TIB Questionnaire


Trinity Insurance Brokers

Test of IT General Controls - Security Management

Internal Control Questionnaires

Name and Position of Respondent: Angel Linchangco (all items)
Email: ablinchangco@trinity-insures.com
Status column: items with a follow-up question below were marked For Follow-Up; where the page records a status against a follow-up response, it is given in parentheses.

Security management

1. Provide a brief background of the applications used by Trinity Insurance Brokers. What is the purpose of these applications?
   Response: TIS is a customized ERP built for Trinity. On-prem design.
   Follow-up question: What does TIS stand for? What is the current version being used?

2. For each application, what are the database programs used?
   Response: SQL Server
   Follow-up question: What is the current version of SQL being used?
   Follow-up response: SQL 2008 / SQL 2019

3. Policies and Procedures
   a. Based on the discussion and supporting documents retrieved from the last audit, there is already a draft of the security policies and procedures. However, it was not reviewed and finalised during the audit. Could you please confirm whether the draft has been approved, who approved the policies, and when it was approved? Could you provide us a copy of the proof of approval?
      Response: The drafted security policies are now covered by our New Employee Code of Conduct approved by Excom. Copy will be requested from management. Screenshot of approval of policy (last page only) to be sent.
   b. It was also noted that policies are communicated to new hires through an on-boarding process, and additional seminars are conducted if modifications are implemented. How do we monitor or ensure that the policies were completely communicated to all employees?
      Response: We now issue an e-blast and post it to the Teams channel for communication.
   c. Is there an existing repository of all the existing policies and training materials available to all employees? How do employees access the repository? Who is in charge of updating the repository?
      Response: That is being reviewed by HR as a project. We have this Trinity Academy in place.

4. Internal Organization
   a. Based on last year's audit, there are three personnel under MIS. Are there any changes in the plantilla of the department? If not, are the roles and competencies required for each position still the same?
      Response: Same personnel. For 2021, plans are submitted to HR for evaluation.
   b. Does the company perform a periodic review of existing job descriptions? Provide a walkthrough of the review of the job description and include the following details: 1. How often does the Company conduct reviews? 2. Who conducts the review? 3. After the review, who approves the changes made in the job description?
      Response: Yes. 1. We submit our updated JDs for review. 2. HR reviews and recommends. 3. Management approval is required, with budget, timeline and other policies involved. This is an ongoing project from HR.
      Follow-up question: How often is it reviewed?
      Follow-up response: No review last year. But we updated our JDs related to updating of KRA/KPI. (Done)
   c. Does the company conduct training for IT personnel? How often? Who requests and approves the training needed? Does the company keep records of all the trainings provided? How do they maintain this record?
      Response: Yes. Upon renewal of a subscription or purchase of a software, there is a knowledge training from the provider. Recording of trainings provided is a new project of HR. No recording yet, but we in MIS request a knowledge transfer in coordination with the provider on maintenance and troubleshooting.
   d. We also noted that there is an existing performance evaluation for each employee. Are the performance matrices still the same? How often do we conduct this evaluation?
      Response: This is a new program from HR and evaluation is ongoing.
      Follow-up question: Please provide an explanation of why performance evaluation was not done for 2020.
      Follow-up response: Performance review is for 2021, pertaining to 2020. (Done)

5. Business Requirement of Access Control
   a. Are there any changes in the user access profiles/roles?
      Response: None
   b. Is the administrator who changes access parameters still the same?
      Response: Yes

6. Access Creation, Modification, and Deactivation
   a. For access creation and modification, are requests still sent through email? Are there any forms they need to fill out, or tickets they need to submit, for the requests? Who are the authorized approvers if the manager is not the one who sent the request?
      Response: Yes, via email only. No forms required. Managers and immediate superiors. Some are Cc'd to managers. No need for approval as long as managers are informed.
   b. For access deactivation, are users still not permanently deleted/deactivated in the application? How do we ensure that their user accounts are no longer used?
      Response: Yes. As for TIS, we don't delete user accounts of resigned employees. This is to transfer still-pending accounts to new assignees. Then we deactivate no-longer-used accounts.
      Follow-up question: Provide a walkthrough of the transfer of pending accounts to new assignees. Who is authorized to transfer these accounts?
      Follow-up response: There must be a request with approval at least from the Manager/Head. Email can be from the officer who will take over the accounts. Then we will give access to that officer using the old/resigned account to transfer. (Done)
   c. How do we monitor access creation, modification, and deactivation requests?
      Response: Monitoring via email

