/program number
Adequately totalled/control totalled
Designed to give an End of Report message, if not obvious?

3 Are significant reports distributed to only authorised personnel in line with an

approved distribution list?
4 Are there formal procedures for checking, filing and retention of reports?
5 Where output from one system is input to another, are run to run totals, or similar
checks, used to ensure no data is lost or corrupted?
6 Are there adequate controls over forms that have monetary value?
7 Is maximum use made of programmed checks on limits, ranges reasonableness,
etc. and items that are detected reported for investigation?
8 Where calculations can be 'forced' i.e. bypass a programmed check, are such
items reported for investigation?
9 Where errors in processing are detected is there a formal procedure for reporting
and investigation?
10 Is reconciliation between input, output and brought forward figures carried out
and differences investigated?
11 Are suspense accounts checked and cleared on a timely basis?
12 Are key exception reports reviewed and acted upon on a timely basis?

Viruses

1 Is there any formal written anti-virus policy ?

2 Is the policy effectively communicated to individuals in the organization ?
3 Is there a list of approved software and suppliers?
4 Is only authorized software installed on microcomputers?
5 Is there a master library of such software ?
6 Are directories periodically reviewed for suspicious files?
7 Are files on the system regularly checked for size changes?
8 Is anti-virus software installed on all microcomputers?
9 Is anti-virus software regularly updated for new virus definitions?
10 Are suspicious files quarantined and deleted from the terminals hard drive and
network drive?
11 Are diskettes formatted before re-use?
12 Have procedures been developed to restrict or oversee the transfer of data
between machines?
13 Is staff prohibited from sharing machines?
14 Is software reloaded from the master diskettes after machine maintenance?
15 Has all staff been advised of the virus prevention procedures?
16 Are downloads from internet controlled by locking the hard-drive and routing it
through network drive to prevent the virus (if any) from spreading?

INTERNET

1 Is there any proper policy regarding the use of internet by the employees?
2 Does the policy identify the specific assets that the firewall is intended to protect
and the objectives of that protection?
3 Does the policy support the legitimate use and flow of data and information?
4 Is information passing through firewall is properly monitored?
5 Determine whether management approval of the policy has been sought and
granted and the date of the most recent review of the policy by management.
6 Is the policy properly communicated to the users and awareness is maintained?
7 Have the company employed a Firewall Administrator?
8 Is firewall configured as per security policy?
9 Is URL screening being performed by Firewall?
10 Is anti-virus inspection enabled?
11 Are packets screened for the presence of prohibited words? If so, determine
how the list of words is administered and maintained.
12 Are access logs regularly reviewed and any action is taken on questionable
entries?

CONTINUITY OF OPERATIONS A PHYSICAL PROTECTION

1 Fire Hazard

Fire resistance:
Building materials fire resistant
Wall and floor coverings non-combustible
Separation from hazardous areas (e.g. fire doors) and
Fire detection:
Smoke / Heat-rise detectors
Detectors located on ceiling and under floor
 Detectors located in all key EDP areas
Linked to fire alarm system Fire extinction:
Halon gas system (for key EDP areas)
Automatic sprinkler system
Portable CO2, extinguishers (electrical fires)
Ease of access for fire services Fire emergency:
Fire instructions clearly posted
Fire alarm buttons clearly visible
Emergency power-off procedures posted
Evacuation plan, with assignment of responsibilities Fire practices:
Regular fire drill and training
Regular inspection/testing of all equipment

2 Water Damage

EDP area located above ground level Building weather protected (eg. Storms,
water leaks) Computer room drainage facilities

3 Air Conditioning
Monitoring of temperature and humidity in EDP area Heat, fire and access
protection of sensitive air conditioning parts (eg. cooling tower) Air intakes located
to avoid undesirable pollution Back-up air conditioning equipment

4 Power Supply
Reliable local power supply Separate computer power supply Line voltage
monitored Power supply regulated (For voltage fluctuation) Uninterrupted power
supply (eg. Battery system) available Alternative power supply (eg. Generator)
Emergency lighting system
5 Communications Network
Physical protection of communications lines modems, multiplexors and processors
Location of communication equipment separate from main EDP equipment Back-
up and dial-up lines for direct lines.

