
PT Perusahaan Gas Negara

December 31, 2009

1. Procedure for program change monitoring process should be developed and formalized

Observation
Based on our observation and discussion, we noted that the Company has
not developed a formal procedure for monitoring program changes.
Thus, no periodic monitoring is performed on changes to the
Oracle Financials application to detect unauthorized or unapproved
deployment to the production environment.

Risk
Lack of formal procedures related to program change monitoring would
increase the risk that unauthorized or unapproved changes are promoted
to the production environment.

Recommendation
The Company should develop a periodic procedure for monitoring
changes in the Oracle Financials application, and the process should be
documented appropriately. Monitoring of program changes is important in
order to ensure that all changes made to the Oracle Financials application meet
user and business requirements.

Management Comments

We will review the Operating Procedures and Working Instructions, which
already exist to accommodate the recommendations are to be proposed
to the OPB division this year.

2. Procedure for logical access monitoring process should be developed and formalized

Observation
Based on our observation and discussion, we noted that the Company has
not developed a formal procedure for monitoring the logical access
process. Thus, no periodic monitoring is performed on
access to the Oracle Financials application to detect unauthorized or dormant
user accounts.

Risk
The absence of periodic review and monitoring over the logical access
process may increase the risk that unauthorized and dormant user accounts
remain active in the system, and the risk of unauthorized access to the system.

Recommendation
We recommend that the Company develop a formal procedure for logical
access process monitoring. Strong monitoring of the logical access process
in the Oracle Financials application should be performed on a regular basis, and
the result should be documented appropriately.

Management Comments

We will review the Operating Procedures for Monitoring Logical Access to
accommodate the recommendations are to be proposed to the OPB
division this year.

3. Windows 2003 Server Operating System parameters should be tightened

Observation
We noted that the O/S parameter settings were configured as follows:

• LockoutDuration : 30
• ResetLockoutCount : 30
• Enforce password history : 0 passwords
• Password complexity : Disabled

Risk
Weak password controls (parameters) increase the risk of unauthorized
access to the system.

Recommendation
We recommend that the Company enhance the password security settings to
the following:

• LockoutDuration : should be set to 0, which indicates that it requires the
administrator to manually unlock the user.
• ResetLockoutCount : should be set to 60 minutes.
• Enforce password history : should be set to 4 passwords
• Password complexity : should be set to Enabled.

Management Comments

We note this is an improvement from the past audit result; we scheduled it for
change in the production environment.
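
A check of the four settings in this finding against a `secedit /export` security template, added here as an example and not part of the original letter. It assumes the letter's "Enforce password history" and "Password complexity" correspond to the template keys `PasswordHistorySize` and `PasswordComplexity`, that a template may write -1 for the "administrator must unlock" duration the letter gives as 0, and that stricter values also meet the recommendation; both sample templates are constructed.

```python
import configparser

# Recommended values from finding 3. Accepting stricter values (>=) and
# accepting -1 as "administrator must unlock" are assumptions of this example.
RULES = {
    "LockoutDuration": (lambda v: v in (0, -1), "0 (administrator must unlock)"),
    "ResetLockoutCount": (lambda v: v >= 60, "60 minutes"),
    "PasswordHistorySize": (lambda v: v >= 4, "4 passwords"),
    "PasswordComplexity": (lambda v: v == 1, "Enabled"),
}

# Constructed sample: the values the letter reports as found.
AS_FOUND = """[Unicode]
Unicode=yes
[System Access]
PasswordHistorySize = 0
PasswordComplexity = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: the values the letter recommends.
RECOMMENDED = (AS_FOUND
               .replace("PasswordHistorySize = 0", "PasswordHistorySize = 4")
               .replace("PasswordComplexity = 0", "PasswordComplexity = 1")
               .replace("ResetLockoutCount = 30", "ResetLockoutCount = 60")
               .replace("LockoutDuration = 30", "LockoutDuration = 0"))

def check_policy(inf_text):
    """Return {setting: (observed, recommended)} for each setting that fails."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as exported
    parser.read_string(inf_text)
    section = parser["System Access"] if parser.has_section("System Access") else {}
    failures = {}
    for name, (meets, recommended) in RULES.items():
        raw = section.get(name)
        try:
            value = int(raw)
        except (TypeError, ValueError):
            failures[name] = (raw, recommended)  # missing or non-numeric: report it
            continue
        if not meets(value):
            failures[name] = (value, recommended)
    return failures

if __name__ == "__main__":
    for name, (seen, want) in check_policy(AS_FOUND).items():
        print(f"{name}: found {seen}, recommended {want}")
```

Running the check on a schedule and keeping its output gives a dated record that the change reached production and stayed in place.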

4. Procedures for backup and recovery should be improved and formalized

Observation
We noted that the backup is performed on a regular basis; however, we
noted that the backup and recovery procedure has not been formalized to
ensure that backup and recovery have been performed as standard.

Risk
Without a formal backup and recovery procedure, there is no assurance
that the data was backed up and can be recovered appropriately based on
the Company’s standard.

Recommendation
We recommend that the Company improve and formalize the backup and
recovery procedure. The procedure should be comprehensive and at least
include:
1. Identification of vital data that require backup (copies of data and
program files as well as key system resources), its storage and
recovery
2. Off-site backup storage (backup copies should be maintained in a
secure, environmentally controlled off-site location and adequate
physical security)
3. Test of backup copies through regular recovery procedures
4. Periodic inventory review of all backup tapes/media
5. Documentation of all backup and recovery activities to enable review

Management Response

We will improve and formalize the backup procedure.