9. User Access Management
   a. Is there a comprehensive authentication mechanism used to validate credentials before gaining access to the system and performing a transaction? Explain.
      Response: We use password authentication for Windows, systems and VPN via Active Directory control. Multiple validation may be required depending on the system used.
      Follow-up question: Kindly elaborate to us what multiple validations are being done for the authentication to the system.
      Follow-up response: Like for Remote VPN, we configure the computer. Then during daytime at normal hours the user can connect using the password from AD. If on Saturday/Sunday/after office hours, an email must be sent for authorization.
   b. How are user IDs configured? How do they ensure that all user IDs are unique? Who is responsible for setting the user ID parameters?
      Response: User IDs are unique and are system generated.
      Follow-up question: Does the system follow a specific user ID parameter in generating the user ID?
      Follow-up response: We assign a user account. ID is generated automatically by the system.

10. Password Parameter
   a. Is the current password parameter still the same as the parameter from 2019?
      Response: Same as 2019. Like 90 days effectivity on Windows and M365.
   b. Who is authorized to change the password parameter? What are the usual reasons for changing the password parameter? Who approves this change?
      Response: Only administrators are authorized. Suggestions came from VAPT requirements. MIS Manager with coordination from Management on how we do things.

11. Database Access
   a. Is the vendor still the only one who can modify the database?
      Response: Yes

12. Access Rights Review
   a. Based on last year's review, the company does not perform access rights review. Please confirm whether this is still true for last year.
      Response: Presented to Excom. Reviews are internal only. MIS, or as discussed within the department.
      Follow-up question: For clarification, for 2020, are there internal reviews done now? May we ask if we can schedule a viewing of the internal documents?
      Follow-up response: Taken up to Excom. Suggested that review can be internal. No specific time/schedule of review needed. Or as-needed-only review by officers.

13. Remote Access
   a. Based on last year's walkthrough, remote access is requested via email or through a phone call. Access is also granted by the MIS. Does the company follow the same process in 2020?
      Response: This is now requested via email, preferably a day before access. Requested by managers.
   b. In addition, it was also mentioned that authentication is only through the use of the password and there is no existing two-factor authentication. Is this still the case for 2020?
      Response: Two-factor authentication is activated only for the Administrator. So
      Follow-up question: For regular employees, may we clarify whether no 2FA is enforced? What 2FA is enforced for administrators?
      Follow-up response: Only the System Admin has 2FA.

14. Access to Network and Network Services
   a. Based on last year's walkthrough, the entity has an existing subscription with Fortigate, which serves as the company's firewall with a built-in intrusion detection system. They also have VPNs to ensure a private connection to servers. Lastly, there is also an installed anti-virus software, Kaspersky, which has built-in data leak prevention and web filtering. Are there any changes in the firewall, VPN, and anti-virus software?
      Response: No changes
   b. Are unauthorized attempts to breach the firewall properly documented? How are they documented? Who monitors and reviews these attempts? How do they resolve any successful unauthorized attempts?
      Response: Unauthorized attempts are reported from Fortinet. We in MIS monitor. No successful breach experienced. Any form of breach must be reported to Management.
   c. Are there periodic anti-virus scans configured? How often? Provide a screenshot of the configuration.
      Response: All are system automated. Pre-configured by provider.
   d. How do they resolve any successful malware attack? How is it documented?
      Response: No malware attack experienced
      Follow-up question: Are there any logs showing that no malware attacks happened?
      Follow-up response: In our Fortinet weekly report. No attack encountered. Only scoring status.

16. Administrative Privileges and Super-User Rights
   a. Based on last year's audit, activities of both users and administrators are logged in the Event Viewer. Who reviews the logs? How often is it reviewed? What are the corrective actions taken for any anomalies discovered?
      Response: Review of Event Viewer is on a case-to-case basis, or if an incident requires it. Reviewed by Network Admin. Regular maintenance updates are pushed.

17. Vulnerability Management
   a. Is the vulnerability assessment and penetration testing still performed by a third party? When was the last vulnerability assessment and penetration testing? Enumerate the tests performed.
      Response: Yes, by Deloitte. September 2019. Full Penetration Test. Scope: 1. Internal-only network. 2. Internet-facing systems/hosts. 3. Hosted systems in cloud providers.
      Follow-up question: Was VAPT done for 2020? If none, may we ask why?
      Follow-up response: Due to acquisition of M365 and VPN activation for remote users, with pending review of new ERP/CRM implementation, VAPT was put on hold. We also have a good review from 2019.

