TIB Questionnaire
Question
Security management
1 Provide a brief background of the applications used by Trinity Insurance
Brokers. What is the purpose of each application?
2 For each application, what are the database programs used?
b. It was also noted that policies are communicated to new hires through
an on-boarding process, and that additional seminars are conducted if
modifications are implemented. How does the company monitor or ensure that
the policies were completely communicated to all employees?
c. Does the company conduct training for IT personnel? How often? Who
requests, and who approves, the training needed? Does the company keep
records of all training provided? How are these records maintained?
b. How are user IDs configured? How does the company ensure that all user IDs
are unique? Who is responsible for setting the user ID parameters?
10 Password Parameter
a. Are the current password parameters still the same as the parameters
in place in 2019?
b. Who is authorized to change the password parameters? What are the
usual reasons for changing the password parameters? Who approves
such a change?
11 Database Access
a. Is the vendor still the only one who can modify the database?
13 Remote Access
a. Based on last year's walkthrough, remote access is requested via email
or by phone call, and access is granted by the MIS. Does the
company follow the same process in 2020?
b. It was also mentioned that authentication is through a password only,
with no two-factor authentication in place. Is this still the case
for 2020?
18 Monitor Access
a. Based on last year's audit, unauthorized access attempts, both internal
and external, are logged via the Fortinet firewall, and MIS is alerted to
these attempts with a corresponding screenshot. Are there any changes in
the current set-up?
b. How is a successful breach resolved?
Response / Name and Position of Respondent
The drafted security policies are now covered by our New Employee Code of
Conduct, approved by Excom. A copy will be requested from management.
Screenshot of approval of policy (last page only) to be sent. (Angel Linchangco)
We now issue an e-blast and post it to the Teams channel for
communication. (Angel Linchangco)
Yes, via email only. No forms required. Managers and immediate superiors.
Some are cc'd to managers. No approval needed as long as managers are
informed. (Angel Linchangco)
User IDs are unique and are system generated. (Angel Linchangco)
Status / Follow-up Questions (respondent: ablinchangco@trinity-insures.com)
For Follow-Up: What does TIS stand for? What is the current version being used?
For Follow-Up: What is the current version of SQL being used?
For Follow-Up: How often is it reviewed?
For Follow-Up: Please provide an explanation of why the performance
evaluation was not done for 2020.
For Follow-Up: Provide a walkthrough of the transfer of pending accounts to
new assignees. Who is authorized to transfer these accounts?
For Follow-Up: Kindly elaborate on what multiple validations are done for
authentication to the system.
For Follow-Up: Does the system follow a specific user ID parameter in
generating the user ID?
For Follow-Up: For clarification, are internal reviews done now, in 2020?
May we ask if we can schedule a viewing of the internal documents?
For Follow-Up: For regular employees, may we clarify whether no 2FA is
enforced? What 2FA is enforced for administrators?
For Follow-Up: Are there any logs showing that no malware attacks happened?
For Follow-Up: Was VAPT done for 2020? If none, may we ask why?
Remaining status entries: Done, plus several For Follow-Up entries with no
follow-up question recorded.
Response / Status
No review last year, but we updated our JDs related to updating of
KRA/KPI. (Done)
All other items: Done.
Trinity Insurance Brokers
Test of IT General Controls - Technology Acquisition, Development and Maintenance
Internal Control Questionnaires
Question
2 Change Management
a. Is the change management process still done by the CITS? Could you
explain the process based on the contract with them?
c. For change requests, do business units still request via email? If yes,
are the e-mail trails compiled and kept in a repository? How do you keep
track of the requests?
3 Post Implementation
a. Per last year's review, were there changes to the system that required
post-implementation reviews in 2020? Could you please identify the
changes and provide documentation of the post-implementation review?
b. It was noted in last year's audit that the user signifies their
acceptance via sign-off. How is this documented? How does the user
evaluate the changes to be approved? What factors are considered?
Maintenance
Yes, we don't have a Software Development Life Cycle agreement and change
management policy, although we have this Support and Maintenance agreement
with CITS and follow the protocol and SLA of the contract. Contract renewed,
same coverage. (Angel Linchangco)
None for 2020. That will be treated as a change order. (Angel Linchangco)
No changes. Only submitted errors and bugs encountered by users were sent
to be fixed by CITS/programmer via email request. (Angel Linchangco)
There are no change requests made; they will be under change order. We keep
track of requests via email, but those are errors omitted by the system.
No change in processes. (Angel Linchangco)
If there are change orders, there should be a PO and a request for change
order to CITS. Sign-off must be completed upon implementation or
post-implementation. (Angel Linchangco)
Yes, CITS have their own test environment. Should there be a correction or
update, they will be given permission for remote management. This is
disabled. (Angel Linchangco)
Yes. Required upon full payment of an approved change order. The user is to
test and must agree, in conformity with the agreed change order, which
results in sign-off. (Angel Linchangco)
Email / Status (respondent: ablinchangco@trinity-insures.com)
For Follow-Up, For Follow-Up, For Follow-Up, For Follow-Up, Done,
For Follow-Up, Done, For Follow-Up
Follow-up questions
Response / Status
Change orders are discussed with management and must be approved by the
president, then submitted to the vendor for review. Testing and sign-off
will be reviewed by the requesting department. (For Follow-Up)
Done
Sign-offs are also discussed by the committee/group involved. Change,
testing and rollback are discussed if needed. (For Follow-Up)
Trinity Insurance Brokers
Test of IT General Controls - Technology Infrastructure
Internal Control Questionnaires
Question
Technology Infrastructure
1 IT System Needs
a. Per last year's audit, no policy is established for the assessment of IT
system needs, and assessment is only done through a memo for request, report,
or recommendation. Are there any changes in this practice?
b. Training is also performed for new hires. Are there any changes in the
user manual? How does the company make sure that enough training is provided
for data processing?
c. Per last year's audit team observation of the Policy Order (PO) processing
module for renewals, the only mandatory field is the information needed
to capture the name of the client. For new business, all fields are
mandatory and are no longer editable once done. Are there any changes in this
procedure? How does the company ensure that correct information is entered
in the system before the PO is submitted?
e. Does the company still use only one application? Is there still no data
transfer process in 2020?
3 Secure Areas
a. Are there any changes in the existing security and physical controls in
the data room or server room?
b. How often are the controls in place inspected? Who is responsible for
the inspection? How is it documented?
c. Enumerate the personnel who have access to the data rooms and servers.
4 Batch Processing
a. Per last year's walkthrough, there is no batch processing for TIS. Is this
still the case for 2020?
5 Backup Policy
a. Are there any changes in the backup procedure of TIS?
c. How does the company determine that backup and recovery was done
successfully?
Reviews and TAT are within PAG. There is a departmental manual from
PAG. (Angel Linchangco)
MIS personnel only. Admin and PMO require permission. (Angel Linchangco)
Status / Follow-up Questions (respondent: ablinchangco@trinity-insures.com)
For Follow-Up: Did IA conduct an assessment of IT system needs for 2020? If
yes, please provide us a copy of the result.
For Follow-Up: Is the server room inspected daily, weekly, or monthly?
Remaining status entries: Done, plus several For Follow-Up entries with no
follow-up question recorded.
Additional responses:
Aren Cunanan (accunanan@trinity-insures.com) for EB. Elaine Bianzon
(ecbianzon@trinity-insures.com) for GI.
Daily, as there are MIS personnel. And by Security for temperature check,
daily.
Razel Catapang