Name: Ryan Smith
Email: ryan7882003@yahoo.com
Initiation of change:
• All changes must initiate from a valid source. Sources include a user request, continued problems with the system, etc.
• A Change Request Form or equivalent must be filled out at least containing these fields:
• Form Number,
• Description of Change Required,
• Reason for Change (Justification) and,
• Name and Position of Requester.
Risk Assessment:
• The severity of changes to the computer system should be addressed so that adequate notice can be given to all users and appropriate recovery procedures put in place, should a failure occur.
Priority:
• All changes should be assigned a priority that is agreed by the system and/or data owner.
• Only high priority (emergency) changes will be accepted with less than the specified minimum notice period.
System Owner Approval:
• Based on risk assessment, priority, and the cost of the change, system owners, following consultation with the system users, must approve the change before any further progress is made.
• All approvals must be made in appropriate forms and must contain:
• Form Number
• Risk Assessment and Backout Plans,
• Priority/ Criticality of Change (How badly do we need it),
• Costing,
• Target Date, and
• Name and Position of System Owner
Testing of Changes:
• All changes must be appropriately tested before they are applied to the production environment to reduce the risk of subsequent failure.
• All testing results must be fully documented.
• Testing results must have user acceptance and system owner signoff.
Implementation:
• Changes must only be implemented by appropriate personnel who must record the success or failure of the change.
• The implementation of the change into the production environment must be made by a person independent of the developer.
• The developer must not have access to the code while it is in test or prior to implementation.
• The implementation must be fully authorised by the system owner based on the results and success of the testing performed on the change. The authorisation should be recorded.
Documentation of Changes:
• Ensure that technical and user documentation exists.
• Verify that changes are applied to baseline documents, programs, database schemas and all other items that are affected by the change.
• All changes must be fully documented including user and technical documentation.
Emergency Changes:
• It is recognised that important changes will occasionally need to be made to the system at short notice. Such changes may be implemented before being approved but must be thoroughly documented and retrospectively reviewed.
• Have formal procedures been defined and documented for user administration (adding, deleting and modifying user access)?
• Are system configurations documented?
• Who is responsible for:
• System configuration
• Security administration
• Data ownership
• Physical security
• Operating system maintenance
• Backup and recovery
• Do they understand their responsibilities and are they defined?
• Are users made aware of their IT security responsibilities during induction and updated regularly?
• What is covered during these sessions?
• How do you ensure that system configuration settings have not been changed in an unauthorised manner?
• How many security incidents have there been over the last 12 months?
• Have there been instances of non-compliance with security procedures in the last 12 months internally?
• Are security incidents or events:
• Logged?
• Reviewed and followed up?
• Brought to the attention of management?
• Is there a security policy in place that complies with best practice (ISO 17799)? Review the policy.
• Has consideration been given to thwart attacks from outside the organisation?
• Has management assessed the security risks within the IT environment and identified the information and IT assets it wants to protect?
• Are security roles and responsibilities explicitly stated in the job descriptions of those responsible?
• Do all users sign a confidentiality agreement?
• What procedures are in place to prevent internal attacks from legitimate systems users?
• Have the IT facilities been secured to prevent vandalism and sabotage?
• Do you have any direct external connections into your network? If so, how are they authenticated and their access restricted to what they should be seeing? Do they come in via the firewall? If not, why not?
• Are all external connections appropriately authorised and required?
• Do you have appropriate security arrangements documented as part of your contract with third parties that you exchange data with?
• Do you have a robust e-mail policy?
• Is there a firewall between your network and all external connections?
• Is there an Internet usage policy? Do you monitor staff Internet activity?
• How do you protect external data communications used for EDI and EFT?
• Do you have a domain structure in place? What is the rationale behind the domain model used?
• Are all dial-up connection access requests appropriately authorised?
• How are dial-up users authenticated?
• How do you control connections used by external parties to provide remote support to your applications or systems?
• Do you encrypt your transmissions to other networks or use other means of protecting your data from being sniffed?
• How are remote connections authenticated?
• How do you dispose of discarded IT equipment and data media?
• Are confidential documents identified and protected?
• How is systems documentation secured?
• How is:
• The building housing the IT systems physically secured?
• The room housing the IT systems physically secured?
• Removable media (tapes, disks, etc.) secured and protected?
• Has the network topology been documented?
• Are network changes and operating system related changes controlled by standard change control?
• What IT related operational documentation is in place?
• How is the timely completion of batches and the IT environment monitored? How often is this information produced?
• Have there been issues with the timely completion of batches or performance in the IT environment?
• How are batch processes planned and scheduled? How does this process ensure that batch processes are planned in a manner that ensures that the relevant data is available for processing?
• How is the operation of batch processing documented for later review?
• Is there a UPS?
• How do you ensure that IT equipment is being appropriately maintained? How are IT related faults logged?
• How do you ensure that disruptions do not occur due to hardware failure?
• Is data retained sufficiently to meet regulatory requirements?
• Do you perform capacity planning and monitor IT system performance? What are the procedures?
• Are BCPs and DRPs in place? Are they tested on a regular basis and kept current?
• Are service level agreements in place for all outsourced arrangements? Do these include appropriate security arrangements?