18. Monitor Access
   a. Based on last year's audit, unauthorized access attempts, both internal and external, are logged via Fortinet (firewall). MIS is alerted to these attempts with a corresponding screenshot. Are there any changes in the current set-up?
      Response: None
   b. How do we resolve any successful breach?
      Response: Incident Protocol - Using Privacy Manual / Report to DPO
Trinity Insurance Brokers

Test of IT General Controls - Technology Acquisition, Development and Maintenance

Internal Control Questionnaires

Name and Position of Respondent: Angel Linchangco (all items)
Email: ablinchangco@trinity-insures.com
Follow-up questions dated 4/8/2021

Technology Acquisition, Development and Maintenance

1. Policies and Procedures
   a. Based on last year's audit, there is currently no policy for SDLC and change management, but there is an existing service level agreement between TIB and CITS. Could you please confirm whether new policies were created for the acquisition? Is the service level agreement still effective in 2020, or was it renewed? What are the enhancements covered by the agreement?
      Response: Yes, we don't have a Software Development Life Cycle agreement and change management policy. Although we have this Support and Maintenance agreement with CITS and follow the protocol and SLA of the contract. Contract renewed, same coverage.
      Status: For Follow-Up
      Follow-up question: Kindly provide us a clearer copy of the service level agreement.
      Follow-up response: Sent soft copy on email (Done)

2. Change Management
   a. Is the change management process still done by CITS? Could you explain the process based on the contract with them?
      Response: None for 2020. That will be treated as a change order.
      Status: For Follow-Up
      Follow-up question: Can you confirm whether the change order will be assessed by the IT department first, and if the department cannot do the needed changes, they will escalate it to the vendor? Can you provide us the changes that were not raised to the vendor? Are there logs related to it? Are they being tested? If yes, is there a separate testing environment for its testing?
      Follow-up response: Change Orders are discussed with management and must be approved by the president. Then submit to vendor for review. Testing and sign-off will be reviewed by the requesting department. (For Follow-Up)
   b. Based on the discussion last year, no proper documentation of changes was maintained by the company. Are there any changes to the process? Does it already have documentation or monitoring?
      Response: No changes. Only errors and bugs encountered by users were submitted to be fixed by CITS/Programmer via email request.
      Status: For Follow-Up
      Follow-up question: Can you provide us a copy of the errors and bugs encountered by the users?
      Follow-up response: Sent to email (Done)
   c. For the change requests, do business units still request via email? If yes, are the e-mail trails compiled and kept in a repository? How do you keep track of the requests?
      Response: There are no change requests made, and they will be under change order. We keep track of requests via email, but those are errors omitted by the system. No change in processes.
      Status: For Follow-Up
      Follow-up question: How about tracking of e-mail requests for change order? Are there any other requirements needed before the request can be performed?
      Follow-up response: No tracking needed. Users usually follow up pending items. (For Follow-Up)

3. Post Implementation
   a. Per last year's review, are there changes in the system that required post-implementation reviews in 2020? Could you please identify the changes and provide documentation of the post-implementation review?
      Response: None.
      Status: Done
   b. For changes that do not have a post-implementation review, does a user sign-off still serve as the approval? What is the process for the issues or changes requested from the business unit? Who approves the request?
      Response: If there is a change order, there should be a PO and request for Change Order to CITS. Sign-off must be completed upon implementation or post implem.
      Status: For Follow-Up
      Follow-up question: What does PO mean? If there are issues discovered upon implementation or post implem, what are the actions to fix it and controls to prevent it?
      Follow-up response: PO = Policy Order (items for Billing/Adjustment). Bugs are being fixed; some are persistent bugs that cannot be prevented. If preventable, we suggest some workaround during meeting discussion with the department, like avoiding updating by multiple users from one transaction at the same time. (For Follow-Up)

5. Production and Test Changes
   a. Based on the discussion last year, there is no separate environment available in the company; the vendor has its own testing and the company is in charge of the production environment. Could you confirm whether the development and testing libraries are segregated from the production library? Are there any changes regarding the process? Can you explain the process the vendor conducts?
      Response: Yes, CITS have their own test environment. Should there be a correction or update, they will have to be given permission for remote management. This is disabled.
      Status: Done
   b. It was noted from the audit last year that the user signifies their acceptance via sign-off. How are these documented? How does the user evaluate the changes to be approved? What are the factors considered?
      Response: Yes. Requirement upon full payment of an approved Change Order. User to test and must agree in conformity with the agreed change order, which is a result of sign-off.
      Status: For Follow-Up
      Follow-up question: Are there any specific factors considered before the sign-off of users? Are there any changes that cannot be tested? Do you perform roll-back procedures? How are these documented?
      Follow-up response: Sign-offs are also discussed by the committee/group involved. Change, testing, rollback are discussed if needed. (For Follow-Up)
Trinity Insurance Brokers

Test of IT General Controls - Technology Infrastructure

Internal Control Questionnaires

Name and Position of Respondent: Angel Linchangco (all items)
Email: ablinchangco@trinity-insures.com
Status column: items with a follow-up question below were marked For Follow-Up.