6 Machine Room Layout

Printers, plotters located in separate area Printout preparation (eg. bursting) located
in separate area Tape/Disk library in separate area Machine room kept tidy
Practical location of security devices Emergency power off switches Alarms
Extinguishers Environment monitoring equipment
B ACCESS CONTROL

1 Entrance Routes (EDP areas):

No unnecessary entrances to the computer room Non-essential doors always shut
and locked to the outside (eg. Fire exits)Air vent and daylight access location
protected Use of all open doors controlled

2 Access Control:
Access restricted to selected employees Prior approval required for all other
employees Entrance door controlled by:
Screening by a guard
Locks/combinations
Electronic badge/key
Other (specify)
Positive identification of all employees (eg. identification card) All unknown
personnel challenged
Verification of all items taken into and out of the computer room Access controlled
on 24 hours basis including weekends (e.g. automatic control mechanism) Locks,
combinations, and badge codes changed periodically is access to copies of the
documentation kept in a secure location?

3 Visitor Control :
Positive identification always required Temporary badges issued, controlled and
returned on departure All visits logged in and out Visitors accompanied and
observed at all times .

4 Terminal Security:
All terminals located in secure areas Alarm system used to control microcomputers
from being disconnected or moved from its location. Sensitive applications e.g.
payroll, maintained on machines in physically restricted area. Terminal keys/locks
used Passwords changed regularly Identification labels been placed on each
terminal.

5 General Security
Waste regularly removed from EDP area and sensitive data shredded Window and
door alarm system Closed circuit television monitoring

C PERSONNEL POLICIES

1 New employees recruited according to job description and job specification

2 Employee identity cards issued
3 Performance evaluation and regular counseling
4 Continuing education program
5 Training in security, privacy and recovery procedures
6 All functions covered by cross training
7 Critical jobs rotated periodically (e.g. operators, program maintenance)
8 Clean desk policy enforced
9 Fidelity insurance for key personnel
10 Contract service personnel vetted (e.g. cleaners)

D INSURANCE

1 Does adequate insurance exist to cover:

Equipment?
Software and documentation?
Storage media?
Replacement / re-creation cost?
Loss of data/assets (eg. Accounts receivable)?
Business loss or interruption (business criticalsystems)?
2 Is adequate consideration given to cover additional cost of working and
consequential losses?

E BACK-UP PROCEDURES

1 Equipment (computer and ancillary):

Regular preventive maintenance
Reliable manufacturer service
Arrangements for back-up installation
Formal written agreement
Compatibility regularly checked
Sufficient computer time available at back-up
Testing at back-up regularly performed

2 Outside Suppliers (non continuance / disaster):

(eg. suppliers of equipment, computer time,software)
Alternative sources of supply / maintenance / service available
Adequate and secure documentation/back-up of
data and programs
Are backup copies of system documentation kept in
 a secure location?

3 Off-site Storage:
Secure separate location
Adequate physical protection (see section A)
Log maintained of off-site materials
Off-site Inventory regularly reviewed
File transportation under adequate physical
protection
Back-up files periodically tested

4 Data Files:
File criticality and retention procedure regularly reviewed
Tape
At least three generations of important tape files retained
Copies of all updating transactions for above retained
At least one generation and all necessary updating
transactions in off-site storage
Disc
Checkpoint/restart procedures provided for
Audit trail (log file) of transactions updating on-line
files (data base) maintained
Regular tape dumps of all disc files stored off-site
Audit trail (log file) regularly dumped and stored off-site

5 Software:
Copies of following maintained at off-site storage:
Production application programs
Major programs under development
System and program documentation
Operating procedures
Operation and system software
All copies regularly updated
Back-up copies regularly tested

6 Operations
 Back-up procedure manual
Priority assignments for all applications
Procedures for restoring data files and software
Procedures for back-up installation

F DISASTER RECOVERY PLANS

1 Is a comprehensive contingency plan developed, documented and periodically

tested to ensure continuity in data processing services?
2 Does the contingency plan provide for recovery and extended processing of
critical applications in the event of catastrophic disaster?
3 Has any Business Impact Analysis carried out by the company?
3 Are all recovery plans approved and tested to ensure their adequacy in the event
of disaster?
4 Communicated to all management and personnel concerned
5 Critical processing priorities identified (eg. Significant accounting applications)
6 Are disaster recovery teams established to support disaster recovery plan?
7 Are responsibilities of individuals within disaster recovery team defined and time
allocated for completion of their task?
8 Operations procedures for use of equipment and software back-up
9 Has the company developed and implemented adequate plan maintenance
procedures?
10 Are priorities set for the development of critical systems?
11 Does a hardware maintenance contract exist with a reputable supplier?

12 Does the recovery plan ensure, in the event of failure:

No loss of data received but not processed
No reprocessing of data already processed
Files not corrupted by partially completed processing
13 Are recovery plans regularly tested?