Question
Use the Access Control questionnaire from ASU below. Does the document include everything? Are there questions you would add? Take the survey using your own company or a company you frequent. Can you answer all the questions? What suggestions would you have for the questionnaire writer? Discuss your findings in a single document.
This assignment should be at least one page long (double spaced, APA format where applicable).
IT - General Controls Questionnaire
Internal Control Questionnaire
Question
Yes
No
N/A
Remarks
G1. ACCESS CONTROLS
Access controls are comprised of those policies and procedures that are designed to allow usage of data processing assets only in accordance with management’s authorization. Protection of these assets consists of both physical and logical access controls that prevent or detect unauthorized use, damage, loss, or modifications. The data processing resources to be protected include the system software, application programs and tables, transaction detail and history files, databases, documentation, hardware, and tape or cartridge libraries. Access to these resources should be limited to those individuals authorized to process or maintain a particular system.
PHYSICAL SECURITY
1. Does the university maintain written procedures relating to controls over the physical security of the computer equipment?
2. Is the physical location of the computer/server/storage/training rooms appropriate to ensure security?
3. *Are physical access devices (e.g., card-key or combination lock systems) used to restrict entrance to the computer room?
4. Obtain documentation listing all individuals with access to the computer room.
a. Are only those with a legitimate need included?
b. Are terminated or transferred employees' access codes cancelled in a timely manner?
5. Does the university have any policies for temporary access by employees, visitors, or outside vendors? (e.g., are these individuals escorted during their activities, or are ID badges or sign-in logs used?)
6. Does the university utilize monitoring software linked to the physical access device to electronically monitor computer room entrances?
a. Are access reports generated?
b. Are these reports reviewed by appropriate IT management?
7. Does the university use plate glass or other techniques (e.g., surveillance cameras) to visually monitor computer room access?
8. Does the university utilize procedures and devices to secure sensitive equipment and storage media from the risk of environmental damage, such as:
a. Halon, CO2, or dry-pipe water suppression systems?
b. Hand held fire extinguishers?
c. Smoke and heat sensors?
d. Water detectors and humidity controls?
e. Temperature controls and dedicated air conditioning units?
f. An uninterruptible power supply (UPS) and diesel or gas generators?
9. For any other sensitive areas, are access controls to these areas adequate? Examples of sensitive areas (besides the computer room) would include communications closets, any UPS equipment, and tape libraries.
LOGICAL ACCESS
10. Does the university maintain written policies or procedures related to the security controls over access to the system?
11. *Does the university utilize various levels of security products (e.g., security software, application and database security)?
12. *Determine the types of controls that are in place over the issuance, maintenance, and termination of passwords. Do such controls include:
a. A security administrator designated to control password security?
b. Informing employees of proper password security through training or signed security statements?
c. Unique passwords?
d. Passwords changed on a periodic basis?
e. Passwords cancelled or access rights modified in a timely manner upon an employee's termination or transfer?
13. *Are reports generated by the system's security software?
a. Are these reports regularly reviewed by the security administrator?
b. Are procedures in place to follow up on these reports?
14. Is sensitive data protected by restricted access or other controls?
15. If student data is maintained on unit computers, is security over the data sufficient to ensure compliance with the Family Educational Rights and Privacy Act (FERPA)?
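Items 4 and 12e/13 above (the computer-room access list, timely cancellation of leavers' access, and review of security reports) are normally tested by reconciling the list of active grants against the HR roster. The following is an added example of that reconciliation, not part of the ASU questionnaire or any company's tooling; the roster and grant records are constructed, and the one-day removal SLA and the department-to-resource authorization map are assumptions.

```python
"""Reconcile physical (badge) and logical (account) grants against the HR roster.

Added example for questionnaire items G1-4 and G1-12e/13. The records below are
constructed; REMOVAL_SLA_DAYS and the `authorized` map are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

REMOVAL_SLA_DAYS = 1  # assumption: access must be cancelled within one day of separation


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    terminated_on: Optional[date]   # None while employed; a transfer shows as a department change


@dataclass(frozen=True)
class AccessGrant:
    user_id: str
    resource: str                   # "computer-room" (badge) or "erp-prod" (account)
    revoked_on: Optional[date]      # None while the grant is still active


@dataclass(frozen=True)
class Finding:
    user_id: str
    resource: str
    issue: str                      # orphaned | stale | late-revocation | no-business-need
    detail: str


def reconcile(roster, grants, authorized, as_of):
    """Compare every grant with HR data and with the departments authorized for the resource."""
    by_id = {e.user_id: e for e in roster}
    findings = []
    for g in grants:
        emp = by_id.get(g.user_id)
        if emp is None:
            if g.revoked_on is None:
                findings.append(Finding(g.user_id, g.resource, "orphaned",
                                        "active grant with no HR roster record"))
            continue
        if emp.terminated_on is not None:
            # Leaver: measure how long the access outlived the separation date.
            end = g.revoked_on if g.revoked_on is not None else as_of
            overdue = (end - emp.terminated_on).days - REMOVAL_SLA_DAYS
            if overdue > 0:
                issue = "late-revocation" if g.revoked_on is not None else "stale"
                findings.append(Finding(g.user_id, g.resource, issue,
                                        f"{overdue} day(s) past the {REMOVAL_SLA_DAYS}-day SLA"))
            continue
        # Current employee: does the current department still justify the access (transfers)?
        if g.revoked_on is None and emp.department not in authorized.get(g.resource, set()):
            findings.append(Finding(g.user_id, g.resource, "no-business-need",
                                    f"department '{emp.department}' not authorized for {g.resource}"))
    return findings


def run_example(as_of=date(2024, 3, 15)):
    """Constructed sample data (not real ASU or IBM records)."""
    roster = [
        Employee("alice", "IT Operations", None),
        Employee("bob",   "IT Operations", date(2024, 3, 1)),
        Employee("carol", "Finance",       None),            # transferred out of IT Operations
        Employee("dave",  "IT Operations", date(2024, 3, 10)),
    ]
    grants = [
        AccessGrant("alice", "computer-room", None),
        AccessGrant("alice", "erp-prod",      None),
        AccessGrant("bob",   "computer-room", None),               # still active two weeks after leaving
        AccessGrant("carol", "computer-room", None),               # badge kept after transfer
        AccessGrant("dave",  "computer-room", date(2024, 3, 11)),  # revoked within the SLA
        AccessGrant("dave",  "erp-prod",      date(2024, 3, 14)),  # revoked, but late
        AccessGrant("erin",  "computer-room", None),               # nobody by that id in HR
    ]
    authorized = {"computer-room": {"IT Operations"},
                  "erp-prod": {"IT Operations", "Finance"}}
    return reconcile(roster, grants, authorized, as_of)


def issues_by_grant(findings):
    """Index findings as {(user_id, resource): issue} for reporting."""
    return {(f.user_id, f.resource): f.issue for f in findings}


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.issue:16} {f.user_id:6} {f.resource:14} {f.detail}")
```

Running it reports four findings: bob's badge is stale, dave's ERP account was revoked late, carol no longer has a business need for the computer room, and erin's badge is orphaned; dave's badge, revoked the day after separation, passes. The same comparison works for card-key exports and directory account dumps alike, which is why one script can serve both the physical and the logical half of G1.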
G2. PROGRAM CHANGE CONTROLS
Program change control is the process of the programmer making changes to computer programs based upon requests from users or due to general computer maintenance requirements. The change process involves authorization and approval procedures, audit trail of the requests, program testing, segregation of duties and documentation of the process.
1. Does the university maintain written procedures for controlling program changes through IT management and programming personnel?
2. *Do program change authorization forms or screens prepared by the user (usually called a Request for Services) include:
a. Authorizations by user management before proposed program changes are made?
b. Testing program changes?
c. IT management and user personnel review and approval of testing methodology and test results?
3. *Does the university use library control software or other controls to manage source programs and object programs, especially production programs?
4. *Does the university have procedures for emergency program changes (or program files)?
G3. BACKUP AND RECOVERY CONTROLS
Backup and recovery controls are the provisions to provide reasonable assurance that an organization will be able to recover from loss or destruction of data processing facilities, hardware, software, or data. These continuation provisions include the retention of copies of data files and software, arrangements for access to backup hardware on short notice and tested recovery plans.
1. *Are critical files and programs regularly copied to tapes or cartridges or other equivalent medium to establish a generation of files for audit trail purposes and removed to off-site storage to ensure availability in the event of a disaster?
2. Is a periodic inventory taken to verify that the appropriate backup files are being maintained?
3. Are controls in place at the off-site storage location to ensure that it is fireproof and secure?
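Items 1 and 2 above ask whether a generation of backup files is kept, moved off-site and periodically inventoried. The following is an added example of such an inventory check, not part of the ASU questionnaire or any vendor's backup product; the catalog, the stored images and the three-day generation window are constructed assumptions, and the check verifies each recorded copy's SHA-256 so that a silently corrupted or tampered image is reported rather than counted as a valid generation.

```python
"""Periodic backup inventory: generations present, off-site copy present, images intact.

Added example for questionnaire items G3-1 and G3-2. All data below is constructed;
the generation window and the one-day freshness limit are assumptions.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupRecord:
    dataset: str
    taken_on: date
    location: str      # "onsite" | "offsite"
    sha256: str        # digest recorded in the catalog when the backup was written


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inventory(catalog, stored, critical, as_of, daily_generations=7):
    """Return {dataset: [problems]}; an empty list means the dataset passed every check."""
    problems = {ds: [] for ds in critical}
    for ds in critical:
        recs = [r for r in catalog if r.dataset == ds]
        if not recs:
            problems[ds].append("no backups in catalog")
            continue
        latest = max(r.taken_on for r in recs)
        if (as_of - latest).days > 1:
            problems[ds].append(f"latest backup {latest} is older than 1 day")
        # Generation check: every day in the window should have at least one copy.
        wanted = {as_of - timedelta(days=i) for i in range(daily_generations)}
        missing = sorted(wanted - {r.taken_on for r in recs})
        if missing:
            problems[ds].append("missing daily generations: " + ", ".join(map(str, missing)))
        if not any(r.location == "offsite" for r in recs if r.taken_on == latest):
            problems[ds].append(f"latest backup {latest} has no off-site copy")
        # Integrity check: the image on the shelf must still match the catalog digest.
        for r in recs:
            key = (r.dataset, r.taken_on, r.location)
            image = stored.get(key)
            if image is None:
                problems[ds].append(f"{key} listed in catalog but not found in storage")
            elif sha256_hex(image) != r.sha256:
                problems[ds].append(f"{key} checksum mismatch (corrupt or tampered)")
    return problems


def run_example(as_of=date(2024, 3, 15)):
    """Constructed catalog and storage; three daily generations keep the listing short."""
    def image(ds, d):                       # deterministic stand-in for a backup image
        return f"{ds} backup taken {d}".encode()

    catalog, stored = [], {}
    for d in (date(2024, 3, 13), date(2024, 3, 14), date(2024, 3, 15)):
        for loc in ("onsite", "offsite"):   # student-records: complete and intact
            data = image("student-records", d)
            catalog.append(BackupRecord("student-records", d, loc, sha256_hex(data)))
            stored[("student-records", d, loc)] = data
    for d in (date(2024, 3, 13), date(2024, 3, 15)):   # payroll: 14th skipped, no off-site copies
        data = image("payroll", d)
        catalog.append(BackupRecord("payroll", d, "onsite", sha256_hex(data)))
        stored[("payroll", d, "onsite")] = data
    stored[("payroll", date(2024, 3, 13), "onsite")] = b"\x00" * 16   # media failure or tampering
    critical = ["student-records", "payroll", "ledger"]               # ledger never backed up
    return inventory(catalog, stored, critical, as_of, daily_generations=3)


if __name__ == "__main__":
    for ds, issues in run_example().items():
        print(ds, "OK" if not issues else "")
        for p in issues:
            print("  -", p)
```

In the sample run student-records passes, ledger has no backups at all, and payroll is flagged three times: a missing generation for the 14th, no off-site copy of the latest image, and a checksum mismatch on the 13th. Recording the digest in the catalog at backup time is what makes the last check possible; an inventory that only counts files cannot tell a restorable image from an unreadable one.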
DISASTER RECOVERY PLAN
4. Does the university have a documented disaster recovery plan for processing critical jobs in the event of a major hardware or software failure?
a. Has the disaster recovery plan been updated on a regular basis?
b. Has the recovery plan been tested?
5. Is the disaster recovery plan maintained off-site and updated when changes occur?
6. Does the backup and recovery plan include the following:
a. Personnel assigned to disaster teams with operating procedures and emergency phone numbers to reach them?
b. Arrangements for a designated physical facility?
c. A risk analysis identifying the critical applications, their exposures, and an assessment of the impact on the entity?
d. Arrangements with vendors to support the needed hardware and software requirements?
e. Forms or other control documents to use in case of a disaster?
G4. SYSTEM DEVELOPMENT AND ACQUISITION CONTROLS
Systems development is the process of creating new computerized applications in-house (i.e., within the organization). The development life cycle consists of several phases. Each phase has objectives, processes, products and reviews. The reviews provide a mechanism for determining at each phase whether user needs are being met and whether cost, control, and audit objectives are being achieved. Systems acquisition is the process of purchasing and implementing an application that has been developed by a third-party software vendor. The effective implementation of purchased applications also requires the entity to adopt a formal methodology to control the process. This methodology closely resembles that of in-house developed systems.
1. Interview IT management to determine whether any new financial applications were either (1) developed in-house or acquired from a vendor, or (2) planned or investigated during the current audit period.
If no planning related to the development or acquisition of new financial systems was performed during the audit period, do not complete this control module.
2. Did the university's procedures for developing new applications include:
a. System requirements analysis?
b. System specifications?
c. Technical design?
d. Technical procedure development?
e. User procedure development?
f. System and acceptance testing?
g. Transition?
3. *Were user personnel involved in new systems development (acquisition), particularly during design, development, testing, and conversion?
4. *Were audit and security concerns considered during the initial analysis phase? (If university has an internal audit staff, were internal auditors involved in new systems development (acquisition)?)
5. Did IT management adequately document:
a. Systems documentation?
b. Program documentation?
c. Operations documentation?
d. Users documentation?
G5. COMPUTER OPERATIONS CONTROLS
Computer operations controls are designed to ensure that systems continue to function consistently, as planned. They include controls over the use of the correct data, programs, and other resources, and the proper performance of this function by operators, particularly when a problem occurs.
1. Does the university maintain general operational documentation relating to the following procedures for which the operations staff are responsible?
a. System start-up procedures
b. Backup assignments
c. Emergency procedures
d. System shutdown procedures
e. Error message debugging instructions
f. System and job status reporting instructions
2. Does the university maintain application-specific operational instructions including:
a. Definitions of input sources, input data, and data formats?
b. Descriptions of restart procedures and checkpoints?
c. Descriptions of data storage requirements?
d. Types of console message instructions?
e. Copies of system flowcharts?
3. *Are operating logs maintained, retained and reviewed on an ongoing basis?
4. Are workloads properly managed by using manual or automated processing schedules to ensure that all jobs are processed and that deadlines and priorities are considered?
G6. DATABASE CONTROLS
A database is a collection of related data organized in a manner intended to be accessed by multiple users for varied purposes. Database controls are designed to ensure that activities related to the security, integrity, accountability and recoverability of the database are controlled.
1. Does the university have a Database Administrator (DBA)? Is the DBA responsible for managing the entity’s databases, including the following:
a. Design and implementation?
b. Monitoring and availability?
c. Integrity and security?
2. *Are Database Management Systems (DBMS) security features used to protect data against unauthorized access or manipulation?
3. *Are DBMS utilities and commands restricted to those responsible for the maintenance of the DBMS (usually a designated DBA)?
4. *For change control procedures for the Data Dictionary and DBMS:
a. Is proper authorization obtained prior to modification?
b. Are modifications tested?
c. Are modifications reviewed and approved?
d. Are changes documented?
5. Is the database and its data backed-up on a regular basis, and are backups secured off-site?
Explanation / Answer
The solution is written with a CMM level 5 company, such as IBM, in mind.
ACCESS CONTROL
IBM has detailed policies that are designed to allow usage of data processing assets only in accordance with management's authorization. Protection of these assets consists of both physical and logical access controls that prevent or detect unauthorized use, damage, loss, or modifications.
PHYSICAL SECURITY
Does the university maintain written procedures relating to controls over the physical security of the computer equipment?
YES they have
Is the physical location of the computer/server/storage/training rooms appropriate to ensure security?
YES they have
Are physical access devices (i.e., card-key or combination lock systems) used to restrict entrance to the computer room?
YES they have
Obtain documentation listing all individuals with access to the computer room.
YES they have
Are only those with a legitimate need included?
YES they have
Are terminated or transferred employees' access codes cancelled in a timely manner?
YES they have
Does the university have any policies for temporary access by employees, visitors, or outside vendors? (e.g., are these individuals escorted during their activities, or are ID badges or sign-in logs used?)
YES they have