The Changing Technology Landscape:
Moving to Internal Audit 2.0
www.pwc.com
PwC
Raising internal audit's game
This publication has been prepared to support an oral presentation and is for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
2016 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
http://www.pwc.com/structure
The technology landscape is changing faster than ever before

Expectations: leadership, clarity, drive value, trusted advisor

Key trends
Cybersecurity & privacy risk: theft of customer data and intellectual property; organized crime activity; global ecosystem
Digital disruption: social, mobile, blockchain, cloud
Business & technology transformation: consumerization of IT; evolving business models; massive transformation of applications and infrastructure
Regulatory pressure: complex regulatory environment; increased pressure and audits
Big data: increased transaction volumes; data quality; data governance & management

What this means for Internal Technology Audit
Higher expectations from executive management and boards
Provide value-added services and proactive strategic advice to the business
Need to clearly articulate full suite of IT internal audit solutions
Opportunities to grow, innovate, and drive quality
Differentiation
Organic and inorganic growth through specialization
What this means for our Internal Audit
Greater focus on quality and driving value and impact from investment in internal audit
Continuous Auditing
What are Continuous Monitoring (CM) and Continuous Auditing (CA)?

Continuous Monitoring
Automated, continuous monitoring of relevant internal and external events and their outcomes to ensure that business processes, systems and controls are operating as prescribed. CM feedback can be used for continuous auditing or can trigger an on-demand audit.

Continuous Auditing
Continuous auditing is the collection of audit evidence by an auditor, related to business processes and controls, on a continuous basis; on that basis the auditor can provide a continuous or on-demand opinion on the state of the business process or control in question.
The Institute of Internal Auditors defines continuous audit as a means to issue an audit report simultaneously with, or immediately after, the event in question.
Data Analytics
Applying analytics to an existing audit program will not usually produce efficiencies and can in fact minimize, if not eliminate, the benefit of the tool
Analytics tools should be just one part of a comprehensive audit automation strategy
This strategy should be linked to a risk-based audit approach and be part of a start-from-scratch mentality in terms of universe and entity definition
The actual tools and methods employed should be determined by the risks identified and the goals of each audit
How audit automation changes the model

Data Discovery and Presentation: gaining effective insight through advances in visualization capabilities (audit by sight)
Agile Analytics: alternative modeling and analytic techniques that can tackle audit objectives in hours instead of weeks
Unstructured Data Integration: emerging methods to collect, organize, structure and search massive amounts of data not found in traditional databases
Enhanced Audit Management: collaborative project management technology integrated into audit planning, execution, and reporting

Build a learning organization
Increased risk coverage
Manage risk / return
Insight in real-time or right-time
Efficient audit cycle time
Sample reporting dashboard

Continuous Audit / Component, with quarterly ratings (R/Y/G) from 2011 through 2014, most recent quarter last, and comments for the current quarter:

Information Technology

Logical Access (Mainframe): No issues
  ACF2: G G G G G G G G G G G G G
  RACF: Y Y G G G G G G G G G G G
  Top Secret Security: G G G G G G G G G G G G G
  Application Security Database System: G G G G G G G G G G G G G
  MVS and Mainframe Software: G G R R G G G G G G G G G
  Enterprise Database Management Systems: G G G G G G G G G G G G G
  Data Security Administration - Pershing: G G G G G G G G G G G G G
  Data Security Administration: G G G G G G G G G G G G G

Logical Access (Distributed): Q4/2013: 1 High Priority issue, 1 Medium Priority issue; Q1/2014: 1 Medium Priority issue, 1 Low Priority issue [Fully Remediated]
  Windows/Active Directory: R R R R R R R R R R Y Y G
  OpenVMS: G G G Y G G G G G G G G G
  Unix and Linux Operating Systems: G G G G G G G G G G G Y Y
  Network Security & Administration: G G G Y G G G G G G G G G
  Enterprise Database Management Systems: Y Y Y G G G G G G G G G G
  Data Security Administration: G G G G G G G G G Y G R R

Global Change Management: Q3/2013: 1 High Priority issue; Q1/2014: 1 Medium Priority issue
  Centralized: Y Y Y Y Y Y R R G Y Y Y Y
  Decentralized: G G G G G Y Y Y G

Global Configuration Management: Q2/2013: 1 High Priority issue, 1 Medium Priority issue; Q4/2013: 1 Medium Priority issue
  Mainframe: G G G G G G G G G G G G G
  Distributed: G G R R R R Y Y Y R R R R
  Network: G G G Y G G G G G G G G G

Global System Operations: No issues

Global Project Management: Q3/2013: 2 Medium Priority issues
  Software Development Lifecycle (SDLC): G G Y Y Y Y
  Infrastructure Development Lifecycle (IDLC): Y Y G G G G
  Pershing Project Lifecycle (PPLC): Y Y G G G G

Global Data Interchange: Q1/2014: 1 High Priority issue
Primary Data Centers - USA: Q1/2014: 1 Low Priority issue
Global Network Security: No issues
Cyber Security: Q2/2013: 2 High Priority issues

Risk and Compliance
Global Business Continuity: No issues
Service Provider Management Office: No issues

Marketing & Corporate Affairs
Social Media: No issues

Summary dashboards would present the results of all detailed dashboards and provide an excellent means for assessing the state of IT.
Logical Access (Mainframe)
Control Point / Audit Procedure; quarterly ratings 2011 through 2014 (most recent quarter last); Comments for Current Quarter
Continuous Audit Rating: No issues

1. Authentication Controls
   (Verify that active user accounts belong to current employees or contractors.)
   (Review access to key operating system libraries/files.)
   Ratings: G G G G G G G G G G
   Comments: No issues
2. Prevention of improper modifications: Protection of system resources
   (Verify that key security settings are established in accordance with standards.)
   (Review controls implemented through key RACF, Top Secret and ACF2 files.)
   Ratings: G G G G G G G G G G G G G
   Comments: No issues
3. Monitoring: Detection of improper access
   (Assess the process for reviewing logs.)
   (Verify that activity of highly privileged accounts is reviewed.)
   Ratings: Y Y R R G G G G G G G G G
   Comments: No issues
4. Provisioning
   (Assess the process for granting and revoking user access to operating systems and applications.)
   Ratings: G G G G G G G G G G G G G
   Comments: No issues
5. Recertifying
   (Assess the process for recertifying user access.)
   Ratings: G G G G G G G G G G
   Comments: No issues
Logical Access (Distributed)
Control Point / Audit Procedure; quarterly ratings 2011 through 2014 (most recent quarter last); Comments for Current Quarter
Continuous Audit Rating: Q4/2013: 1 High Priority issue, 1 Medium Priority issue; Q1/2014: 1 Medium Priority issue, 1 Low Priority issue [Fully Remediated]

1. Authentication Controls
   (Verify that active user accounts belong to current employees or contractors.)
   (Review access to key operating system libraries/files.)
   Ratings: Y Y Y G G G G G G G G G G
   Comments: No issues
2. Authorization Controls
   (Review authorization levels of key accounts.)
   Ratings: R R R R R R R R R R Y Y Y
   Comments: Q4/2013: The UNIX server support model employed by Pershing requires a large number of users to be assigned root access. (Medium Priority)
3. Prevention of improper modifications: Protection of system resources
   (Verify that key security settings are set in accordance with standards.)
   Protection of production UDTs
   (Verify UDTs are adequately protected from improper modifications.)
   Ratings: Y Y R G G G G G G G G R R
   Comments: Q4/2013: A significant number of employees can amend the account details of approved payment files prior to their final submission to BACS for disbursement. (High Priority)
   Q1/2014: Unique VMS Operating System User Identification Codes are inappropriately assigned. (Low Priority) [Closed]
4. Monitoring: Detection of improper access
   (Assess the process for reviewing logs.)
   (Verify that activity of highly privileged accounts is reviewed.)
   Ratings: G R Y Y Y G G G G G G
   Comments: No issues
5. Provisioning
   (Assess the process for granting and revoking user access to operating systems and applications.)
   Ratings: G G G Y G G G G G Y G G Y
   Comments: Q1/2014: Role Based Access Control (RBAC) usage within the Company needs improvement. (Medium Priority)
6. Recertifying
   (Assess the process for recertifying user access.)
   Ratings: G G Y Y G G G G G G G G G
   Comments: No issues
Global Change Management
Control Point / Audit Procedure; quarterly ratings 2011 through 2014 (most recent quarter last); Comments for Current Quarter
Continuous Audit Rating: Q3/2013: 1 High Priority issue; Q1/2014: 1 Medium Priority issue

1. Authentication Controls
   (Verify that administrative accounts for Remedy belong to current employees or contractors.)
   (Verify that administrative accounts for SCCB belong to current employees and/or contractors that have a business need for the access.)
   Ratings: G G G G G G G G G G G G G
   Comments: No issues
2. Authorization Controls: Segregation of Duties
   (Level of access that developers have in Harvest and production.)
   (Level of access that Harvest Administrators have in the production environment.)
   (Separate development and production environments.)
   Ratings: G G G Y G G G G G G G G G
   Comments: No issues
3. Application Change Control Process
   (Application changes follow the standard corporate processes, i.e. Harvest or Endevor.)
   (Verify that emergency changes to applications comply with standards.)
   Ratings: R R R G G G G G G R R R G
   Comments: No issues
4. Network Device Change Process
   (Confirm that changes to firewalls and routers are authorized.)
   Ratings: G G G G G G G G G G R R R
   Comments: Q3/2013: The tracking system used to validate firewall and router device changes was not capturing all change activity. (High Priority)
5. Database Change Process
   (Confirm that changes to databases are authorized.)
   Ratings: G G G G G G G G G G
   Comments: No issues
6. Change Standards and Procedures
   (Standards govern the change management process for the Windows, UNIX, VMS, and mainframe platforms, as well as their associated source code version control systems.)
   (Standards govern ClearCase and Endevor.)
   Ratings: G G G G G G R G G Y
   Comments: Q1/2014: Risk Control Self-Assessments are incomplete, outdated or missing. (Medium Priority)
7. Patch Management Process
   (Confirm that security patches are evaluated and applied.)
   Ratings: Y Y R R R R R R G G G G G
   Comments: No issues
Global Configuration Management
Control Point / Audit Procedure; quarterly ratings 2011 through 2014 (most recent quarter last); Comments for Current Quarter
Continuous Audit Rating: Q2/2013: 1 High Priority issue, 1 Medium Priority issue; Q4/2013: 1 Medium Priority issue

1. Network Device Configurations
   (Ensure that the templates used for establishing and checking configuration parameters accord with policy and established practices.)
   (Review results of management's periodic process for confirming compliance with the templates and correcting differences.)
   (Confirm that configuration parameters match the templates.)
   Ratings: G G G G G G G G G G G G G
   Comments: No issues
2. Operating system parameters
   (Verify that key operating system libraries/files point to the appropriate start-up version.)
   (Ensure that the purpose of all start-up parameters is documented.)
   (Review documentation on duplicated key operating system members appearing in different libraries.)
   (Verify that group policy parameters are set securely.)
   Ratings: G G G R Y Y Y G G G G G G
   Comments: No issues
3. System Configuration
   (Verify that logging is enabled.)
   (Verify that password settings are established in accordance with standards.)
   (Verify that key security settings are established in accordance with standards.)
   Ratings: G G R R R Y Y G Y R R R R
   Comments: Q2/2013: Inadequate access controls exist for a large number of share drives throughout the Company. (High Priority)
4. Network Design and Controls
   (Ensure that network design includes security elements such as IDS/IPS and firewalls in appropriate locations.)
   (Review firewall rules that govern access.)
   (Review design and implementation of remote access (VPN) including dual factor authentication and encryption.)
   (Review design and implementation of wireless entry points including authentication and encryption mechanisms.)
   Ratings: Y G G G G G G G Y Y
   Comments: Q4/2013: The process for verifying and maintaining internet firewall configuration is not adequately formalized. (Medium Priority)
5. Database Configuration
   (Verify that logging is enabled.)
   (Verify that security settings are established in accordance with standards.)
   Ratings: G G G G G G Y Y G Y Y Y Y
   Comments: Q2/2013: Governance over database password complexity enforcement is inappropriate. (Medium Priority)
6. Configuration Standards and Procedures
   (Review standards that govern the configuration of operating systems, security software, databases, and network devices.)
   Ratings: G G G G G G G G G G
   Comments: No issues
7. Protection of Workstations
   (Assess the coverage state of antivirus software.)
   Ratings: G G G G Y G G G G G
   Comments: No issues
Global System Operations
Control Point / Audit Procedure; quarterly ratings 2011 through 2014 (most recent quarter last); Comments for Current Quarter
Continuous Audit Rating: No issues

1. Authentication Controls
   (Verify that administrative accounts for the scheduling software belong to current employees or contractors.)
   (Verify that administrative accounts for the backup software belong to current employees or contractors.)
   Ratings: G G G G G G G G G G G G G
   Comments: No issues
2. Back-up Controls
   (Verify that back-ups are scheduled and successfully executed.)
   Ratings: G G G Y G G G G G G G G G
   Comments: No issues
3. Incident management processes
   (Verify that Remedy tickets were closed timely and indicate that the incident was appropriately resolved.)
   Ratings: G G G G G G G G G G G G G
   Comments: No issues
4. Scheduling Controls
   (Confirm that changes to schedules are approved.)
   Ratings: G G G G G G G G G G
   Comments: No issues
Global Project Management
Control Point / Audit Procedure; quarterly ratings 2011 through 2014 (most recent quarter last); Comments for Current Quarter
Continuous Audit Rating: Q3/2013: 2 Medium Priority issues

1. Project Governance
   (Determine how projects are selected, prioritized, and aligned with Corporate strategy. Review associated policies and procedures.)
   Ratings: Y G G G
   Comments: No issues
2. Project Framework Definition
   (Analyze the framework(s) in place across the organization and their compliance with industry standards: FFIEC, ITIL, CobiT.)
   Ratings: Y Y Y
   Comments: Q3/2013: Lessons learned considerations during planning, and business resource hours, are not included as requirements within the System Development Lifecycle (SDLC) Framework. (Medium Priority)
3. Project Management
   (Assess the compliance of Project Management to defined project frameworks, and the quality of delivery.)
   Ratings: Y Y Y Y Y G
   Comments: No issues
4. Project Engagement
   (Assess the adequacy of stakeholder engagement during projects, to include internal and external communication strategies.)
   Ratings: Y Y G Y Y Y
   Comments: Q3/2013: Support groups are not engaged during project initiation. (Medium Priority)
Global Data Interchange
Control Point / Audit Procedure; quarterly ratings 2011 through 2014 (most recent quarter last); Comments for Current Quarter
Continuous Audit Rating: Q1/2014: 1 High Priority issue

1. Policies and Procedures
   (Verify that applicable policies and procedures for the data transmissions are in place and reflect the current environment.)
   Ratings: G Y Y Y G
   Comments: No issues
2. Encryption Protocols
   (Assess the process to protect data transmissions to and from external parties.)
   Ratings: G G G
   Comments: No issues
3. Authentication Controls
   (Determine that external data transmissions received are verified as originating from a known source.)
   Ratings: G G G
   Comments: No issues
4. Authorization Controls
   (Determine that access to data transmission systems is assigned commensurate with job functionality.)
   Ratings: G G R
   Comments: Q1/2014: Application support personnel are assigned a powerful SWIFT Alliance Access application profile. (High Priority)
5. Monitoring
   (Confirm that data transmissions are monitored, with unsuccessful transmissions of data being recorded and resolved.)
   Ratings: G G G
   Comments: No issues
6. Transmission Setup Requests
   (Verify that request systems and approval workflows exist for the setup or modification of data transmissions.)
   Ratings: G G G
   Comments: No issues
Primary Data Centers - USA
Control Point / Audit Procedure; quarterly ratings 2011 through 2014 (most recent quarter last); Comments for Current Quarter
Continuous Audit Rating: Q1/2014: 1 Low Priority issue

1. Access Recertification
   (Assess the process to recertify physical access to the primary data centers.)
   (Verify that the physical access modifications resulting from the recertification were performed in a timely fashion.)
   Ratings: G Y G G Y
   Comments: Q1/2014: An approved request to remove one individual's access to the TPC tape operations room was not executed in a timely manner. (Low Priority)
2. Physical Access
   (Determine that physical access to the primary data centers is assigned commensurate with job functionality.)
   (Assess the process to authorize individuals' physical access to the primary data centers.)
   (Assess the process to revoke physical access to the primary data centers for those individuals who no longer require access.)
   Ratings: G G G
   Comments: No issues
3. Environmental Controls
   (Assess the preventative maintenance process for environmental control systems including: fire prevention/detection, temperature/humidity, uninterruptible power supply and generator systems.)
   Ratings: G G G
   Comments: No issues
4. IT Hardware Asset Management
   (Assess the process to maintain a comprehensive listing of computing resources maintained within the primary data centers.)
   Ratings: G G G
   Comments: No issues
Global Network Security
Control Point / Audit Procedure; quarterly ratings 2011 through 2014 (most recent quarter last); Comments for Current Quarter
Continuous Audit Rating: No issues

1. Security Incidents
   (Incidents contain adequate documentation.)
   (Incidents are investigated and tracked to resolution.)
   Ratings: G G G G G G G G G G G G G
   Comments: No issues
2. Policies and Procedures
   (Assess the adequacy of applicable policies and procedures surrounding global network security.)
   (Assess segregation of duties between installation and deployment functions and reporting and monitoring functions.)
   Ratings: G G G G G G G
   Comments: No issues
3. Protection of Internal Network
   (Assess the process for implementing Intrusion Detection Systems.)
   (Assess the process for implementing Intrusion Prevention Systems.)
   Ratings: Y Y Y Y Y G G G G G
   Comments: No issues
4. Monitoring
   (Evaluate the process to monitor, escalate, investigate and resolve intrusive network activities.)
   Ratings: G G G G G G G G
   Comments: No issues
5. Reporting
   (Evaluate management reporting practices pertaining to security incidents and suspicious network activity.)
   Ratings: G G G G G G G G
   Comments: No issues
Cyber Security
Control Point / Audit Procedure; quarterly ratings 2011 through 2014 (most recent quarter last); Comments for Current Quarter
Continuous Audit Rating: Q2/2013: 2 High Priority issues

1. Cyber Security Governance and Reporting
   (Review adequacy of information security organizational structure and reporting line for sufficient authority.)
   Ratings: G G G G R R R R
   Comments: Q2/2013: Employees in international locations are using unapproved and informal translation applications. (High Priority)
2. Cyber Security Exercises
   (Review vulnerability scans/assessments to determine follow through.)
   (Review of remote access controls.)
   Ratings: G G R R R R
   Comments: Q2/2013: Controls to prevent the transfer of Company data to external devices can be bypassed. (High Priority)
3. Simulated Hack of Network and Applications
   (Run independent application security scans / ethical hacks into selective networks and applications.)
   Ratings: G G G G G G G G G
   Comments: No issues
4. Signals Intelligence
   (Wireless security scans / ethical hacks into selective mobile devices.)
   Ratings: G G G G G G
   Comments: No issues
5. Web Behavioral Analytics
   (Email phishing through spoofed email.)
   (Monitoring of network traffic to analyze web behavior.)
   Ratings: R G G G
   Comments: No issues
6. Operating System Vulnerability Scans
   (Run security scans / ethical hacks into selective images of Operating Systems.)
   Ratings: G G G G G G
   Comments: No issues
7. Web Application Vulnerability Scans
   (Run back / front door advanced persistent attacks [APTs].)
   Ratings: G Y Y Y G
   Comments: No issues
Global Business Continuity
Control Point / Audit Procedure; quarterly ratings 2011 through 2014 (most recent quarter last); Comments for Current Quarter
Continuous Audit Rating: No issues

1. BCP/DR Requirements Definition, IT Strategy, Plan Development & Implementation
   (Analyze the overall structure for defining requirements through implementation.)
   Ratings: G G G G G G G G G G
   Comments: No issues
2. BCP Plan Review
   (Analyze BCP plans for comprehensiveness and effective testing and remediation.)
   Ratings: G G G G G G G G G G G G G
   Comments: No issues
3. BCP/DR Governance
   (Review GCP policy and Board and Senior Management oversight.)
   Ratings: G G G G G G G G G G G G G G
   Comments: No issues
4. BCP/DR Reporting
   (Monitor BRC weekly calls.)
   Ratings: G G G G G G G G G G G G G
   Comments: No issues
5. BCP/DR Exercises (Plan, Execution, Results)
   (Confirm that recovery exercises have been conducted with appropriate documentation and follow-up.)
   (Confirm that applications have been tested annually with appropriate documentation and follow-up.)
   (Confirm that applications have been tested according to scheduled requirements with appropriate documentation and follow-up.)
   Ratings: G Y G G G G G G G G G
   Comments: No issues
Service Provider Management Office
Control Point / Audit Procedure; quarterly ratings 2011 through 2014 (most recent quarter last); Comments for Current Quarter
Continuous Audit Rating: No issues

1. Administration/Organization
   (Analyze the organizational framework in place within IRM that handles the service provider management program.)
   Ratings: G G G G G G G
   Comments: No issues
2. Training
   (Ensure training is available to LOB personnel.)
   Ratings: G G G G G G
   Comments: No issues
3. Standard Tools
   (Security of systems/tools in place used to maintain SPM information.)
   Ratings: G G G G G G
   Comments: No issues
4. Service Provider Program Documentation
   (Completeness and accuracy of compiled data and Attestation Process.)
   Ratings: G G G G G G
   Comments: No issues
5. Individual Service Provider Documentation
   (SPM database contains current information relating to individual SPs deemed important.)
   Ratings: G G G G G G
   Comments: No issues
6. Site Visits
   (Procedures and processes to conduct site visits for service providers.)
   Ratings: G G G G G G
   Comments: No issues
7. Oversight, Support and Escalation Related to Service Providers
   (Follow-through of Responsibilities, Notification and Escalation, Review of Service Provider Management Reports.)
   Ratings: G G G G G G G G G
   Comments: No issues
Social Media
Control Point / Audit Procedure; quarterly ratings 2011 through 2014 (most recent quarter last); Comments for Current Quarter
Continuous Audit Rating: No issues

1. Governance
   (Determine if policies and procedures regarding social media are up to date and reflect current conditions.)
   (Assess established governance structure for appropriate representation and adequacy.)
   Ratings: G G G G G G
   Comments: No issues
2. System Access Controls
   (Ascertain the appropriateness of system authentication controls and user provisioning to social media tools.)
   (Determine if access controls are assigned commensurate with job responsibilities.)
   Ratings: Y Y G G
   Comments: No issues
3. Content Change Controls
   (Ascertain the appropriateness of the processes to create, modify, approve and publish social media content.)
   (Ascertain the processes to detect and identify unauthorized social media content.)
   Ratings: G G G
   Comments: No issues
4. Monitoring of Brand
   (Ascertain the processes to review social media sites for awareness of non-corporate social media usage affecting the Company.)
   (Ascertain the escalation processes for any potential issues based on a set of pre-determined procedures.)
   Ratings: G G G
   Comments: No issues
Asset Servicing Core Apps
Control Point / Audit Procedure; quarterly ratings Q1 2012 through Q1 2013 (most recent quarter last); Comments for Current Quarter
Continuous Audit Rating: No issues

1. Logical Access Controls and Monitoring
   (Verify that passwords are configured in line with policy and remain compliant during the year, that user authentication to the application complies with the Company's policy, and that logs exist which support the identification of security events in line with the criticality of the application.)
   Ratings: G Y G G G
   Comments: No issues
2. Segregation of Duties
   (Verify that privileged accounts are documented and have clear ownership, IT developers have no access to production, Super Access is limited to appropriate individuals, and duplicate/inactive user accounts are disabled/removed to prevent access misuse.)
   Ratings: G Y G G G
   Comments: No issues
3. Application Stability
   (Availability reports are maintained and actively monitored against business expectations or vendor SLAs; application incidents are monitored, escalated and resolved as appropriate, including involvement of third party vendor support.)
   Ratings: G G G G G
   Comments: No issues
4. Application Change Management
   (Verify that application changes follow the standard corporate processes, i.e. Harvest or Endevor. Where the corporate process is not followed, changes are managed following controls which provide the same level of assurance.)
   Ratings: G G G G G
   Comments: No issues
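As an added illustration (not PwC's tooling, nor code from the dashboards above), the following Python derives a component's summary line from its detail rows, using the Logical Access (Distributed) control points as constructed input. The finding format and the "[Fully Remediated]" tag follow the dashboards on this page; the per-quarter worst-of colour roll-up is an assumption, since the page does not define how component colours are derived.

```python
"""Roll up control-point findings into a component summary line.

Added illustration; not PwC's or the presented dashboards' own tooling.
Assumes the detail-dashboard conventions visible on this page: each control
point has a quarterly R/Y/G rating string (most recent quarter last) and a
'Comments for Current Quarter' cell holding zero or more findings of the form
'Qn/YYYY: <text>. (<High|Medium|Low> Priority)', optionally tagged '[Closed]'.
"""
import re
from collections import defaultdict

FINDING_RE = re.compile(
    r"(?P<quarter>Q[1-4]/\d{4}):\s*(?P<text>.*?)\s*"
    r"\((?P<priority>High|Medium|Low) Priority\)"
    r"(?P<closed>\s*\[Closed\])?"
)
PRIORITY_ORDER = ("High", "Medium", "Low")
RATING_RANK = {"G": 0, "Y": 1, "R": 2}  # '-' (not assessed) ranks below G

# Constructed from the Logical Access (Distributed) detail dashboard above:
# (ratings, comments-for-current-quarter) per control point.
LOGICAL_ACCESS_DIST = [
    ("YYYGGGGGGGGGG", "No issues"),
    ("RRRRRRRRRRYYY",
     "Q4/2013: The UNIX server support model employed by Pershing requires "
     "a large number of users to be assigned root access. (Medium Priority)"),
    ("YYRGGGGGGGGRR",
     "Q4/2013: A significant number of employees can amend the account "
     "details of approved payment files prior to their final submission to "
     "BACS for disbursement. (High Priority) "
     "Q1/2014: Unique VMS Operating System User Identification Codes are "
     "inappropriately assigned. (Low Priority) [Closed]"),
    ("GRYYYGGGGGG", "No issues"),
    ("GGGYGGGGGYGGY",
     "Q1/2014: Role Based Access Control (RBAC) usage within the Company "
     "needs improvement. (Medium Priority)"),
    ("GGYYGGGGGGGGG", "No issues"),
]


def parse_findings(comment):
    """Extract (quarter, priority, closed) tuples from one comment cell."""
    return [(m["quarter"], m["priority"], m["closed"] is not None)
            for m in FINDING_RE.finditer(comment)]


def quarter_key(quarter):
    """'Q4/2013' -> (2013, 4), so quarters sort chronologically."""
    qn, year = quarter.split("/")
    return int(year), int(qn[1])


def summarize_findings(rows):
    """Build the component's 'Continuous Audit Rating' text from its rows.

    Findings are counted per quarter and priority; a group whose findings
    are all tagged [Closed] gets the '[Fully Remediated]' suffix, as on the
    page's summary dashboard.
    """
    total = defaultdict(int)   # (quarter, priority) -> number of findings
    closed = defaultdict(int)  # (quarter, priority) -> number closed
    for _, comment in rows:
        for quarter, priority, is_closed in parse_findings(comment):
            total[(quarter, priority)] += 1
            closed[(quarter, priority)] += int(is_closed)
    if not total:
        return "No issues"
    parts = []
    for quarter in sorted({q for q, _ in total}, key=quarter_key):
        items = []
        for priority in PRIORITY_ORDER:
            n = total.get((quarter, priority), 0)
            if not n:
                continue
            item = f"{n} {priority} Priority issue{'s' if n > 1 else ''}"
            if closed[(quarter, priority)] == n:
                item += " [Fully Remediated]"
            items.append(item)
        parts.append(f"{quarter}: " + ", ".join(items))
    return "; ".join(parts)


def worst_rating_by_quarter(rows):
    """Assumed roll-up (not defined on the page): per quarter, the worst
    R/Y/G across all control points. Shorter rating strings are aligned to
    the most recent quarter on the right; quarters a control point was not
    yet assessed in are padded with '-' and never worsen the result."""
    width = max(len(ratings) for ratings, _ in rows)
    worst = ["-"] * width
    for ratings, _ in rows:
        for i, r in enumerate(ratings.rjust(width, "-")):
            if RATING_RANK.get(r, -1) > RATING_RANK.get(worst[i], -1):
                worst[i] = r
    return "".join(worst)


if __name__ == "__main__":
    print(summarize_findings(LOGICAL_ACCESS_DIST))
    print(worst_rating_by_quarter(LOGICAL_ACCESS_DIST))
```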
Control Point / Audit Procedure; Qtr 1, 2011 through Qtr 4, 2011; Comments for Current Quarter

1. Authentication Controls
   (Verify that active user accounts belong to current employees or contractors.)
   (Review access to key operating system libraries/files.)
   Ratings: G
   Comments: No issues
2. Prevention of improper modifications: Protection of system resources
   (Verify that key security settings are established in accordance with standards.)
   (Review controls implemented through key RACF, Top Secret and ACF2 files.)
   Ratings: G G G G
   Comments: No issues
3. Monitoring: Detection of improper access
   (Assess the process for reviewing logs.)
   (Verify that activity of highly privileged accounts is reviewed.)
   Ratings: Y Y R R
   Comments: Q3/2011: Powerful system permissions in the UNISYS computing environment are not effectively controlled and monitored. (High Priority)
4. Provisioning
   (Assess the process for granting and revoking user access to operating systems and applications.)
   Ratings: G G G G
   Comments: No issues
5. Recertifying
   (Assess the process for recertifying user access.)
   Ratings: G
   Comments: No issues

Audit Rating: Q3/2011: 1 High Priority issue
Control Point / Audit Procedure; Qtr 1, 2011 through Qtr 4, 2011; Comments for Current Quarter

1. Authentication Controls
   (Verify that active user accounts belong to current employees or contractors.)
   (Review access to key operating system libraries/files.)
   Ratings: Y Y Y G
   Comments: Q4/2011: Administrative access to firewalls is not periodically reviewed. (Low Priority)
2. Authorization Controls
   (Review authorization levels of key accounts.)
   Ratings: R R R R
   Comments: Q3/2011: An excessive number of user accounts (30,337 specific accounts and 85,170 total accounts) have administrator access across the global Windows environment. (High Priority)
3. Prevention of improper modifications: Protection of system resources
   (Verify that key security settings are set in accordance with standards.)
   Protection of production UDT
   (Verify UDT is adequately protected from improper modifications.)
   Ratings: Y G G G
   Comments: No issues
4. Monitoring: Detection of improper access
   (Assess the process for reviewing logs.)
   (Verify that activity of highly privileged accounts is reviewed.)
   Ratings: G R
   Comments: Q4/2011: Local account access management in the Windows environment is inappropriate. (Medium Priority)
   Q4/2011: Access controls to BlueCoat servers are inappropriate. (Medium Priority)
   Q4/2011: Administrators share a highly privileged account in the Federation Manager system. (Low Priority)
5. Provisioning
   (Assess the process for granting and revoking user access to operating systems and applications.)
   (Review the process for adding users to TACACS.)
   Ratings: G G G Y
   Comments: Q4/2011: Temporary access to OpenVMS accounts with elevated privileges is inadequate. (Medium Priority)
6. Recertifying
   (Assess the process for recertifying user access.)
   Ratings: G G Y Y
   Comments: Q3/2011: Exceptions for obtaining write access to USB storage devices are not being recertified. (Medium Priority)

Audit Rating: Q3/2011: 1 High Priority issue, 1 Medium Priority issue
Q4/2011: 3 Medium Priority issues, 2 Low Priority issues
| Control Point / Audit Procedure | Qtr 1, 2011 | Qtr 2, 2011 | Qtr 3, 2011 | Qtr 4, 2011 | Comments for Current Quarter |
|---|---|---|---|---|---|
| Authentication Controls (Verify that administrative accounts for Remedy belong to current employees or contractors.) (Verify that administrative accounts for SCCB belong to current employees and/or contractors that have a business need for the access.) | G | G | G | G | No issues |
| Authorization Controls: Segregation of Duties (Level of access that developers have in Harvest and production.) (Level of access that Harvest Administrators have in the production environment.) (Separate development and production environments.) | G | G | G | Y | Q4/2011: An IT developer has unrestricted access to a Pershing UK production server. (Medium Priority) |
| Application Change Control Process (Confirm that application changes are authorized.) (Verify that emergency changes to applications comply with standards.) | R | R | R | G | No issues |
| Network Device Change Process (Confirm that changes to firewalls and routers are authorized.) | G | G | G | G | No issues |
| Database Change Process (Confirm that changes to databases are authorized.) | | | | G | No issues |
| Change Standards and Procedures (Standards govern the change management process for the Windows, UNIX, VMS, and mainframe platforms, as well as their associated source code version control systems.) (Standards govern ClearCase and Endevor.) | | | | G | No issues |
| Patch Management Process (Confirm that security patches are evaluated and applied.) | Y | Y | R | R | Q3/2011: Technology governance over the administration and application of patches to the Company's computing infrastructure is ineffective. (High Priority) |

Audit Rating: Q3/2011: 1 High Priority issue; Q4/2011: 1 Medium Priority issue
| # | Control Point / Audit Procedure | Qtr 1, 2011 | Qtr 2, 2011 | Qtr 3, 2011 | Qtr 4, 2011 | Comments for Current Quarter |
|---|---|---|---|---|---|---|
| 1 | Network Device Configurations (Ensure that the templates used for establishing and checking configuration parameters accord with policy and established practices.) (Review results of management's periodic process for confirming compliance with the templates and correcting differences.) (Confirm that configuration parameters match the templates.) | G | G | G | G | No issues |
| 2 | Operating system parameters (Verify that key operating system libraries/files point to the appropriate start-up version.) (Ensure that the purpose of all start-up parameters is documented.) (Review documentation on duplicated key operating system members appearing in different libraries.) (Verify that group policy parameters are set securely.) | G | G | G | R | Q4/2011: Critical configurations in the Windows environment are inappropriate. (High Priority) |
| 3 | System Configuration (Verify that logging is enabled.) (Verify that password settings are established in accordance with standards.) (Verify that key security settings are established in accordance with standards.) | G | G | R | R | Q3/2011: A critical setting in the UNIX environment is set to allow unrestricted system access to several production servers. (High Priority) Q4/2011: UNIX servers do not have anti-virus software installed and are not being scanned for vulnerabilities. (High Priority) Q4/2011: UNIX servers' password parameters are not configured appropriately. (Medium Priority) |
| 4 | Network Design and Controls (Ensure that network design includes security elements such as IDS/IPS and firewalls in appropriate locations.) (Review firewall rules that govern access.) (Review design and implementation of remote access (VPN) including dual factor authentication and encryption.) (Review design and implementation of wireless entry points including authentication and encryption mechanisms.) | | | | Y | Q4/2011: Firewalls are not configured appropriately. (Medium Priority) |
| 5 | Database Configuration (Verify that logging is enabled.) (Verify that security settings are established in accordance with standards.) | G | G | G | G | No issues |
| 6 | Configuration Standards and Procedures (Review standards that govern the configuration of operating systems, security software, databases, and network devices.) | | | | G | Q2/2011: Database security standards are outdated, inconsistent across heritage database platforms, and not aligned with the Corporate Authentication Policy [self-identified]. (Low Priority) |

Audit Rating: Q2/2011: 1 Low Priority issue; Q3/2011: 1 High Priority issue; Q4/2011: 2 High Priority issues, 2 Medium Priority issues
| # | Control Point / Audit Procedure | Qtr 1, 2011 | Qtr 2, 2011 | Qtr 3, 2011 | Qtr 4, 2011 | Comments for Current Quarter |
|---|---|---|---|---|---|---|
| 1 | Authentication Controls (Verify that administrative accounts for the scheduling software belong to current employees or contractors.) (Verify that administrative accounts for the backup software belong to current employees or contractors.) | G | G | G | G | No issues |
| 2 | Back-up Controls (Verify that back-ups are scheduled and successfully executed.) | G | G | G | Y | Q4/2011: Back-up tapes with Highly Confidential Information are not protected from unauthorized removal from the data centers in which they reside. (Low Priority) |
| 3 | Incident management processes (Verify that Remedy tickets were closed timely and indicate that the incident was appropriately resolved.) | G | G | G | G | No issues |
| 4 | Scheduling Controls (Confirm that changes to schedules are approved.) | | | | G | No issues |

Audit Rating: Q4/2011: 1 Low Priority issue
| # | Control Point / Audit Procedure | Qtr 1, 2011 | Qtr 2, 2011 | Qtr 3, 2011 | Qtr 4, 2011 | Comments for Current Quarter |
|---|---|---|---|---|---|---|
| 1 | Security Incidents (Incidents contain adequate documentation.) (Incidents are investigated and tracked to resolution.) | G | G | G | G | No issues |
| 2 | Protection of Internal Network (Assess the process for implementing Intrusion Detection Systems.) (Assess the process for implementing Intrusion Prevention Systems.) | | | | Y | Q4/2011: Four Internet gateways do not have forensic software installed. (Medium Priority) Q4/2011: BlueCoat logs are not encrypted when they are sent to ArcSight. (Low Priority) |
| 3 | Protection of Workstations (Assess the coverage state of antivirus software.) | | | | G | No issues |

Audit Rating: Q4/2011: 1 Medium Priority issue, 1 Low Priority issue
| # | Control Point / Audit Procedure | Qtr 1, 2011 | Qtr 2, 2011 | Qtr 3, 2011 | Qtr 4, 2011 | Comments for Current Quarter |
|---|---|---|---|---|---|---|
| 1 | BCP/DR Requirements Definition, IT Strategy, Plan Development & Implementation (Analyze the overall structure for defining requirements through implementation.) | | | | G | No issues |
| 2 | BCP/DR Governance and Reporting (Review reports describing test results and corrective steps to be taken.) | G | G | G | G | No issues |
| 3 | BCP/DR Exercises (Plan, Execution, Results) (Confirm that all applications have been tested according to scheduled requirements.) | | | Y | Y | Q4/2011: NTAS application successful recovery cannot be demonstrated. (Medium Priority) Q4/2011: The disaster recovery test results in Asia do not always represent the achieved recovery times. (Medium Priority) |

Overall Audit Procedure Rating: Q4/2011: 2 Medium Priority issues
Cathy's Version
| Continuous Audit / Component | Ratings by quarter (Q1 2011 to Q4 2014, one letter per quarter as recorded) | Comments for Current Quarter |
|---|---|---|
| Information Technology | | |
| Logical Access (Mainframe) | | No issues |
| - ACF2 | G G G G G G G G G G G G G | |
| - RACF | Y Y G G G G G G G G G G G | |
| - Top Secret Security | G G G G G G G G G G G G G | |
| - Application Security Database System | G G G G G G G G G G G G G | |
| - MVS and Mainframe Software | G G R R G G G G G G G G G | |
| - Enterprise Database Management Systems | G G G G G G G G G G G G G | |
| - Data Security Administration - Pershing | G G G G G G G G G G G G G | |
| - Data Security Administration | G G G G G G G G G G G G G | |
| Logical Access (Distributed) | | Q4/2013: 1 High Priority issue, 1 Medium Priority issue |
| - Windows/Active Directory | R R R R R R R R R R R Y Y G | |
| - OpenVMS | G G G Y G G G G G G G G G | |
| - Unix and Linux Operating Systems | G G G G G G G G G G G Y Y | |
| - Network Security & Administration | G G G Y G G G G G G G G G | |
| - Enterprise Database Management Systems | Y Y Y G G G G G G G G G G | |
| - Data Security Administration | G G G G G G G G G Y G R R | |
| Global Change Management | | Q3/2013: 1 High Priority issue; Q1/2014: 1 Medium Priority issue |
| - Centralized | Y Y Y Y Y Y R R G Y Y Y Y | |
| - Decentralized | G G G G G Y Y Y G | |
| Global Configuration Management | | Q2/2013: 1 High Priority issue, 1 Medium Priority issue; Q4/2013: 1 Medium Priority issue |
| - Mainframe | G G G G G G G G G G G G G | |
| - Distributed | G G R R R R Y Y Y R R R R | |
| - Network | G G G Y G G G G G G G G G | |
| Global System Operations | | No issues |
| Global Project Management | | Q3/2013: 2 Medium Priority issues |
| - Software Development Lifecycle (SDLC) | G G Y Y Y Y | |
| - Infrastructure Development Lifecycle (IDLC) | Y Y G G G G | |
| - Pershing Project Lifecycle (PPLC) | Y Y G G G G | |
| Global Data Interchange | | No issues |
| Primary Data Centers - USA | | Q1/2014: 1 Low Priority issue |
| Global Network Security | | No issues |
| Cyber Security | | Q2/2013: 2 High Priority issues |
| Risk and Compliance | | |
| Global Business Continuity | | No issues |
| Service Provider Management Office | | No issues |
| Marketing & Corporate Affairs | | |
| Social Media | | No issues |
Logical Access (MF)

| # | Control Point / Audit Procedure | Ratings by quarter (Q1 2011 onward, one letter per quarter as recorded) | Comments for Current Quarter |
|---|---|---|---|
| | Continuous Audit Rating | | No issues |
| 1 | Authentication Controls (Verify that active user accounts belong to current employees or contractors.) (Review access to key operating system libraries/files.) | G G G G G G G G G G | No issues |
| 2 | Prevention of improper modifications: Protection of system resources (Verify that key security settings are established in accordance with standards.) (Review controls implemented through key RACF, Top Secret and ACF2 files.) | G G G G G G G G G G G G G | No issues |
| 3 | Monitoring: Detection of improper access (Assess the process for reviewing logs.) (Verify that activity of highly privileged accounts is reviewed.) | Y Y R R G G G G G G G G G | No issues |
| 4 | Provisioning (Assess the process for granting and revoking user access to operating systems and applications.) | G G G G G G G G G G G G G | No issues |
| 5 | Recertifying (Assess the process for recertifying user access.) | G G G G G G G G G G | No issues |

Issue Track Cheat Sheet: Expected Completion Date: 03/19/2012. Auditor: Amit Dhasmana/CorpUK/BNYMellon. 11TETC9913 Logical Access (Mainframe) Q3. Q3/2011: Powerful system permissions in the UNISYS computing environment are not effectively controlled and monitored. (High Priority). Closed by Nassos on 3/20.
Logical Access (Dist)

| # | Control Point / Audit Procedure | Ratings by quarter (Q1 2011 onward, one letter per quarter as recorded) | Comments for Current Quarter |
|---|---|---|---|
| | Continuous Audit Rating | | Q4/2013: 1 High Priority issue, 1 Medium Priority issue |
| 1 | Authentication Controls (Verify that active user accounts belong to current employees or contractors.) (Review access to key operating system libraries/files.) | Y Y Y G G G G G G G G G G | No issues |
| 2 | Authorization Controls (Review authorization levels of key accounts.) | R R R R R R R R R R Y Y Y | Q4/2013: The UNIX server support model employed by Pershing requires a large number of users to be assigned root access. (Medium Priority) |
| 3 | Prevention of improper modifications: Protection of system resources (Verify that key security settings are set in accordance with standards.) Protection of production UDTs (Verify UDTs are adequately protected from improper modifications.) | Y Y R G G G G G G G G R R | Q4/2013: A significant number of employees can amend the account details of approved payment files prior to their final submission to BACS for disbursement. (High Priority) |
| 4 | Monitoring: Detection of improper access (Assess the process for reviewing logs.) (Verify that activity of highly privileged accounts is reviewed.) | G R Y Y Y G G G G G G | No issues |
| 5 | Provisioning (Assess the process for granting and revoking user access to operating systems and applications.) | G G G Y G G G G G Y G G G | No issues |
| 6 | Recertifying (Assess the process for recertifying user access.) | G G Y Y G G G G G G G G G | No issues |
ChgMgt

| # | Control Point / Audit Procedure | Ratings by quarter (Q1 2011 onward, one letter per quarter as recorded) | Comments for Current Quarter |
|---|---|---|---|
| | Continuous Audit Rating | | Q3/2013: 1 High Priority issue; Q1/2014: 1 Medium Priority issue |
| 1 | Authentication Controls (Verify that administrative accounts for Remedy belong to current employees or contractors.) (Verify that administrative accounts for SCCB belong to current employees and/or contractors that have a business need for the access.) | G G G G G G G G G G G G G | No issues |
| 2 | Authorization Controls: Segregation of Duties (Level of access that developers have in Harvest and production.) (Level of access that Harvest Administrators have in the production environment.) (Separate development and production environments.) | G G G Y G G G G G G G G G | No issues |
| 3 | Application Change Control Process (Application changes follow the standard corporate processes, i.e. Harvest or Endevor.) (Verify that emergency changes to applications comply with standards.) | R R R G G G G G G R R R G | No issues |
| 4 | Network Device Change Process (Confirm that changes to firewalls and routers are authorized.) | G G G G G G G G G G R R R | Q3/2013: The tracking system used to validate firewall and router device changes was not capturing all change activity. (High Priority) |
| 5 | Database Change Process (Confirm that changes to databases are authorized.) | G G G G G G G G G G | No issues |
| 6 | Change Standards and Procedures (Standards govern the change management process for the Windows, UNIX, VMS, and mainframe platforms, as well as their associated source code version control systems.) (Standards govern ClearCase and Endevor.) | G G G G G G R G G Y | Q1/2014: Risk Control Self-Assessments are incomplete, outdated or missing. (Medium Priority) |
| 7 | Patch Management Process (Confirm that security patches are evaluated and applied.) | Y Y R R R R R R G G G G G | No issues |
ConfigMgt

| # | Control Point / Audit Procedure | Ratings by quarter (Q1 2011 onward, one letter per quarter as recorded) | Comments for Current Quarter |
|---|---|---|---|
| | Continuous Audit Rating | | Q2/2013: 1 High Priority issue, 1 Medium Priority issue; Q4/2013: 1 Medium Priority issue |
| 1 | Network Device Configurations (Ensure that the templates used for establishing and checking configuration parameters accord with policy and established practices.) (Review results of management's periodic process for confirming compliance with the templates and correcting differences.) (Confirm that configuration parameters match the templates.) | G G G G G G G G G G G G G | No issues |
| 2 | Operating system parameters (Verify that key operating system libraries/files point to the appropriate start-up version.) (Ensure that the purpose of all start-up parameters is documented.) (Review documentation on duplicated key operating system members appearing in different libraries.) (Verify that group policy parameters are set securely.) | G G G R Y Y Y G G G G G G | No issues |
| 3 | System Configuration (Verify that logging is enabled.) (Verify that password settings are established in accordance with standards.) (Verify that key security settings are established in accordance with standards.) | G G R R R Y Y G Y R R R R | Q2/2013: Inadequate access controls exist for a large number of share drives throughout the Company. (High Priority) |
| 4 | Network Design and Controls (Ensure that network design includes security elements such as IDS/IPS and firewalls in appropriate locations.) (Review firewall rules that govern access.) (Review design and implementation of remote access (VPN) including dual factor authentication and encryption.) (Review design and implementation of wireless entry points including authentication and encryption mechanisms.) | Y G G G G G G G Y Y | Q4/2013: The process for verifying and maintaining internet firewall configuration is not adequately formalized. (Medium Priority) |
| 5 | Database Configuration (Verify that logging is enabled.) (Verify that security settings are established in accordance with standards.) | G G G G G G Y Y G Y Y Y Y | Q2/2013: Governance over database password complexity enforcement is inappropriate. (Medium Priority) |
| 6 | Configuration Standards and Procedures (Review standards that govern the configuration of operating systems, security software, databases, and network devices.) | G G G G G G G G G G | No issues |
| 7 | Protection of Workstations (Assess the coverage state of antivirus software.) | G G G G Y G G G G G | No issues |
SysOps

| # | Control Point / Audit Procedure | Ratings by quarter (Q1 2011 onward, one letter per quarter as recorded) | Comments for Current Quarter |
|---|---|---|---|
| | Continuous Audit Rating | | No issues |
| 1 | Authentication Controls (Verify that administrative accounts for the scheduling software belong to current employees or contractors.) (Verify that administrative accounts for the backup software belong to current employees or contractors.) | G G G G G G G G G G G G G | No issues |
| 2 | Back-up Controls (Verify that back-ups are scheduled and successfully executed.) | G G G Y G G G G G G G G G | No issues |
| 3 | Incident management processes (Verify that Remedy tickets were closed timely and indicate that the incident was appropriately resolved.) | G G G G G G G G G G G G G | No issues |
| 4 | Scheduling Controls (Confirm that changes to schedules are approved.) | G G G G G G G G G G | No issues |
Proj Mgt

| # | Control Point / Audit Procedure | Ratings by quarter (Q1 2011 onward, one letter per quarter as recorded) | Comments for Current Quarter |
|---|---|---|---|
| | Continuous Audit Rating | | Q3/2013: 2 Medium Priority issues |
| 1 | Project Governance (Determine how projects are selected, prioritized, and aligned with Corporate strategy. Review associated policies and procedures.) | Y G G G | No issues |
| 2 | Project Framework Definition (Analyze the framework(s) in place across the organization and their compliance with industry standards - FFIEC, ITIL, CobiT.) | Y Y Y | Q3/2013: Lessons learned considerations during planning, and business resource hours are not included as requirements within the System Development Lifecycle (SDLC) Framework. (Medium Priority) |
| 3 | Project Management (Assess the compliance of Project Management to defined project frameworks, and the quality of delivery.) | Y Y Y Y Y G | No issues |
| 4 | Project Engagement (Assess the adequacy of stakeholder engagement during projects, to include internal and external communication strategies.) | Y Y G Y Y Y | Q3/2013: Support groups are not engaged during project initiation. (Medium Priority) |
GDI

| # | Control Point / Audit Procedure | Ratings by quarter (Q1 2011 onward, one letter per quarter as recorded) | Comments for Current Quarter |
|---|---|---|---|
| | Continuous Audit Rating | | No issues |
| 1 | Policies and Procedures (Verify that applicable policies and procedures for the data transmissions are in place and reflect the current environment.) | G Y Y Y G | No issues |
| 2 | Encryption Protocols (Assess the process to protect data transmissions to and from external parties.) | G G G | No issues |
| 3 | Authentication Controls (Determine that external data transmissions received are verified as originating from a known source.) | G G G | No issues |
| 4 | Authorization Controls (Determine that access to data transmission systems is assigned commensurate with job functionality.) | G G G | No issues |
| 5 | Monitoring (Confirm that data transmissions are monitored, with unsuccessful transmissions of data being recorded and resolved.) | G G G | No issues |
| 6 | Transmission Setup Requests (Verify that request systems and approval workflows exist for the setup or modification of data transmissions.) | G G G | No issues |
Primary Data Centers USA

| # | Control Point / Audit Procedure | Ratings by quarter (Q1 2011 onward, one letter per quarter as recorded) | Comments for Current Quarter |
|---|---|---|---|
| | Continuous Audit Rating | | Q1/2014: 1 Low Priority issue |
| 1 | Access Recertification (Assess the process to recertify physical access to the primary data centers.) (Verify the physical access modifications resulting from the recertification were performed in a timely fashion.) | G Y G G G | Q1/2014: An approved request to remove one individual's access to the TPC tape operations room was not executed in a timely manner. (Low Priority) |
| 2 | Physical Access (Determine that physical access to the primary data centers is assigned commensurate with job functionality.) (Assess the process to authorize individuals' physical access to the primary data centers.) (Assess the process to revoke physical access to the primary data centers for those individuals who no longer require access.) | G G G | No issues |
| 3 | Environmental Controls (Assess the preventative maintenance process for environmental control systems including: fire prevention/detection, temperature/humidity, uninterruptible power supply and generator systems.) | G G G | No issues |
| 4 | IT Hardware Asset Management (Assess the process to maintain a comprehensive listing of computing resources maintained within the primary data centers.) | G G G | No issues |
NetworkSec

| # | Control Point / Audit Procedure | Ratings by quarter (Q1 2011 onward, one letter per quarter as recorded) | Comments for Current Quarter |
|---|---|---|---|
| | Continuous Audit Rating | | No issues |
| 1 | Security Incidents (Incidents contain adequate documentation.) (Incidents are investigated and tracked to resolution.) | G G G G G G G G G G G G G | No issues |
| 2 | Policies and Procedures (Assess the adequacy of applicable policies and procedures surrounding global network security.) (Assess segregation of duties between installation and deployment functions and reporting and monitoring functions.) | G G G G G G G | No issues |
| 3 | Protection of Internal Network (Assess the process for implementing Intrusion Detection Systems.) (Assess the process for implementing Intrusion Prevention Systems.) | Y Y Y Y Y G G G G G | No issues |
| 4 | Monitoring (Evaluate the process to monitor, escalate, investigate and resolve intrusive network activities.) | G G G G G G G G | No issues |
| 5 | Reporting (Evaluate management reporting practices pertaining to security incidents and suspicious network activity.) | G G G G G G G G | No issues |
CyberSec
Continuous Audit Rating: Q2/2013: 2 High Priority issues
# | Control Point / Audit Procedure | Quarterly ratings, Q1 2011 to Q4 2014 (as extracted) | Comments for Current Quarter
1 | Cyber Security Governance and Reporting (Review adequacy of information security organizational structure and reporting line for sufficient authority.) | GGGGRRRR | Q2/2013: Employees in international locations are using unapproved and informal translation applications. (High Priority)
2 | Cyber Security Exercises (Review vulnerability scans/assessments to determine follow through.) (Review of remote access controls.) | GGRRRR | Q2/2013: Controls to prevent the transfer of Company data to external devices can be bypassed. (High Priority)
3 | Simulated Hack of Network and Applications (Run independent application security scans / ethical hacks into selective networks and applications.) | GGGGGGGGG | No issues
4 | Signals Intelligence (Wireless security scans / ethical hacks into selective mobile devices.) | GGGGGG | No issues
5 | Web Behavioral Analytics (Email phishing through spoofed email.) (Monitoring of network traffic to analyze web behavior.) | RGGG | No issues
6 | Operating System Vulnerability Scans (Run security scans / ethical hacks into selective images of Operating Systems.) | GGGGGG | No issues
7 | Web Application Vulnerability Scans (Run back / front door advanced persistent attacks [APTs].) | GYYYG | No issues
Business Continuity
Continuous Audit Rating: No issues
# | Control Point / Audit Procedure | Quarterly ratings, 2011 to 2014 (as extracted) | Comments for Current Quarter
1 | BCP/DR Requirements Definition, IT Strategy, Plan Development & Implementation (Analyze the overall structure for defining requirements through implementation.) | GGGGGGGGGG | No issues
2 | BCP Plan Review (Analyze BCP plans for comprehensiveness and effective testing and remediation.) | GGGGGGGGGGGGG | No issues
3 | BCP/DR Governance (Review GCP policy and Board and Senior Management oversight.) | GGGGGGGGGGGGGG | No issues
4 | BCP/DR Reporting (Monitor BRC weekly calls.) | GGGGGGGGGGGGG | No issues
5 | BCP/DR Exercises (Plan, Execution, Results) (Confirm that recovery exercises have been conducted with appropriate documentation and follow-up.) (Confirm that applications have been tested annually with appropriate documentation and follow-up.) (Confirm that applications have been tested according to scheduled requirements with appropriate documentation and follow-up.) | GYGGGGGGGGG | No issues
Issue Track Cheat Sheet entry (extracted alongside this table): Expected Completion Date: 03/19/2012 | Auditor: Amit Dhasmana/CorpUK/BNYMellon | 11TETC9913 Logical Access (Mainframe) Q3 | Q3/2011: Powerful system permissions in the UNISYS computing environment are not effectively controlled and monitored. (High Priority)
SPMO
Continuous Audit Rating: No issues
# | Control Point / Audit Procedure | Quarterly ratings, Q1 2011 to Q4 2014 (as extracted) | Comments for Current Quarter
1 | Administration/Organization (Analyze the organizational framework in place within IRM that handles the service provider management program.) | GGGGGGG | No issues
2 | Training (Ensure training is available to LOB personnel.) | GGGGGG | No issues
3 | Standard Tools (Security of systems/tools in place used to maintain SPM information.) | GGGGGG | No issues
4 | Service Provider Program Documentation (Completeness and accuracy of compiled data and Attestation Process.) | GGGGGG | No issues
5 | Individual Service Provider Documentation (SPM database contains current information relating to individual SPs deemed important.) | GGGGGG | No issues
6 | Site Visits (Procedures and processes to conduct site visits for service providers.) | GGGGGG | No issues
7 | Oversight, Support and Escalation Related to Service Providers (Follow-through of Responsibilities, Notification and Escalation, Review of Service Provider Management Reports.) | GGGGGGGGG | No issues
Social Media
Continuous Audit Rating: No issues
# | Control Point / Audit Procedure | Quarterly ratings, Q1 2011 to Q4 2014 (as extracted) | Comments for Current Quarter
1 | Governance (Determine if policies and procedures regarding social media are up to date and reflect current conditions.) (Assess established governance structure for appropriate representation and adequacy.) | GGGGGG | No issues
2 | System Access Controls (Ascertain the appropriateness of system authentication controls and user provisioning to social media tools.) (Determine if access controls are assigned commensurate with job responsibilities.) | YYGG | No issues
3 | Content Change Controls (Ascertain the appropriateness of the processes to create, modify, approve and publish social media content.) (Ascertain the processes to detect and identify unauthorized social media content.) | GGG | No issues
4 | Monitoring of Brand (Ascertain the processes to review social media sites for awareness of non-corporate social media usage affecting the Company.) (Ascertain the escalation processes for any potential issues based on a set of pre-determined procedures.) | GGG | No issues
Asset Servicing Core Apps
Continuous Audit Rating: No issues
# | Control Point / Audit Procedure | Q1 2012 | Q2 2012 | Q3 2012 | Q4 2012 | Q1 2013 | Comments for Current Quarter
1 | Logical Access Controls and Monitoring (Verify that passwords are configured in line with policy and remain compliant during the year, that user authentication to the application complies with the Company's policy, and that logs exist which support the identification of security events in line with the criticality of the application.) | G | Y | G | G | G | No issues
2 | Segregation of Duties (Verify that privileged accounts are documented and have clear ownership, that IT developers have no access to production, that Super Access is limited to appropriate individuals, and that duplicate/inactive user accounts are disabled/removed to prevent access misuse.) | G | Y | G | G | G | No issues
3 | Application Stability (Availability reports are maintained and actively monitored against business expectations or vendor SLAs; application incidents are monitored, escalated and resolved as appropriate, including involvement of third party vendor support.) | G | G | G | G | G | No issues
4 | Application Change Management (Verify that application changes follow the standard corporate processes, i.e. Harvest or Endevor. Where the corporate process is not followed, changes are managed following controls which provide the same level of assurance.) | G | G | G | G | G | No issues
# | Control Point / Audit Procedure | Ratings Qtr 1 to Qtr 4, 2011 (as extracted) | Comments for Current Quarter
1 | Authentication Controls (Verify that active user accounts belong to current employees or contractors.) (Review access to key operating system libraries/files.) | G | No issues
2 | Prevention of improper modifications: Protection of system resources (Verify that key security settings are established in accordance with standards.) (Review controls implemented through key RACF, Top Secret and ACF2 files.) | G G G G | No issues
3 | Monitoring: Detection of improper access (Assess the process for reviewing logs.) (Verify that activity of highly privileged accounts is reviewed.) | Y Y R R | Q3/2011: Powerful system permissions in the UNISYS computing environment are not effectively controlled and monitored. (High Priority)
4 | Provisioning (Assess the process for granting and revoking user access to operating systems and applications.) | G G G G | No issues
5 | Recertifying (Assess the process for recertifying user access.) | G | No issues
Audit Rating: Q3/2011: 1 High Priority issue
# | Control Point / Audit Procedure | Ratings Qtr 1 to Qtr 4, 2011 (as extracted) | Comments for Current Quarter
1 | Authentication Controls (Verify that active user accounts belong to current employees or contractors.) (Review access to key operating system libraries/files.) | Y Y Y G | Q4/2011: Administrative access to firewalls is not periodically reviewed. (Low Priority)
2 | Authorization Controls (Review authorization levels of key accounts.) | R R R R | Q3/2011: An excessive number of user accounts (30,337 specific accounts and 85,170 total accounts) have administrator access across the global Windows environment. (High Priority)
3 | Prevention of improper modifications: Protection of system resources (Verify that key security settings are set in accordance with standards.) Protection of production UDT (Verify UDT is adequately protected from improper modifications.) | Y G G G | No issues
4 | Monitoring: Detection of improper access (Assess the process for reviewing logs.) (Verify that activity of highly privileged accounts is reviewed.) | G R | Q4/2011: Local account access management in the Windows environment is inappropriate. (Medium Priority) Q4/2011: Access controls to BlueCoat servers are inappropriate. (Medium Priority) Q4/2011: Administrators share a highly privileged account in the Federation Manager system. (Low Priority)
5 | Provisioning (Assess the process for granting and revoking user access to operating systems and applications.) (Review the process for adding users to TACACS.) | G G G Y | Q4/2011: Temporary access to OpenVMS accounts with elevated privileges is inadequate. (Medium Priority)
6 | Recertifying (Assess the process for recertifying user access.) | G G Y Y | Q3/2011: Exceptions for obtaining write access to USB storage devices are not being recertified. (Medium Priority)
Audit Rating: Q3/2011: 1 High Priority issue, 1 Medium Priority issue
Audit Rating: Q4/2011: 3 Medium Priority issues, 2 Low Priority issues
Control Point / Audit Procedure | Ratings Qtr 1 to Qtr 4, 2011 (as extracted) | Comments for Current Quarter
Authentication Controls (Verify that administrative accounts for Remedy belong to current employees or contractors.) (Verify that administrative accounts for SCCB belong to current employees and/or contractors that have a business need for the access.) | G G G G | No issues
Authorization Controls: Segregation of Duties (Level of access that developers have in Harvest and production.) (Level of access that Harvest Administrators have in the production environment.) (Separate development and production environments.) | G G G Y | Q4/2011: An IT developer has unrestricted access to a Pershing UK production server. (Medium Priority)
Application Change Control Process (Confirm that application changes are authorized.) (Verify that emergency changes to applications comply with standards.) | R R R G | No issues
Network Device Change Process (Confirm that changes to firewalls and routers are authorized.) | G G G G | No issues
Database Change Process (Confirm that changes to databases are authorized.) | G | No issues
Change Standards and Procedures (Standards govern the change management process for the Windows, UNIX, VMS, and mainframe platforms, as well as their associated source code version control systems.) (Standards govern ClearCase and Endevor.) | G | No issues
Patch Management Process (Confirm that security patches are evaluated and applied.) | Y Y R R | Q3/2011: Technology governance over the administration and application of patches to the Company's computing infrastructure is ineffective. (High Priority)
Audit Rating: Q3/2011: 1 High Priority issue
Audit Rating: Q4/2011: 1 Medium Priority issue
# | Control Point / Audit Procedure | Ratings Qtr 1 to Qtr 4, 2011 (as extracted) | Comments for Current Quarter
1 | Network Device Configurations (Ensure that the templates used for establishing and checking configuration parameters accord with policy and established practices.) (Review results of management's periodic process for confirming compliance with the templates and correcting differences.) (Confirm that configuration parameters match the templates.) | G G G G | No issues
2 | Operating system parameters (Verify that key operating system libraries/files point to the appropriate start-up version.) (Ensure that the purpose of all start-up parameters is documented.) (Review documentation on duplicated key operating system members appearing in different libraries.) (Verify that group policy parameters are set securely.) | G G G R | Q4/2011: Critical configurations in the Windows environment are inappropriate. (High Priority)
3 | System Configuration (Verify that logging is enabled.) (Verify that password settings are established in accordance with standards.) (Verify that key security settings are established in accordance with standards.) | G G R R | Q3/2011: A critical setting in the UNIX environment is set to allow unrestricted system access to several production servers. (High Priority) Q4/2011: UNIX servers do not have anti-virus so