IS Audit Objectives and scope-WSTF


Objectives 1—The information security management audit/assurance review will:

• Provide management with an assessment of the effectiveness of the information
security management function
• Evaluate the scope of the information security management organization and
determine whether essential security functions are being addressed effectively

Scope—The review will focus on:

• Information Security Management—Processes associated with governance, policy,
monitoring, incident management and management of the information security
function
• Information Security Operations Management—Processes associated with the
implementation of security configurations

Objectives 2 (Application systems, e.g. PMIS, SAP, UPCIS, e-Board and HRMIS)


The objectives of the applications review are to:

• Provide management with an assessment of the fund’s policies and procedures
relating to the development, acquisition, and deployment of software, and of
their effectiveness
• Identify deficiencies in internal controls which might negatively affect the various
compliance components with which the fund must comply
• Identify control weaknesses in the processes to develop, acquire, and deploy
software that could affect the reliability, accuracy, stability, and security of the
fund’s information
• Provide management with an independent assessment of efficiency and
effectiveness of the design and operation of internal controls and operating
procedures
• Provide management with the identification of application-related issues that
require attention

Scope—The review will include the following:

• Policies and processes to control the development, acquisition, and deployment of
software across the organization
• Identification and evaluation of the design of controls
• Evaluation of control effectiveness
• Assessment of compliance with regulatory requirements
• Identification of issues requiring management attention
• {Additional scope as determined by project team}

Objectives 3—The IT continuity plan audit review will:

• Provide management with an evaluation of the IT function’s preparedness in the
event of a process disruption
• Identify issues that may limit the interim business processing and restoration of
same
• Provide management with an independent assessment relating to the effectiveness
of the IT continuity plan and its alignment with the business continuity plan and IT
security policy

Scope—The review will focus on the IT continuity plan and its alignment with the fund’s
business continuity plan, policies, standards, guidelines, procedures, laws and regulations
that address maintaining continuous IT services. This will address:

• Development, maintenance and testing of the IT continuity plan
• Ability to provide interim IT services and the restoration of same
• Risk management and costs related to the IT continuity plan

The review relies on the existence of a business continuity plan. Policy, standards, guidelines
and implementation of the business continuity plan are outside the scope of this review.

Objectives 4—The primary objectives of the biometric audit review are to:

• Provide management with an independent assessment of the effectiveness of the
architecture and security of the deployed biometric systems and their proper alignment
with the fund’s IT security policies, information systems architecture, information asset
criticality and industry good practices
• Provide management with an evaluation of the IT function’s preparedness in the event
of an intrusion or major failure of one or more biometric systems
• Identify issues that may impact the security of the fund’s physical and logical security
stance

Scope—The review will focus on the acquisition, architecture, rollout and security of
biometric technologies, both deployed and planned, including, but not restricted to,
policies, standards and procedures, as well as resilience to major outages, intrusions or
other failures.