Technology Infrastructure

1. IT System Needs
   a. Per last year's audit, no policy is established for the assessment of IT systems, and assessment is only done through a memo for request, report, or recommendation. Are there any changes in this practice?
      Response: None. It is being reviewed by Internal Audit.
      Follow-up question: Did IA conduct an assessment for IT System Needs for 2020? If yes, please provide us a copy of the result.
      Follow-up response: None. Only the P&A review.
   b. In addition, there was also no assessment performed for 2019. Is this still the case in 2020?
      Response: I believe the assessment is part of this audit coverage. Same as last year.

2. Data Processing
   a. Based on last year's review, there is currently no established policy for real-time processing; however, there is an available user manual for this.
      Response: User manual and policy are based on the approval process on data processing.
   b. Training is also performed for new hires. Are there any changes in the user manual? How do we make sure that enough training is provided for data processing?
      Response: None. Trainings are internal to the department.
   c. Per last year's audit team observation of the Policy Order (PO) processing module for renewals, the only mandatory field is the information needed to capture the name of the client. For new business, all fields are mandatory to be filled out and are no longer editable once done. Are there any changes in this procedure? How do we ensure that correct information is indicated in the system before the PO is submitted?
      Response: None. No changes once OG Approval or Billing/Adjustment is created. Corrections are followed by CMD/DM.
   d. In addition, the Policy Administration Group submits an exception report on unprocessed transactions, which are investigated if they exceed the expected turn-around time. How often is it reviewed? Is the exception report system generated? What is the expected turn-around time for processing? What are the corrective actions taken for any exceptions noted?
      Response: Reviews and TAT are within PAG. There is a departmental manual from PAG.
      Follow-up question: Kindly provide us a contact person in PAG responsible for Data Processing with their email address.
      Follow-up response: Aren Cunanan, accunanan@trinity-insures.com for EB. Elaine Bianzon, ecbianzon@trinity-insures.com for GI.
   e. Does the company still use only one application? Is there still no data transfer process for 2020?
      Response: TIS. We use M365 for collaboration.

3. Secure Areas
   a. Are there any changes in the existing security and physical controls in the data room or server room?
      Response: None
   b. How often are the controls in place inspected? Who is responsible for the inspection? How is it documented?
      Response: Regularly, and if there is any incident. No incident happened or recorded.
      Follow-up question: Is the server room inspected daily? Weekly? Or monthly?
      Follow-up response: Daily, as there are MIS personnel. And by Security for temperature check daily.
   c. Enumerate the personnel who have access to data rooms and servers.
      Response: MIS personnel only. Admin and PMO require permission.

4. Batch Processing
   a. Per last year's walkthrough, there is no batch processing for TIS. Is this still the case for 2020?
      Response: Yes.

5. Backup Policy
   a. Are there any changes in the backup procedure of TIS?
      Response: Backup to SGG House not implemented. COVID.
   b. Who is responsible for backup and recovery?
      Response: MIS personnel. MIS Manager and Sr. Network Admin.
      Follow-up question: Kindly provide us the email address of the Sr. Network Admin.
      Follow-up response: Jonefer Prescillas, jgprescillas@trinity-insures.com
   c. How does the company determine that backup and recovery were done successfully?
      Response: Upon regular review of whether the process has been completed by the Sr. Network Admin.
   d. What are the data, software, updates, etc. that are backed up?
      Response: Database and images of servers
   e. Were there any incidents of system processing failure, destruction of hardware, or loss of data in 2020? Provide documentation of the back-up and restoration process performed.
      Response: None. Restorations are done to the Cebu Server.
      Follow-up question: Kindly provide us a contact person in charge of the data restoration performed in the Cebu Server last 2020.
      Follow-up response: Jonefer Prescillas, jgprescillas@trinity-insures.com
   f. Does the company conduct data reconciliation as part of the back-up and recovery procedure? Provide a walkthrough.
      Response: I believe that Accounting reviews the data for consistency.
   g. What are the corrective actions performed as a result of data reconciliation?
      Response: Through regular corrections from CMDM and JV for adjusting entries.
      Follow-up question (for items f and g): Kindly provide us a contact person in the Accounting Department who is responsible for backup data reconciliation and correction.
      Follow-up response: Razel Catapang