The Changing Technology Landscape: Moving to Internal Audit 2.0 www.pwc.com


  • PwC

    Raising internal audit's game

    This publication has been prepared to support an oral presentation and is for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

    2016 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

  • PwC

    The technology landscape is changing faster than ever before

    Expectations: Leadership, Clarity, Drive Value, Trusted Advisor

    Key trends

    Cybersecurity & privacy risk
      - Theft of customer data and intellectual property
      - Organized crime activity
      - Global ecosystem

    Digital disruption
      - Social
      - Mobile
      - Blockchain
      - Cloud

    Business & technology transformation
      - Consumerization of IT
      - Evolving business models
      - Massive transformation of applications and infrastructure

    Regulatory pressure
      - Complex regulatory environment
      - Increased pressure and audits

    Big data
      - Increased transaction volumes
      - Data quality
      - Data governance & management

    What this means for Internal Technology Audit
      - Higher expectations from executive management and boards
      - Provide value-added services and proactive strategic advice to the business
      - Need to clearly articulate the full suite of IT internal audit solutions
      - Opportunities to grow, innovate, and drive quality
      - Differentiation
      - Organic and inorganic growth through specialization
      - Greater focus on quality and driving value and impact from investment in internal audit

  • PwC

    Continuous Auditing

  • PwC

    What is Continuous Monitoring (CM) and Continuous Auditing (CA)?

    Continuous Monitoring

    Automated continuous monitoring of relevant internal and external events and their outcomes, to ensure that business processes, systems and controls are operating as prescribed. CM feedback can be used for continuous auditing or can trigger an on-demand audit.

    Continuous Auditing

    Continuous auditing is the collection of audit evidence by an auditor, related to business processes and controls, on a continuous basis; on the basis of that evidence the auditor can provide a continuous or on-demand opinion on the state of the business process or control in question.

    The Institute of Internal Auditors defines continuous audit as a means to issue an audit report simultaneously with, or immediately after, the event in question.

  • PwC

    Data Analytics

    Applying analytics to an existing audit program will not usually produce efficiencies and can in fact minimize, if not eliminate, the benefit of the tool.

    Analytics tools should be just one part of a comprehensive audit automation strategy.

    This strategy should be linked to a risk-based audit approach and be part of a start-from-scratch mentality in terms of universe and entity definition.

    The actual tools and methods employed should be determined by the risks identified and the goals of each audit.

  • PwC

    How Audit Automation changes the model

    Data Discovery and Presentation: gaining effective insight through advances in visualization capabilities (audit by sight).

    Agile Analytics: alternative modeling and analytic techniques that can tackle audit objectives in hours instead of weeks.

    Unstructured Data Integration: emerging methods to collect, organize, structure and search massive amounts of data not found in traditional databases.

    Enhanced Audit Management: collaborative project management technology integrated into audit planning, execution and reporting.

      - Build a Learning Organization
      - Increased Risk Coverage
      - Manage Risk / Return
      - Insight in Real-time or Right-time
      - Efficient Audit cycle time

  • PwC

    Sample reporting dashboard

    Summary dashboards would present the results of all detailed dashboards and provide an excellent means for assessing the state of IT.

    Ratings (G/Y/R) are quarterly, listed oldest to newest from 2011 to Q1/2014; the text after the component name is the Comments for Current Quarter column.

    Information Technology

    Logical Access (Mainframe) | No issues
      ACF2 | GGGGGGGGGGGGG
      RACF | YYGGGGGGGGGGG
      Top Secret Security | GGGGGGGGGGGGG
      Application Security Database System | GGGGGGGGGGGGG
      MVS and Mainframe Software | GGRRGGGGGGGGG
      Enterprise Database Management Systems | GGGGGGGGGGGGG
      Data Security Administration - Pershing | GGGGGGGGGGGGG
      Data Security Administration | GGGGGGGGGGGGG

    Logical Access (Distributed) | Q4/2013: 1 High Priority issue, 1 Medium Priority issue; Q1/2014: 1 Medium Priority issue, 1 Low Priority issue [Fully Remediated]
      Windows/Active Directory | RRRRRRRRRRYYG
      OpenVMS | GGGYGGGGGGGGG
      Unix and Linux Operating Systems | GGGGGGGGGGGYY
      Network Security & Administration | GGGYGGGGGGGGG
      Enterprise Database Management Systems | YYYGGGGGGGGGG
      Data Security Administration | GGGGGGGGGYGRR

    Global Change Management | Q3/2013: 1 High Priority issue; Q1/2014: 1 Medium Priority issue
      Centralized | YYYYYYRRGYYYY
      Decentralized | GGGGGYYYG

    Global Configuration Management | Q2/2013: 1 High Priority issue, 1 Medium Priority issue; Q4/2013: 1 Medium Priority issue
      Mainframe | GGGGGGGGGGGGG
      Distributed | GGRRRRYYYRRRR
      Network | GGGYGGGGGGGGG

    Global System Operations | No issues

    Global Project Management | Q3/2013: 2 Medium Priority issues
      Software Development Lifecycle (SDLC) | GGYYYY
      Infrastructure Development Lifecycle (IDLC) | YYGGGG
      Pershing Project Lifecycle (PPLC) | YYGGGG

    Global Data Interchange | Q1/2014: 1 High Priority issue

    Primary Data Centers - USA | Q1/2014: 1 Low Priority issue

    Global Network Security | No issues

    Cyber Security | Q2/2013: 2 High Priority issues

    Risk and Compliance

    Global Business Continuity | No issues

    Service Provider Management Office | No issues

    Marketing & Corporate Affairs

    Social Media | No issues
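The step from the detailed dashboards to the summary row, as an added example (not code from the PwC deck or any audit tool): it takes one component's control-point ratings and comments in the layout shown on this page, rolls them up quarter by quarter, flags control points that have stayed red, and regenerates the component's "Continuous Audit Rating" comment. The worst-rating-wins rule, the right-alignment of shorter rating rows and the sample data are assumptions.

```python
"""Roll one component's detailed dashboard up into its summary-dashboard row.

Added example, not code from the PwC deck: the G/Y/R scale, quarterly layout and
comment wording follow this page's sample dashboard; the worst-rating-wins rule,
the right-alignment of shorter rating rows and the sample data are assumptions.
"""
import re
from collections import Counter, defaultdict

SEVERITY = {"G": 0, "Y": 1, "R": 2}  # Red outranks Yellow outranks Green
LETTER = {value: key for key, value in SEVERITY.items()}
PRIORITY_ORDER = ("High", "Medium", "Low")
# "Q4/2013: <finding text> (High Priority) [Closed]" -> quarter, priority, tail
COMMENT_RE = re.compile(r"^(Q([1-4])/(\d{4})):.*\((High|Medium|Low) Priority\)(.*)$")

# Constructed sample: control points of one component, each with quarterly
# ratings (oldest to newest) and its current-quarter comment.
LOGICAL_ACCESS_DISTRIBUTED = {
    "Authentication Controls": ("YYYGGGGGGGGGG", "No issues"),
    "Authorization Controls": ("RRRRRRRRRRYYY",
        "Q4/2013: The server support model requires many users to hold root access. (Medium Priority)"),
    "Protection of system resources": ("YYRGGGGGGGGRR",
        "Q4/2013: Approved payment files can be amended before final submission. (High Priority)"),
    "Provisioning": ("GGGYGGGGGYGGY",
        "Q1/2014: Role Based Access Control usage needs improvement. (Medium Priority)"),
    "Recertifying": ("GGGGGGGGGGGGY",
        "Q1/2014: Unique VMS user identification codes are inappropriately assigned. (Low Priority) [Closed]"),
}


def roll_up(control_points):
    """Component rating per quarter = worst control-point rating that quarter.
    Shorter rating strings are right-aligned (control points added later)."""
    width = max(len(ratings) for ratings, _ in control_points.values())
    worst = [0] * width
    for ratings, _ in control_points.values():
        offset = width - len(ratings)
        for i, letter in enumerate(ratings):
            worst[offset + i] = max(worst[offset + i], SEVERITY[letter])
    return "".join(LETTER[s] for s in worst)


def persistent_red(control_points, quarters=2):
    """Control points rated R in each of the last `quarters` quarters: the
    long-running findings that a single summary-row colour would hide."""
    return sorted(name for name, (ratings, _) in control_points.items()
                  if len(ratings) >= quarters and set(ratings[-quarters:]) == {"R"})


def findings(control_points):
    """Parse comments that record a finding ('No issues' is skipped), sorted by
    quarter and then High before Medium before Low."""
    found = []
    for name, (_, comment) in control_points.items():
        match = COMMENT_RE.match(comment)
        if match is None:
            continue
        quarter, q, year, priority, tail = match.groups()
        found.append({"when": (int(year), int(q)), "quarter": quarter,
                      "priority": priority, "closed": "[Closed]" in tail,
                      "control_point": name})
    return sorted(found, key=lambda f: (f["when"], PRIORITY_ORDER.index(f["priority"])))


def continuous_audit_rating(control_points):
    """The component's summary-dashboard comment in the deck's wording, e.g.
    'Q4/2013: 1 High Priority issue, 1 Medium Priority issue; Q1/2014: ...'."""
    per_quarter = defaultdict(Counter)
    for f in findings(control_points):  # already in chronological order
        per_quarter[f["quarter"]][f["priority"]] += 1
    if not per_quarter:
        return "No issues"
    parts = []
    for quarter, counts in per_quarter.items():
        items = [f"{counts[p]} {p} Priority issue{'s' if counts[p] > 1 else ''}"
                 for p in PRIORITY_ORDER if counts[p]]
        parts.append(f"{quarter}: " + ", ".join(items))
    return "; ".join(parts)


def open_findings(control_points):
    """Findings not marked [Closed]: what still has to be tracked to remediation."""
    return [(f["quarter"], f["priority"], f["control_point"])
            for f in findings(control_points) if not f["closed"]]
```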


    Logical Access (Mainframe)

    Continuous Audit Rating: No issues

    Control Point / Audit Procedure | Ratings (quarterly, 2011 to 2014, oldest to newest) | Comments for Current Quarter

    1. Authentication Controls (Verify that active user accounts belong to current employees or contractors. Review access to key operating system libraries/files.) | GGGGGGGGGG | No issues
    2. Prevention of improper modifications: Protection of system resources (Verify that key security settings are established in accordance with standards. Review controls implemented through key RACF, Top Secret and ACF2 files.) | GGGGGGGGGGGGG | No issues
    3. Monitoring: Detection of improper access (Assess the process for reviewing logs. Verify that activity of highly privileged accounts is reviewed.) | YYRRGGGGGGGGG | No issues
    4. Provisioning (Assess the process for granting and revoking user access to operating systems and applications.) | GGGGGGGGGGGGG | No issues
    5. Recertifying (Assess the process for recertifying user access.) | GGGGGGGGGG | No issues

    Logical Access (Distributed)

    Continuous Audit Rating: Q4/2013: 1 High Priority issue, 1 Medium Priority issue; Q1/2014: 1 Medium Priority issue, 1 Low Priority issue [Fully Remediated]

    Control Point / Audit Procedure | Ratings (quarterly, 2011 to 2014, oldest to newest) | Comments for Current Quarter

    1. Authentication Controls (Verify that active user accounts belong to current employees or contractors. Review access to key operating system libraries/files.) | YYYGGGGGGGGGG | No issues
    2. Authorization Controls (Review authorization levels of key accounts.) | RRRRRRRRRRYYY | Q4/2013: The UNIX server support model employed by Pershing requires a large number of users to be assigned root access. (Medium Priority)
    3. Prevention of improper modifications: Protection of system resources (Verify that key security settings are set in accordance with standards.) Protection of production UDTs (Verify UDTs are adequately protected from improper modifications.) | YYRGGGGGGGGRR | Q4/2013: A significant number of employees can amend the account details of approved payment files prior to their final submission to BACS for disbursement. (High Priority) Q1/2014: Unique VMS Operating System User Identification Codes are inappropriately assigned. (Low Priority) [Closed]
    4. Monitoring: Detection of improper access (Assess the process for reviewing logs. Verify that activity of highly privileged accounts is reviewed.) | GRYYYGGGGGG | No issues
    5. Provisioning (Assess the process for granting and revoking user access to operating systems and applications.) | GGGYGGGGGYGGY | Q1/2014: Role Based Access Control (RBAC) usage within the Company needs improvement. (Medium Priority)
    6. Recertifying (Assess the process for recertifying user access.) | GGYYGGGGGGGGG | No issues

    Change Management (ChgMgt)

    Continuous Audit Rating: Q3/2013: 1 High Priority issue; Q1/2014: 1 Medium Priority issue

    Control Point / Audit Procedure | Ratings (quarterly, 2011 to 2014, oldest to newest) | Comments for Current Quarter

    1. Authentication Controls (Verify that administrative accounts for Remedy belong to current employees or contractors. Verify that administrative accounts for SCCB belong to current employees and/or contractors that have a business need for the access.) | GGGGGGGGGGGGG | No issues
    2. Authorization Controls: Segregation of Duties (Level of access that developers have in Harvest and production. Level of access that Harvest Administrators have in the production environment. Separate development and production environments.) | GGGYGGGGGGGGG | No issues
    3. Application Change Control Process (Application changes follow the standard corporate processes, i.e. Harvest or Endevor. Verify that emergency changes to applications comply with standards.) | RRRGGGGGGRRRG | No issues
    4. Network Device Change Process (Confirm that changes to firewalls and routers are authorized.) | GGGGGGGGGGRRR | Q3/2013: The tracking system used to validate firewall and router device changes was not capturing all change activity. (High Priority)
    5. Database Change Process (Confirm that changes to databases are authorized.) | GGGGGGGGGG | No issues
    6. Change Standards and Procedures (Standards govern the change management process for the Windows, UNIX, VMS, and mainframe platforms, as well as their associated source code version control systems. Standards govern ClearCase and Endevor.) | GGGGGGRGGY | Q1/2014: Risk Control Self-Assessments are incomplete, outdated or missing. (Medium Priority)
    7. Patch Management Process (Confirm that security patches are evaluated and applied.) | YYRRRRRRGGGGG | No issues

    Configuration Management (ConfigMgt)

    Continuous Audit Rating: Q2/2013: 1 High Priority issue, 1 Medium Priority issue; Q4/2013: 1 Medium Priority issue

    Control Point / Audit Procedure | Ratings (quarterly, 2011 to 2014, oldest to newest) | Comments for Current Quarter

    1. Network Device Configurations (Ensure that the templates used for establishing and checking configuration parameters accord with policy and established practices. Review results of management's periodic process for confirming compliance with the templates and correcting differences. Confirm that configuration parameters match the templates.) | GGGGGGGGGGGGG | No issues
    2. Operating system parameters (Verify that key operating system libraries/files point to the appropriate start-up version. Ensure that the purpose of all start-up parameters is documented. Review documentation on duplicated key operating system members appearing in different libraries. Verify that group policy parameters are set securely.) | GGGRYYYGGGGGG | No issues
    3. System Configuration (Verify that logging is enabled. Verify that password settings are established in accordance with standards. Verify that key security settings are established in accordance with standards.) | GGRRRYYGYRRRR | Q2/2013: Inadequate access controls exist for a large number of share drives throughout the Company. (High Priority)
    4. Network Design and Controls (Ensure that network design includes security elements such as IDS/IPS and firewalls in appropriate locations. Review firewall rules that govern access. Review design and implementation of remote access (VPN), including dual-factor authentication and encryption. Review design and implementation of wireless entry points, including authentication and encryption mechanisms.) | YGGGGGGGYY | Q4/2013: The process for verifying and maintaining internet firewall configuration is not adequately formalized. (Medium Priority)
    5. Database Configuration (Verify that logging is enabled. Verify that security settings are established in accordance with standards.) | GGGGGGYYGYYYY | Q2/2013: Governance over database password complexity enforcement is inappropriate. (Medium Priority)
    6. Configuration Standards and Procedures (Review standards that govern the configuration of operating systems, security software, databases, and network devices.) | GGGGGGGGGG | No issues
    7. Protection of Workstations (Assess the coverage state of antivirus software.) | GGGGYGGGGG | No issues

    System Operations (SysOps)

    Continuous Audit Rating: No issues

    Control Point / Audit Procedure | Ratings (quarterly, 2011 to 2014, oldest to newest) | Comments for Current Quarter

    1. Authentication Controls (Verify that administrative accounts for the scheduling software belong to current employees or contractors. Verify that administrative accounts for the backup software belong to current employees or contractors.) | GGGGGGGGGGGGG | No issues
    2. Back-up Controls (Verify that back-ups are scheduled and successfully executed.) | GGGYGGGGGGGGG | No issues
    3. Incident management processes (Verify that Remedy tickets were closed timely and indicate that the incident was appropriately resolved.) | GGGGGGGGGGGGG | No issues
    4. Scheduling Controls (Confirm that changes to schedules are approved.) | GGGGGGGGGG | No issues

    Project Management (Proj Mgt)

    Continuous Audit Rating: Q3/2013: 2 Medium Priority issues

    Control Point / Audit Procedure | Ratings (quarterly, 2011 to 2014, oldest to newest) | Comments for Current Quarter

    1. Project Governance (Determine how projects are selected, prioritized, and aligned with Corporate strategy. Review associated policies and procedures.) | YGGG | No issues
    2. Project Framework Definition (Analyze the framework(s) in place across the organization and their compliance with industry standards - FFIEC, ITIL, CobiT.) | YYY | Q3/2013: Lessons learned considerations during planning, and business resource hours, are not included as requirements within the System Development Lifecycle (SDLC) Framework. (Medium Priority)
    3. Project Management (Assess the compliance of Project Management to defined project frameworks, and the quality of delivery.) | YYYYYG | No issues
    4. Project Engagement (Assess the adequacy of stakeholder engagement during projects, including internal and external communication strategies.) | YYGYYY | Q3/2013: Support groups are not engaged during project initiation. (Medium Priority)

    Global Data Interchange (GDI)

    Continuous Audit Rating: Q1/2014: 1 High Priority issue

    Control Point / Audit Procedure | Ratings (quarterly, 2011 to 2014, oldest to newest) | Comments for Current Quarter

    1. Policies and Procedures (Verify that applicable policies and procedures for the data transmissions are in place and reflect the current environment.) | GYYYG | No issues
    2. Encryption Protocols (Assess the process to protect data transmissions to and from external parties.) | GGG | No issues
    3. Authentication Controls (Determine that external data transmissions received are verified as originating from a known source.) | GGG | No issues
    4. Authorization Controls (Determine that access to data transmission systems is assigned commensurate with job functionality.) | GGR | Q1/2014: Application support personnel are assigned a powerful SWIFT Alliance Access application profile. (High Priority)
    5. Monitoring (Confirm that data transmissions are monitored, with unsuccessful transmissions of data being recorded and resolved.) | GGG | No issues
    6. Transmission Setup Requests (Verify that request systems and approval workflows exist for the setup or modification of data transmissions.) | GGG | No issues

    Primary Data Centers - USA

    Continuous Audit Rating: Q1/2014: 1 Low Priority issue

    Control Point / Audit Procedure | Ratings (quarterly, 2011 to 2014, oldest to newest) | Comments for Current Quarter

    1. Access Recertification (Assess the process to recertify physical access to the primary data centers. Verify that the physical access modifications resulting from the recertification were performed in a timely fashion.) | GYGGY | Q1/2014: An approved request to remove one individual's access to the TPC tape operations room was not executed in a timely manner. (Low Priority)
    2. Physical Access (Determine that physical access to the primary data centers is assigned commensurate with job functionality. Assess the process to authorize individuals' physical access to the primary data centers. Assess the process to revoke physical access to the primary data centers for those individuals who no longer require access.) | GGG | No issues
    3. Environmental Controls (Assess the preventative maintenance process for environmental control systems, including fire prevention/detection, temperature/humidity, uninterruptible power supply and generator systems.) | GGG | No issues
    4. IT Hardware Asset Management (Assess the process to maintain a comprehensive listing of computing resources maintained within the primary data centers.) | GGG | No issues

    Global Network Security (NetworkSec)

    Continuous Audit Rating: No issues

    Control Point / Audit Procedure | Ratings (quarterly, 2011 to 2014, oldest to newest) | Comments for Current Quarter

    1. Security Incidents (Incidents contain adequate documentation. Incidents are investigated and tracked to resolution.) | GGGGGGGGGGGGG | No issues
    2. Policies and Procedures (Assess the adequacy of applicable policies and procedures surrounding global network security. Assess segregation of duties between installation and deployment functions and reporting and monitoring functions.) | GGGGGGG | No issues
    3. Protection of Internal Network (Assess the process for implementing Intrusion Detection Systems. Assess the process for implementing Intrusion Prevention Systems.) | YYYYYGGGGG | No issues
    4. Monitoring (Evaluate the process to monitor, escalate, investigate and resolve intrusive network activities.) | GGGGGGGG | No issues
    5. Reporting (Evaluate management reporting practices pertaining to security incidents and suspicious network activity.) | GGGGGGGG | No issues

    Cyber Security (CyberSec)

    Continuous Audit Rating: Q2/2013: 2 High Priority issues

    Control Point / Audit Procedure | Ratings (quarterly, 2011 to 2014, oldest to newest) | Comments for Current Quarter

    1. Cyber Security Governance and Reporting (Review adequacy of information security organizational structure and reporting line for sufficient authority.) | GGGGRRRR | Q2/2013: Employees in international locations are using unapproved and informal translation applications. (High Priority)
    2. Cyber Security Exercises (Review vulnerability scans/assessments to determine follow through. Review of remote access controls.) | GGRRRR | Q2/2013: Controls to prevent the transfer of Company data to external devices can be bypassed. (High Priority)
    3. Simulated Hack of Network and Applications (Run independent application security scans / ethical hacks into selective networks and applications.) | GGGGGGGGG | No issues
    4. Signals Intelligence (Wireless security scans / ethical hacks into selective mobile devices.) | GGGGGG | No issues
    5. Web Behavioral Analytics (Email phishing through spoofed email. Monitoring of network traffic to analyze web behavior.) | RGGG | No issues
    6. Operating System Vulnerability Scans (Run security scans / ethical hacks into selective images of Operating Systems.) | GGGGGG | No issues
    7. Web Application Vulnerability Scans (Run back / front door advanced persistent attacks [APTs].) | GYYYG | No issues

    Global Business Continuity (BusinessContinuity)

    Continuous Audit Rating: No issues

    Control Point / Audit Procedure | Ratings (quarterly, 2011 to 2014, oldest to newest) | Comments for Current Quarter

    1. BCP/DR Requirements Definition, IT Strategy, Plan Development & Implementation (Analyze the overall structure for defining requirements through implementation.) | GGGGGGGGGG | No issues
    2. BCP Plan Review (Analyze BCP plans for comprehensiveness and effective testing and remediation.) | GGGGGGGGGGGGG | No issues
    3. BCP/DR Governance (Review GCP policy and Board and Senior Management oversight.) | GGGGGGGGGGGGGG | No issues
    4. BCP/DR Reporting (Monitor BRC weekly calls.) | GGGGGGGGGGGGG | No issues
    5. BCP/DR Exercises (Plan, Execution, Results) (Confirm that recovery exercises have been conducted with appropriate documentation and follow-up. Confirm that applications have been tested annually with appropriate documentation and follow-up. Confirm that applications have been tested according to scheduled requirements with appropriate documentation and follow-up.) | GYGGGGGGGGG | No issues

    Service Provider Management Office (SPMO)

    Continuous Audit Rating: No issues

    Control Point / Audit Procedure | Ratings (quarterly, 2011 to 2014, oldest to newest) | Comments for Current Quarter

    1. Administration/Organization (Analyze the organizational framework in place within IRM that handles the service provider management program.) | GGGGGGG | No issues
    2. Training (Ensure training is available to LOB personnel.) | GGGGGG | No issues
    3. Standard Tools (Security of systems/tools in place used to maintain SPM information.) | GGGGGG | No issues
    4. Service Provider Program Documentation (Completeness and accuracy of compiled data and Attestation Process.) | GGGGGG | No issues
    5. Individual Service Provider Documentation (SPM database contains current information relating to individual SPs deemed important.) | GGGGGG | No issues
    6. Site Visits (Procedures and processes to conduct site visits for service providers.) | GGGGGG | No issues
    7. Oversight, Support and Escalation Related to Service Providers (Follow-through of Responsibilities, Notification and Escalation, Review of Service Provider Management Reports.) | GGGGGGGGG | No issues

    Social Media

    Continuous Audit Rating: No issues

    Control Point / Audit Procedure | Ratings (quarterly, 2011 to 2014, oldest to newest) | Comments for Current Quarter

    1. Governance (Determine if policies and procedures regarding social media are up to date and reflect current conditions. Assess established governance structure for appropriate representation and adequacy.) | GGGGGG | No issues
    2. System Access Controls (Ascertain the appropriateness of system authentication controls and user provisioning to social media tools. Determine if access controls are assigned commensurate with job responsibilities.) | YYGG | No issues
    3. Content Change Controls (Ascertain the appropriateness of the processes to create, modify, approve and publish social media content. Ascertain the processes to detect and identify unauthorized social media content.) | GGG | No issues
    4. Monitoring of Brand (Ascertain the processes to review social media sites for awareness of non-corporate social media usage affecting the Company. Ascertain the escalation processes for any potential issues based on a set of pre-determined procedures.) | GGG | No issues

    Asset Servicing Core Apps

    Continuous Audit Rating: No issues

    Control Point / Audit Procedure | Ratings (quarterly, Q1/2012 to Q1/2013, oldest to newest) | Comments for Current Quarter

    1. Logical Access Controls and Monitoring (Verify that passwords are configured in line with policy and remain compliant during the year, that user authentication to the application complies with the Company's policy, and that logs exist which support the identification of security events in line with the criticality of the application.) | GYGGG | No issues
    2. Segregation of Duties (Verify that privileged accounts are documented and have clear ownership, that IT developers have no access to production, that Super Access is limited to appropriate individuals, and that duplicate/inactive user accounts are disabled/removed to prevent access misuse.) | GYGGG | No issues
    3. Application Stability (Availability reports are maintained and actively monitored against business expectations or vendor SLAs; application incidents are monitored, escalated and resolved as appropriate, including involvement of third-party vendor support.) | GGGGG | No issues
    4. Application Change Management (Verify that application changes follow the standard corporate processes, i.e. Harvest or Endevor. Where the corporate process is not followed, changes are managed following controls which provide the same level of assurance.) | GGGGG | No issues

    Logical Access (Mainframe), 2011 quarterly view

    Control Point / Audit Procedure | Qtr 1, 2011 | Qtr 2, 2011 | Qtr 3, 2011 | Qtr 4, 2011 | Comments for Current Quarter

    1. Authentication Controls (Verify that active user accounts belong to current employees or contractors. Review access to key operating system libraries/files.) | G | No issues
    2. Prevention of improper modifications: Protection of system resources (Verify that key security settings are established in accordance with standards. Review controls implemented through key RACF, Top Secret and ACF2 files.) | G G G G | No issues
    3. Monitoring: Detection of improper access (Assess the process for reviewing logs. Verify that activity of highly privileged accounts is reviewed.) | Y Y R R | Q3/2011: Powerful system permissions in the UNISYS computing environment are not effectively controlled and monitored. (High Priority)
    4. Provisioning (Assess the process for granting and revoking user access to operating systems and applications.) | G G G G | No issues
    5. Recertifying (Assess the process for recertifying user access.) | G | No issues

    Audit Rating: Q3/2011: 1 High Priority issue


    # | Control Point / Audit Procedure | Ratings (Qtr 1, Qtr 2, Qtr 3, Qtr 4 2011) | Comments for Current Quarter
    1 | Authentication Controls (Verify that active user accounts belong to current employees or contractors.) (Review access to key operating system libraries/files.) | Y Y Y G | Q4/2011: Administrative access to firewalls is not periodically reviewed. (Low Priority)
    2 | Authorization Controls (Review authorization levels of key accounts.) | R R R R | Q3/2011: An excessive number of user accounts (30,337 specific accounts and 85,170 total accounts) have administrator access across the global Windows environment. (High Priority)
    3 | Prevention of improper modifications: Protection of system resources (Verify that key security settings are set in accordance with standards.) Protection of production UDT (Verify UDT is adequately protected from improper modifications.) | Y G G G | No issues
    4 | Monitoring: Detection of improper access (Assess the process for reviewing logs.) (Verify that activity of highly privileged accounts is reviewed.) | G R | Q4/2011: Local account access management in the Windows environment is inappropriate. (Medium Priority); Q4/2011: Access controls to BlueCoat servers are inappropriate. (Medium Priority); Q4/2011: Administrators share a highly privileged account in the Federation Manager system. (Low Priority)
    5 | Provisioning (Assess the process for granting and revoking user access to operating systems and applications.) (Review the process for adding users to TACACS.) | G G G Y | Q4/2011: Temporary access to OpenVMS accounts with elevated privileges is inadequate. (Medium Priority)
    6 | Recertifying (Assess the process for recertifying user access.) | G G Y Y | Q3/2011: Exceptions for obtaining write access to USB storage devices are not being recertified. (Medium Priority)

    Audit Rating: Q3/2011: 1 High Priority issue, 1 Medium Priority issue; Q4/2011: 3 Medium Priority issues, 2 Low Priority issues


    Control Point / Audit Procedure | Ratings (Qtr 1, Qtr 2, Qtr 3, Qtr 4 2011) | Comments for Current Quarter
    Authentication Controls (Verify that administrative accounts for Remedy belong to current employees or contractors.) (Verify that administrative accounts for SCCB belong to current employees and/or contractors that have a business need for the access.) | G G G G | No issues
    Authorization Controls: Segregation of Duties (Level of access that developers have in Harvest and production.) (Level of access that Harvest Administrators have in the production environment.) (Separate development and production environments.) | G G G Y | Q4/2011: An IT developer has unrestricted access to a Pershing UK production server. (Medium Priority)
    Application Change Control Process (Confirm that application changes are authorized.) (Verify that emergency changes to applications comply with standards.) | R R R G | No issues
    Network Device Change Process (Confirm that changes to firewalls and routers are authorized.) | G G G G | No issues
    Database Change Process (Confirm that changes to databases are authorized.) | G | No issues
    Change Standards and Procedures (Standards govern the change management process for the Windows, UNIX, VMS, and mainframe platforms, as well as their associated source code version control systems.) (Standards govern ClearCase and Endevor.) | G | No issues
    Patch Management Process (Confirm that security patches are evaluated and applied.) | Y Y R R | Q3/2011: Technology governance over the administration and application of patches to the Company's computing infrastructure is ineffective. (High Priority)

    Audit Rating: Q3/2011: 1 High Priority issue; Q4/2011: 1 Medium Priority issue


    # | Control Point / Audit Procedure | Ratings (Qtr 1, Qtr 2, Qtr 3, Qtr 4 2011) | Comments for Current Quarter
    1 | Network Device Configurations (Ensure that the templates used for establishing and checking configuration parameters accord with policy and established practices.) (Review results of management's periodic process for confirming compliance with the templates and correcting differences.) (Confirm that configuration parameters match the templates.) | G G G G | No issues
    2 | Operating system parameters (Verify that key operating system libraries/files point to the appropriate start-up version.) (Ensure that the purpose of all start-up parameters is documented.) (Review documentation on duplicated key operating system members appearing in different libraries.) (Verify that group policy parameters are set securely.) | G G G R | Q4/2011: Critical configurations in the Windows environment are inappropriate. (High Priority)
    3 | System Configuration (Verify that logging is enabled.) (Verify that password settings are established in accordance with standards.) (Verify that key security settings are established in accordance with standards.) | G G R R | Q3/2011: A critical setting in the UNIX environment is set to allow unrestricted system access to several production servers. (High Priority); Q4/2011: UNIX servers do not have anti-virus software installed and are not being scanned for vulnerabilities. (High Priority); Q4/2011: UNIX server password parameters are not configured appropriately. (Medium Priority)
    4 | Network Design and Controls (Ensure that network design includes security elements such as IDS/IPS and firewalls in appropriate locations.) (Review firewall rules that govern access.) (Review design and implementation of remote access (VPN) including dual factor authentication and encryption.) (Review design and implementation of wireless entry points including authentication and encryption mechanisms.) | Y | Q4/2011: Firewalls are not configured appropriately. (Medium Priority)
    5 | Database Configuration (Verify that logging is enabled.) (Verify that security settings are established in accordance with standards.) | G G G G | No issues
    6 | Configuration Standards and Procedures (Review standards that govern the configuration of operating systems, security software, databases, and network devices.) | G | Q2/2011: Database security standards are outdated, inconsistent across heritage database platforms, and not aligned with the Corporate Authentication Policy [self-identified]. (Low Priority)

    Audit Rating: Q2/2011: 1 Low Priority issue; Q3/2011: 1 High Priority issue; Q4/2011: 2 High Priority issues, 2 Medium Priority issues


    # | Control Point / Audit Procedure | Ratings (Qtr 1, Qtr 2, Qtr 3, Qtr 4 2011) | Comments for Current Quarter
    1 | Authentication Controls (Verify that administrative accounts for the scheduling software belong to current employees or contractors.) (Verify that administrative accounts for the backup software belong to current employees or contractors.) | G G G G | No issues
    2 | Back-up Controls (Verify that back-ups are scheduled and successfully executed.) | G G G Y | Q4/2011: Back-up tapes with Highly Confidential Information are not protected from unauthorized removal from the data centers in which they reside. (Low Priority)
    3 | Incident management processes (Verify that Remedy tickets were closed timely and indicate that the incident was appropriately resolved.) | G G G G | No issues
    4 | Scheduling Controls (Confirm that changes to schedules are approved.) | G | No issues

    Audit Rating: Q4/2011: 1 Low Priority issue


    # | Control Point / Audit Procedure | Ratings (Qtr 1, Qtr 2, Qtr 3, Qtr 4 2011) | Comments for Current Quarter
    1 | Security Incidents (Incidents contain adequate documentation.) (Incidents are investigated and tracked to resolution.) | G G G G | No issues
    2 | Protection of Internal Network (Assess the process for implementing Intrusion Detection Systems.) (Assess the process for implementing Intrusion Prevention Systems.) | Y | Q4/2011: Four Internet gateways do not have forensic software installed. (Medium Priority); Q4/2011: BlueCoat logs are not encrypted when they are sent to ArcSight. (Low Priority)
    3 | Protection of Workstations (Assess the coverage state of antivirus software.) | G | No issues

    Audit Rating: Q4/2011: 1 Medium Priority issue, 1 Low Priority issue


    # | Control Point / Audit Procedure | Ratings (Qtr 1, Qtr 2, Qtr 3, Qtr 4 2011) | Comments for Current Quarter
    1 | BCP/DR Requirements Definition, IT Strategy, Plan Development & Implementation (Analyze the overall structure for defining requirements through implementation.) | G | No issues
    2 | BCP/DR Governance and Reporting (Review reports describing test results and corrective steps to be taken.) | G G G G | No issues
    3 | BCP/DR Exercises (Plan, Execution, Results) (Confirm that all applications have been tested according to scheduled requirements.) | Y Y | Q4/2011: NTAS application successful recovery cannot be demonstrated. (Medium Priority); Q4/2011: The disaster recovery test results in Asia do not always represent the achieved recovery times. (Medium Priority)

    Overall Audit Procedure Rating: Q4/2011: 2 Medium Priority issues


    Cathy's Version

    Continuous Audit / Component | Ratings (Qtr 1, 2010; then Q1-Q4 of 2011, 2012, 2013 and 2014, as recorded) | Comments for Current Quarter

    Information Technology
    Logical Access (Mainframe) | | No issues
    ACF2 | GGGGGGGGGGGGG |
    RACF | YYGGGGGGGGGGG |
    Top Secret Security | GGGGGGGGGGGGG |
    Application Security Database System | GGGGGGGGGGGGG |
    MVS and Mainframe Software | GGRRGGGGGGGGG |
    Enterprise Database Management Systems | GGGGGGGGGGGGG |
    Data Security Administration - Pershing | GGGGGGGGGGGGG |
    Data Security Administration | GGGGGGGGGGGGG |
    Logical Access (Distributed) | | Q4/2013: 1 High Priority issue, 1 Medium Priority issue
    Windows/Active Directory | RRRRRRRRRRRYYG |
    OpenVMS | GGGYGGGGGGGGG |
    Unix and Linux Operating Systems | GGGGGGGGGGGYY |
    Network Security & Administration | GGGYGGGGGGGGG |
    Enterprise Database Management Systems | YYYGGGGGGGGGG |
    Data Security Administration | GGGGGGGGGYGRR |
    Global Change Management | | Q3/2013: 1 High Priority issue; Q1/2014: 1 Medium Priority issue
    Centralized | YYYYYYRRGYYYY |
    Decentralized | GGGGGYYYG |
    Global Configuration Management | | Q2/2013: 1 High Priority issue, 1 Medium Priority issue; Q4/2013: 1 Medium Priority issue
    Mainframe | GGGGGGGGGGGGG |
    Distributed | GGRRRRYYYRRRR |
    Network | GGGYGGGGGGGGG |
    Global System Operations | | No issues
    Global Project Management | | Q3/2013: 2 Medium Priority issues
    Software Development Lifecycle (SDLC) | GGYYYY |
    Infrastructure Development Lifecycle (IDLC) | YYGGGG |
    Pershing Project Lifecycle (PPLC) | YYGGGG |
    Global Data Interchange | | No issues
    Primary Data Centers - USA | | Q1/2014: 1 Low Priority issue
    Global Network Security | | No issues
    Cyber Security | | Q2/2013: 2 High Priority issues

    Risk and Compliance
    Global Business Continuity | | No issues
    Service Provider Management Office | | No issues

    Marketing & Corporate Affairs
    Social Media | | No issues

    Logical Access (MF)

    # | Control Point / Audit Procedure | Ratings (Q1-Q4 of 2011, 2012, 2013 and 2014, as recorded) | Comments for Current Quarter
    | Continuous Audit Rating | | No issues
    1 | Authentication Controls (Verify that active user accounts belong to current employees or contractors.) (Review access to key operating system libraries/files.) | GGGGGGGGGG | No issues
    2 | Prevention of improper modifications: Protection of system resources (Verify that key security settings are established in accordance with standards.) (Review controls implemented through key RACF, Top Secret and ACF2 files.) | GGGGGGGGGGGGG | No issues
    3 | Monitoring: Detection of improper access (Assess the process for reviewing logs.) (Verify that activity of highly privileged accounts is reviewed.) | YYRRGGGGGGGGG | No issues
    4 | Provisioning (Assess the process for granting and revoking user access to operating systems and applications.) | GGGGGGGGGGGGG | No issues
    5 | Recertifying (Assess the process for recertifying user access.) | GGGGGGGGGG | No issues

    Issue Track Cheat Sheet
    Expected Completion Date: 03/19/2012 | Auditor: Amit Dhasmana/CorpUK/BNYMellon | 11TETC9913 Logical Access (Mainframe) Q3 | Q3/2011: Powerful system permissions in the UNISYS computing environment are not effectively controlled and monitored. (High Priority) | Closed by Nassos on 3/20

    Logical Access (Dist)

    # | Control Point / Audit Procedure | Ratings (Q1-Q4 of 2011, 2012, 2013 and 2014, as recorded) | Comments for Current Quarter
    | Continuous Audit Rating | | Q4/2013: 1 High Priority issue, 1 Medium Priority issue
    1 | Authentication Controls (Verify that active user accounts belong to current employees or contractors.) (Review access to key operating system libraries/files.) | YYYGGGGGGGGGG | No issues
    2 | Authorization Controls (Review authorization levels of key accounts.) | RRRRRRRRRRYYY | Q4/2013: The UNIX server support model employed by Pershing requires a large number of users to be assigned root access. (Medium Priority)
    3 | Prevention of improper modifications: Protection of system resources (Verify that key security settings are set in accordance with standards.) Protection of production UDTs (Verify UDTs are adequately protected from improper modifications.) | YYRGGGGGGGGRR | Q4/2013: A significant number of employees can amend the account details of approved payment files prior to their final submission to BACS for disbursement. (High Priority)
    4 | Monitoring: Detection of improper access (Assess the process for reviewing logs.) (Verify that activity of highly privileged accounts is reviewed.) | GRYYYGGGGGG | No issues
    5 | Provisioning (Assess the process for granting and revoking user access to operating systems and applications.) | GGGYGGGGGYGGG | No issues
    6 | Recertifying (Assess the process for recertifying user access.) | GGYYGGGGGGGGG | No issues

    ChgMgt

    # | Control Point / Audit Procedure | Ratings (Q1-Q4 of 2011, 2012, 2013 and 2014, as recorded) | Comments for Current Quarter
    | Continuous Audit Rating | | Q3/2013: 1 High Priority issue; Q1/2014: 1 Medium Priority issue
    1 | Authentication Controls (Verify that administrative accounts for Remedy belong to current employees or contractors.) (Verify that administrative accounts for SCCB belong to current employees and/or contractors that have a business need for the access.) | GGGGGGGGGGGGG | No issues
    2 | Authorization Controls: Segregation of Duties (Level of access that developers have in Harvest and production.) (Level of access that Harvest Administrators have in the production environment.) (Separate development and production environments.) | GGGYGGGGGGGGG | No issues
    3 | Application Change Control Process (Application changes follow the standard corporate processes, i.e. Harvest or Endevor.) (Verify that emergency changes to applications comply with standards.) | RRRGGGGGGRRRG | No issues
    4 | Network Device Change Process (Confirm that changes to firewalls and routers are authorized.) | GGGGGGGGGGRRR | Q3/2013: The tracking system used to validate firewall and router device changes was not capturing all change activity. (High Priority)
    5 | Database Change Process (Confirm that changes to databases are authorized.) | GGGGGGGGGG | No issues
    6 | Change Standards and Procedures (Standards govern the change management process for the Windows, UNIX, VMS, and mainframe platforms, as well as their associated source code version control systems.) (Standards govern ClearCase and Endevor.) | GGGGGGRGGY | Q1/2014: Risk Control Self-Assessments are incomplete, outdated or missing. (Medium Priority)
    7 | Patch Management Process (Confirm that security patches are evaluated and applied.) | YYRRRRRRGGGGG | No issues

    ConfigMgt

    # | Control Point / Audit Procedure | Ratings (Q1-Q4 of 2011, 2012, 2013 and 2014, as recorded) | Comments for Current Quarter
    | Continuous Audit Rating | | Q2/2013: 1 High Priority issue, 1 Medium Priority issue; Q4/2013: 1 Medium Priority issue
    1 | Network Device Configurations (Ensure that the templates used for establishing and checking configuration parameters accord with policy and established practices.) (Review results of management's periodic process for confirming compliance with the templates and correcting differences.) (Confirm that configuration parameters match the templates.) | GGGGGGGGGGGGG | No issues
    2 | Operating system parameters (Verify that key operating system libraries/files point to the appropriate start-up version.) (Ensure that the purpose of all start-up parameters is documented.) (Review documentation on duplicated key operating system members appearing in different libraries.) (Verify that group policy parameters are set securely.) | GGGRYYYGGGGGG | No issues
    3 | System Configuration (Verify that logging is enabled.) (Verify that password settings are established in accordance with standards.) (Verify that key security settings are established in accordance with standards.) | GGRRRYYGYRRRR | Q2/2013: Inadequate access controls exist for a large number of share drives throughout the Company. (High Priority)
    4 | Network Design and Controls (Ensure that network design includes security elements such as IDS/IPS and firewalls in appropriate locations.) (Review firewall rules that govern access.) (Review design and implementation of remote access (VPN) including dual factor authentication and encryption.) (Review design and implementation of wireless entry points including authentication and encryption mechanisms.) | YGGGGGGGYY | Q4/2013: The process for verifying and maintaining internet firewall configuration is not adequately formalized. (Medium Priority)
    5 | Database Configuration (Verify that logging is enabled.) (Verify that security settings are established in accordance with standards.) | GGGGGGYYGYYYY | Q2/2013: Governance over database password complexity enforcement is inappropriate. (Medium Priority)
    6 | Configuration Standards and Procedures (Review standards that govern the configuration of operating systems, security software, databases, and network devices.) | GGGGGGGGGG | No issues
    7 | Protection of Workstations (Assess the coverage state of antivirus software.) | GGGGYGGGGG | No issues

    SysOps

    Control Point / Audit Procedure2011201220132014Comments for Current Quarter

    Q1Q2Q3Q4Q1Q2Q3Q4Q1Q2Q3Q4Q1Q2Q3Q4Issue Track Cheat Sheet

    Continuous Audit RatingNo issues

    1Authentication Controls(Verify that administrative accounts for the scheduling software belong to current employees or contractors.)(Verify that administrative accounts for the backup software belong to current employees or contractors.)GGGGGGGGGGGGGNo issues

    2Back-up Controls(Verify that back-ups are scheduled and successfully executed.)GGGYGGGGGGGGGNo issues

    3Incident management processes(Verify that Remedy tickets were closed timely and indicate that the incident was appropriately resolved.)GGGGGGGGGGGGGNo issuesExpected Completion Date: 03/19/2012Auditor: Amit Dhasmana/CorpUK/BNYMellon11TETC9913 Logical Access (Mainframe) Q3Q3/2011: Powerful system permissions in the UNISYS computing environment are not effectively controlled and monitored. (High Priority)

    4No issues

    4Scheduling Controls(Confirm that changes to schedules are approved.)GGGGGGGGGGNo issuesClosed by Nassos on 3/20


    Proj Mgt

    Control Point / Audit Procedure | Ratings by quarter, 2011 Q1 through 2014 Q4 (as recorded) | Comments for Current Quarter
    Continuous Audit Rating | | Q3/2013: 2 Medium Priority issues
    1 | Project Governance (Determine how projects are selected, prioritized, and aligned with Corporate strategy. Review associated policies and procedures.) | Y G G G | No issues
    2 | Project Framework Definition (Analyze the framework(s) in place across the organization and their compliance with industry standards: FFIEC, ITIL, CobiT.) | Y Y Y | Q3/2013: Lessons learned considerations during planning, and business resource hours, are not included as requirements within the System Development Lifecycle (SDLC) Framework. (Medium Priority)
    3 | Project Management (Assess the compliance of Project Management with defined project frameworks, and the quality of delivery.) | Y Y Y Y Y G | No issues
    4 | Project Engagement (Assess the adequacy of stakeholder engagement during projects, including internal and external communication strategies.) | Y Y G Y Y Y | Q3/2013: Support groups are not engaged during project initiation. (Medium Priority)

    GDI

    Control Point / Audit Procedure | Ratings by quarter, 2011 Q1 through 2014 Q4 (as recorded) | Comments for Current Quarter
    Continuous Audit Rating | | No issues
    1 | Policies and Procedures (Verify that applicable policies and procedures for the data transmissions are in place and reflect the current environment.) | G Y Y Y G | No issues
    2 | Encryption Protocols (Assess the process to protect data transmissions to and from external parties.) | G G G | No issues
    3 | Authentication Controls (Determine that external data transmissions received are verified as originating from a known source.) | G G G | No issues
    4 | Authorization Controls (Determine that access to data transmission systems is assigned commensurate with job functionality.) | G G G | No issues
    5 | Monitoring (Confirm that data transmissions are monitored, with unsuccessful transmissions of data being recorded and resolved.) | G G G | No issues
    6 | Transmission Setup Requests (Verify that request systems and approval workflows exist for the setup or modification of data transmissions.) | G G G | No issues


    Primary Data Centers USA

    Control Point / Audit Procedure | Ratings by quarter, 2011 Q1 through 2014 Q4 (as recorded) | Comments for Current Quarter
    Continuous Audit Rating | | Q1/2014: 1 Low Priority issue
    1 | Access Recertification (Assess the process to recertify physical access to the primary data centers.) (Verify that the physical access modifications resulting from the recertification were performed in a timely fashion.) | G Y G G G | Q1/2014: An approved request to remove one individual's access to the TPC tape operations room was not executed in a timely manner. (Low Priority)
    2 | Physical Access (Determine that physical access to the primary data centers is assigned commensurate with job functionality.) (Assess the process to authorize individuals' physical access to the primary data centers.) (Assess the process to revoke physical access to the primary data centers for those individuals who no longer require access.) | G G G | No issues
    3 | Environmental Controls (Assess the preventative maintenance process for environmental control systems, including fire prevention/detection, temperature/humidity, uninterruptible power supply and generator systems.) | G G G | No issues
    4 | IT Hardware Asset Management (Assess the process to maintain a comprehensive listing of computing resources maintained within the primary data centers.) | G G G | No issues


    NetworkSec

    Control Point / Audit Procedure | Ratings by quarter, 2011 Q1 through 2014 Q4 (as recorded) | Comments for Current Quarter
    Continuous Audit Rating | | No issues
    1 | Security Incidents (Incidents contain adequate documentation.) (Incidents are investigated and tracked to resolution.) | G G G G G G G G G G G G G | No issues
    2 | Policies and Procedures (Assess the adequacy of applicable policies and procedures surrounding global network security.) (Assess segregation of duties between installation and deployment functions and reporting and monitoring functions.) | G G G G G G G | No issues
    3 | Protection of Internal Network (Assess the process for implementing Intrusion Detection Systems.) (Assess the process for implementing Intrusion Prevention Systems.) | Y Y Y Y Y G G G G G | No issues
    4 | Monitoring (Evaluate the process to monitor, escalate, investigate and resolve intrusive network activities.) | G G G G G G G G | No issues
    5 | Reporting (Evaluate management reporting practices pertaining to security incidents and suspicious network activity.) | G G G G G G G G | No issues
    Issue Track Cheat Sheet (embedded object)


    CyberSec

    Control Point / Audit Procedure | Ratings by quarter, 2011 Q1 through 2014 Q4 (as recorded) | Comments for Current Quarter
    Continuous Audit Rating | | Q2/2013: 2 High Priority issues
    1 | Cyber Security Governance and Reporting (Review adequacy of information security organizational structure and reporting line for sufficient authority.) | G G G G R R R R | Q2/2013: Employees in international locations are using unapproved and informal translation applications. (High Priority)
    2 | Cyber Security Exercises (Review vulnerability scans/assessments to determine follow through.) (Review of remote access controls.) | G G R R R R | Q2/2013: Controls to prevent the transfer of Company data to external devices can be bypassed. (High Priority)
    3 | Simulated Hack of Network and Applications (Run independent application security scans / ethical hacks into selective networks and applications.) | G G G G G G G G G | No issues
    4 | Signals Intelligence (Wireless security scans / ethical hacks into selective mobile devices.) | G G G G G G | No issues
    5 | Web Behavioral Analytics (Email phishing through spoofed email.) (Monitoring of network traffic to analyze web behavior.) | R G G G | No issues
    6 | Operating System Vulnerability Scans (Run security scans / ethical hacks into selective images of Operating Systems.) | G G G G G G | No issues
    7 | Web Application Vulnerability Scans (Run back / front door advanced persistent attacks [APTs].) | G Y Y Y G | No issues


    BusinessContinuity

    Control Point / Audit Procedure | Ratings by quarter, as recorded (header columns: Q2, then 2011 Q1 through 2014 Q4) | Comments for Current Quarter
    Continuous Audit Rating | | No issues
    1 | BCP/DR Requirements Definition, IT Strategy, Plan Development & Implementation (Analyze the overall structure for defining requirements through implementation.) | G G G G G G G G G G | No issues
    2 | BCP Plan Review (Analyze BCP plans for comprehensiveness and effective testing and remediation.) | G G G G G G G G G G G G G | No issues
    3 | BCP/DR Governance (Review GCP policy and Board and Senior Management oversight.) | G G G G G G G G G G G G G G | No issues
    4 | BCP/DR Reporting (Monitor BRC weekly calls.) | G G G G G G G G G G G G G | No issues
    5 | BCP/DR Exercises (Plan, Execution, Results) (Confirm that recovery exercises have been conducted with appropriate documentation and follow-up.) (Confirm that applications have been tested annually with appropriate documentation and follow-up.) (Confirm that applications have been tested according to scheduled requirements with appropriate documentation and follow-up.) | G Y G G G G G G G G G | No issues
    Issue Track Cheat Sheet (embedded object): Expected Completion Date: 03/19/2012; Auditor: Amit Dhasmana/CorpUK/BNYMellon11TETC9913 Logical Access (Mainframe) Q3; Q3/2011: Powerful system permissions in the UNISYS computing environment are not effectively controlled and monitored. (High Priority)


    SPMO

    Control Point / Audit Procedure | Ratings by quarter, 2011 Q1 through 2014 Q4 (as recorded) | Comments for Current Quarter
    Continuous Audit Rating | | No issues
    1 | Administration/Organization (Analyze the organizational framework in place within IRM that handles the service provider management program.) | G G G G G G G | No issues
    2 | Training (Ensure training is available to LOB personnel.) | G G G G G G | No issues
    3 | Standard Tools (Security of systems/tools in place used to maintain SPM information.) | G G G G G G | No issues
    4 | Service Provider Program Documentation (Completeness and accuracy of compiled data and Attestation Process.) | G G G G G G | No issues
    5 | Individual Service Provider Documentation (SPM database contains current information relating to individual SPs deemed important.) | G G G G G G | No issues
    6 | Site Visits (Procedures and processes to conduct site visits for service providers.) | G G G G G G | No issues
    7 | Oversight, Support and Escalation Related to Service Providers (Follow-through of Responsibilities, Notification and Escalation, Review of Service Provider Management Reports.) | G G G G G G G G G | No issues


    Social Media

    Control Point / Audit Procedure | Ratings by quarter, 2011 Q1 through 2014 Q4 (as recorded) | Comments for Current Quarter
    Continuous Audit Rating | | No issues
    1 | Governance (Determine if policies and procedures regarding social media are up to date and reflect current conditions.) (Assess established governance structure for appropriate representation and adequacy.) | G G G G G G | No issues
    2 | System Access Controls (Ascertain the appropriateness of system authentication controls and user provisioning to social media tools.) (Determine if access controls are assigned commensurate with job responsibilities.) | Y Y G G | No issues
    3 | Content Change Controls (Ascertain the appropriateness of the processes to create, modify, approve and publish social media content.) (Ascertain the processes to detect and identify unauthorized social media content.) | G G G | No issues
    4 | Monitoring of Brand (Ascertain the processes to review social media sites for awareness of non-corporate social media usage affecting the Company.) (Ascertain the escalation processes for any potential issues based on a set of pre-determined procedures.) | G G G | No issues


    Asset Servicing Core Apps

    Control Point / Audit Procedure | 2012 Q1 | 2012 Q2 | 2012 Q3 | 2012 Q4 | 2013 Q1 | Comments for Current Quarter
    Continuous Audit Rating | | | | | | No issues
    1 | Logical Access Controls and Monitoring (Verify that passwords are configured in line with policy and remain compliant during the year, that user authentication to the application complies with the Company's policy, and that logs exist which support the identification of security events in line with the criticality of the application.) | G | Y | G | G | G | No issues
    2 | Segregation of Duties (Verify that privileged accounts are documented and have clear ownership, that IT developers have no access to production, that Super Access is limited to appropriate individuals, and that duplicate/inactive user accounts are disabled/removed to prevent access misuse.) | G | Y | G | G | G | No issues
    3 | Application Stability (Availability reports are maintained and actively monitored against business expectations or vendor SLAs; application incidents are monitored, escalated and resolved as appropriate, including involvement of third party vendor support.) | G | G | G | G | G | No issues
    4 | Application Change Management (Verify that application changes follow the standard corporate processes, i.e. Harvest or Endevor. Where the corporate process is not followed, changes are managed following controls which provide the same level of assurance.) | G | G | G | G | G | No issues

    Control Point / Audit Procedure | Ratings 2011 (Qtr 1 to Qtr 4, as recorded) | Comments for Current Quarter
    1 | Authentication Controls (Verify that active user accounts belong to current employees or contractors.) (Review access to key operating system libraries/files.) | G | No issues
    2 | Prevention of improper modifications: Protection of system resources (Verify that key security settings are established in accordance with standards.) (Review controls implemented through key RACF, Top Secret and ACF2 files.) | G G G G | No issues
    3 | Monitoring: Detection of improper access (Assess the process for reviewing logs.) (Verify that activity of highly privileged accounts is reviewed.) | Y Y R R | Q3/2011: Powerful system permissions in the UNISYS computing environment are not effectively controlled and monitored. (High Priority)
    4 | Provisioning (Assess the process for granting and revoking user access to operating systems and applications.) | G G G G | No issues
    5 | Recertifying (Assess the process for recertifying user access.) | G | No issues
    Audit Rating | | Q3/2011: 1 High Priority issue


    Control Point / Audit Procedure | Ratings 2011 (Qtr 1 to Qtr 4, as recorded) | Comments for Current Quarter
    1 | Authentication Controls (Verify that active user accounts belong to current employees or contractors.) (Review access to key operating system libraries/files.) | Y Y Y G | Q4/2011: Administrative access to firewalls is not periodically reviewed. (Low Priority)
    2 | Authorization Controls (Review authorization levels of key accounts.) | R R R R | Q3/2011: An excessive number of user accounts (30,337 specific accounts and 85,170 total accounts) have administrator access across the global Windows environment. (High Priority)
    3 | Prevention of improper modifications: Protection of system resources (Verify that key security settings are set in accordance with standards.) Protection of production UDT (Verify UDT is adequately protected from improper modifications.) | Y G G G | No issues
    4 | Monitoring: Detection of improper access (Assess the process for reviewing logs.) (Verify that activity of highly privileged accounts is reviewed.) | G R | Q4/2011: Local account access management in the Windows environment is inappropriate. (Medium Priority) Q4/2011: Access controls to BlueCoat servers are inappropriate. (Medium Priority) Q4/2011: Administrators share a highly privileged account in the Federation Manager system. (Low Priority)
    5 | Provisioning (Assess the process for granting and revoking user access to operating systems and applications.) (Review the process for adding users to TACACS.) | G G G Y | Q4/2011: Temporary access to OpenVMS accounts with elevated privileges is inadequate. (Medium Priority)
    6 | Recertifying (Assess the process for recertifying user access.) | G G Y Y | Q3/2011: Exceptions for obtaining write access to USB storage devices are not being recertified. (Medium Priority)
    Audit Rating | | Q3/2011: 1 High Priority issue, 1 Medium Priority issue; Q4/2011: 3 Medium Priority issues, 2 Low Priority issues


    Control Point / Audit Procedure | Ratings 2011 (Qtr 1 to Qtr 4, as recorded) | Comments for Current Quarter
    Authentication Controls (Verify that administrative accounts for Remedy belong to current employees or contractors.) (Verify that administrative accounts for SCCB belong to current employees and/or contractors that have a business need for the access.) | G G G G | No issues
    Authorization Controls: Segregation of Duties (Level of access that developers have in Harvest and production.) (Level of access that Harvest Administrators have in the production environment.) (Separate development and production environments.) | G G G Y | Q4/2011: An IT developer has unrestricted access to a Pershing UK production server. (Medium Priority)
    Application Change Control Process (Confirm that application changes are authorized.) (Verify that emergency changes to applications comply with standards.) | R R R G | No issues
    Network Device Change Process (Confirm that changes to firewalls and routers are authorized.) | G G G G | No issues
    Database Change Process (Confirm that changes to databases are authorized.) | G | No issues
    Change Standards and Procedures (Standards govern the change management process for the Windows, UNIX, VMS, and mainframe platforms, as well as their associated source code version control systems.) (Standards govern ClearCase and Endevor.) | G | No issues
    Patch Management Process (Confirm that security patches are evaluated and applied.) | Y Y R R | Q3/2011: Technology governance over the administration and application of patches to the Company's computing infrastructure is ineffective. (High Priority)
    Audit Rating | | Q3/2011: 1 High Priority issue; Q4/2011: 1 Medium Priority issue


    Control Point / Audit Procedure | Ratings 2011 (Qtr 1 to Qtr 4, as recorded) | Comments for Current Quarter
    1 | Network Device Configurations (Ensure that the templates used for establishing and checking configuration parameters accord with policy and established practices.) (Review results of management's periodic process for confirming compliance with the templates and correcting differences.) (Confirm that configuration parameters match the templates.) | G G G G | No issues
    2 | Operating system parameters (Verify that key operating system libraries/files point to the appropriate start-up version.) (Ensure that the purpose of all start-up parameters is documented.) (Review documentation on duplicated key operating system members appearing in different libraries.) (Verify that group policy parameters are set securely.) | G G G R | Q4/2011: Critical configurations in the Windows environment are inappropriate. (High Priority)
    3 | System Configuration (Verify that logging is enabled.) (Verify that password settings are established in accordance with standards.) (Verify that key security settings are established in accordance with standards.) | G G R R | Q3/2011: A critical setting in the UNIX environment is set to allow unrestricted system access to several production servers. (High Priority) Q4/2011: UNIX servers do not have anti-virus so