Findings and Recommendations
Access Controls
However, the company is deficient in other areas, including both physical security and
logical access controls, which we consider crucial to the functioning of the company's systems. We
strongly advise that the company maintain written procedures governing the physical security of
its computer equipment, and that it restrict entry to the computer room with physical access
devices (e.g. key cards or a biometric system). The company should also protect sensitive
equipment and storage media from environmental damage with controls such as water detectors,
humidity control, and an uninterruptible power supply (UPS) backed by diesel or gas generators.
The company satisfactorily passed its program change controls: it practices authorization
and approval procedures, keeps an audit trail of change requests, tests programs before release,
and segregates duties.
As with its access controls, however, the company does not maintain written procedures for
controlling program changes made by IT management and programming personnel; we advise
that it do so.
System Development and Acquisition Controls
The company maintains general operational documentation covering the system start-up
procedures, backup assignments, emergency procedures and system shutdown procedures for
which the operations staff is responsible.
The company regularly secures critical files and programs by copying them to tapes or
cartridges, establishing generations of files for audit trail purposes, and verifies that the
appropriate backup files exist by taking periodic inventory.
Because of the increased potential for disruption, an organization must also monitor for
events that could interrupt or permanently end its relationship with an outsourced provider,
such as financial or workplace problems at the provider, geopolitical instability, natural
disasters or changes in economic circumstances. Organizations therefore need to consider these
possibilities and devise strategies for coping with them, which adds layers of complexity to
their business continuity and disaster recovery plans.