SOC Short Notes


Access Management

Physical access: ID card, scanner, token, biometrics.

Logical access: username and password.

Provisioning: access should be approved and authorized before it is granted.

Obtain the access policy and the list of new hires from the Active Directory listing for the reporting period.

TOD (test of design): select one sample and check whether the access request was raised (with date and time), who the approvers were, what access was granted, and which application it was for.

Follow the same steps for deprovisioning (revocation of a leaver's access).

Privileged access: admin rights are in line with the role and responsibilities.

Access Reviews:

Password management: policy, complexity, rotation frequency, blacklisted passwords, and MFA or two-factor authentication as an additional layer of security.

Change management: software, hardware, configuration.

Initiation (raising a ticket, authorization), planning (resource planning), development, testing, approval by the change advisory board (CAB), deployment (implementation), post-implementation review.

Elaborate on the testing phase?

Types: standard (low risk, frequent, pre-approved and tested), normal (goes through the normal process), emergency (high risk, must be resolved immediately).

Testing procedures: obtain the CM policy; obtain the list of changes during the reporting period and match the ticketing tool against what was deployed to production.

TOD as in the first step (access management): select one sample change and trace it through its ticket.

What is a rollout plan? A description of how to apply your change successfully.

Segregation of duties
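The provisioning TOD above, the change-management match of tickets against production, and segregation of duties all come down to the same reconciliation: every event in the population (an AD account creation, a production deployment) must have an approved ticket, the approval must predate the event, and nobody may approve their own request or implement what they approved. The script below is an added example, not part of these notes; every name, date and ticket ID in it is constructed, and the Ticket/Event shapes are assumptions about what an export from AD and a ticketing tool would look like.

```python
"""Added example: reconcile audit evidence for provisioning and change management.

Population = what actually happened (AD account creations, production deployments).
Evidence   = the approval tickets. The test: every population item has an approved
ticket, approval came BEFORE the event, and nobody approved their own request or
implemented what they approved (segregation of duties).
All names, dates and ticket IDs below are constructed for illustration.
"""
import random
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Ticket:
    """An approval record: an access request or a CAB change ticket."""
    ticket_id: str
    subject: str              # account name (provisioning) or change ID (change management)
    requester: str
    approver: Optional[str]
    approved_at: Optional[datetime]
    status: str               # "approved", "pending", "rejected"


@dataclass
class Event:
    """What the system of record says happened (AD audit log, deployment log)."""
    subject: str
    occurred_at: datetime
    actor: str                # who created the account / pushed the change


def reconcile(events: list[Event], tickets: list[Ticket]) -> list[tuple[str, str]]:
    """Return (subject, finding) pairs; an empty list means the sample passed."""
    by_subject = {t.subject: t for t in tickets}
    findings: list[tuple[str, str]] = []
    for ev in events:
        t = by_subject.get(ev.subject)
        if t is None:
            findings.append((ev.subject, "no ticket found for this event"))
            continue
        if t.status.lower() != "approved" or t.approved_at is None or not t.approver:
            findings.append((ev.subject, f"{t.ticket_id} not approved (status={t.status})"))
            continue
        if t.approved_at > ev.occurred_at:
            findings.append((ev.subject, f"{t.ticket_id} approved after the event occurred"))
        if t.approver == t.requester:
            findings.append((ev.subject, f"{t.ticket_id} approved by its own requester (SoD)"))
        if ev.actor == t.approver:
            findings.append((ev.subject, f"{t.ticket_id} implemented by its approver (SoD)"))
    return findings


def select_sample(population: list[Event], size: int, seed: int = 0) -> list[Event]:
    """Deterministic random sample: size 1 for a test of design, more for operating effectiveness."""
    return random.Random(seed).sample(population, min(size, len(population)))


# --- constructed provisioning population: new hires from the AD listing ---------------
NEW_HIRES = [
    Event("jdoe",   datetime(2024, 3, 1, 14, 0), actor="it.admin"),
    Event("asmith", datetime(2024, 3, 2, 10, 0), actor="it.admin"),   # no ticket at all
    Event("bjones", datetime(2024, 3, 4, 9, 0),  actor="it.admin"),   # approved a day late
]
ACCESS_TICKETS = [
    Ticket("ACC-101", "jdoe",   "mgr.smith", "it.lead", datetime(2024, 3, 1, 9, 0), "approved"),
    Ticket("ACC-103", "bjones", "mgr.smith", "it.lead", datetime(2024, 3, 5, 8, 0), "approved"),
]

# --- constructed change population: production deployments vs CAB tickets -----------
DEPLOYMENTS = [
    Event("CHG-2001", datetime(2024, 3, 11, 20, 0), actor="ops.b"),
    Event("CHG-2002", datetime(2024, 3, 12, 20, 0), actor="dev.c"),   # self-approved, self-deployed
    Event("CHG-2003", datetime(2024, 3, 13, 20, 0), actor="ops.b"),   # deployed while still pending
]
CAB_TICKETS = [
    Ticket("CHG-2001", "CHG-2001", "dev.a", "cab.chair", datetime(2024, 3, 10, 15, 0), "approved"),
    Ticket("CHG-2002", "CHG-2002", "dev.c", "dev.c",     datetime(2024, 3, 12, 9, 0),  "approved"),
    Ticket("CHG-2003", "CHG-2003", "dev.a", None,        None,                          "pending"),
]


def provisioning_findings() -> list[tuple[str, str]]:
    return reconcile(NEW_HIRES, ACCESS_TICKETS)


def change_findings() -> list[tuple[str, str]]:
    return reconcile(DEPLOYMENTS, CAB_TICKETS)


if __name__ == "__main__":
    for label, findings in (("provisioning", provisioning_findings()), ("change", change_findings())):
        print(f"{label}: {len(findings)} exception(s)")
        for subject, finding in findings:
            print(f"  {subject}: {finding}")
```

Run it over the whole population rather than one sample and you have a test of operating effectiveness instead of a test of design; the exceptions it prints (a missing ticket, a late approval, a self-approved and self-deployed change, a deployment of a pending change) are exactly the items an auditor would write up.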

Incident management: a plan to resolve reported incidents to reduce the risk of loss and reputational damage.

Testing procedure: identifying, reporting (raising a ticket), validating the event, capturing or logging information, investigation or root cause analysis, communication, resolution, review, lessons learned documented.

Audit: obtain and inspect the policy; check that an effective incident response plan is in place and that the document has been reviewed and approved by senior management.

Backup plan: important for the disaster recovery plan. Check the policy and process documents, backup frequency, life cycle and types of backup (full, incremental, differential), and verify that alerts are configured for failed jobs.

Confirm that the backup completed on the specified date.

If a backup failed, check management's actions to resolve the issue. Verify that admin rights to change the backup configuration are restricted to authorized IT personnel.

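The completion and follow-up checks above, as an added example that is not part of these notes: given a backup job log for the reporting period, it lists every stretch of days without a successful backup and every failed run that has no remediation ticket. The log format, dates, statuses and ticket numbers are constructed for illustration.

```python
"""Added example: test backup completion against the required frequency.

Two findings an auditor looks for in a backup job log over the reporting period:
  1. days on which no successful backup exists (schedule not met), and
  2. failed runs with no evidence of management action (no remediation ticket).
The log below is constructed; a real one would come from the backup tool's job history.
"""
from datetime import date, timedelta

PERIOD_START = date(2024, 3, 1)
PERIOD_END = date(2024, 3, 7)

# (run date, job status, remediation ticket if the run failed) -- constructed sample
BACKUP_LOG = [
    ("2024-03-01", "success", None),
    ("2024-03-02", "success", None),
    ("2024-03-03", "failed", "INC-4410"),   # failed, but management raised a ticket ...
    ("2024-03-03", "success", None),        # ... and the rerun the same day succeeded
    ("2024-03-04", "failed", None),         # failed with no follow-up at all
    # 2024-03-05: no run recorded
    ("2024-03-06", "success", None),
    ("2024-03-07", "success", None),
]


def check_backup_coverage(log, period_start: date, period_end: date,
                          max_gap_days: int = 1) -> list[tuple[str, str]]:
    """Return (date or date range, finding) pairs for the reporting period.

    max_gap_days is the required frequency: 1 = a successful backup every day,
    7 = at least weekly, and so on.
    """
    successes = sorted({date.fromisoformat(d) for d, status, _ in log if status == "success"})
    findings: list[tuple[str, str]] = []

    # Walk the successful runs and flag any gap longer than the required frequency.
    # The sentinels make the period boundaries count as if a backup ran just outside them.
    previous = period_start - timedelta(days=1)
    for run in successes + [period_end + timedelta(days=1)]:
        gap = (run - previous).days
        if gap > max_gap_days:
            first_missed = previous + timedelta(days=1)
            last_missed = run - timedelta(days=1)
            findings.append((f"{first_missed}..{last_missed}",
                             f"no successful backup for {gap - 1} day(s)"))
        previous = run

    # Every failure needs evidence of management action (here: a remediation ticket).
    for d, status, ticket in log:
        if status == "failed" and not ticket:
            findings.append((d, "failed run with no remediation ticket"))
    return findings


def backup_findings() -> list[tuple[str, str]]:
    return check_backup_coverage(BACKUP_LOG, PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    for when, finding in backup_findings():
        print(f"{when}: {finding}")
```

Note that the failed run on 03-03 is not an exception on its own, because the rerun succeeded the same day and a ticket exists; the exceptions are the two-day gap (03-04 and 03-05) and the 03-04 failure that nobody followed up.
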
SOC Reporting:

Service Organization Controls, attested by an independent service auditor.

Types of reporting: SOC 1: reports on a service organization's controls relevant to its customers' internal control over financial reporting (ICFR).

SOC 2: addresses controls relevant to operations and compliance, as outlined by the Trust Services Criteria (TSC). The review period is generally 6 to 12 months.

TSC: Security: protection of the system against unauthorized access (the common criteria, required in every SOC 2).

Availability: the system is available for operation and use as committed or agreed.

Processing integrity: system processing is complete, accurate and authorized.

Confidentiality: information designated as confidential is protected as committed or agreed.

Privacy: personal information is collected, used, retained, disclosed and disposed of in line with the privacy notice.

SOC 2 Type I: the design of controls at a specific point in time.

Type II: tests the operating effectiveness of controls over a period of time.

Bridge letter (gap letter): covers the gap between the SOC report period end date and the user organization's fiscal year end date. It states that there have been no significant changes that would impact the report's conclusions. It is signed by the service organization itself and provided directly to the customer; the CPA firm does not attest to anything in it, as it has not performed any additional procedures.

SOC 3: reports whether the entity has effective controls with respect to the TSC. A general-use report for B2C environments: it can be shared without an NDA and displayed on a website.
