Management must demonstrate its commitment to competence and proper behaviour involving IT, and provide proper training in this area. Human capital policies also play a key role in establishing a positive control environment for IT issues.
At the general controls level, the agency has not:
- limited user access to only that needed by users to perform their duties;
- developed adequate system software controls to protect programs and sensitive data;
- documented software changes;
- segregated incompatible duties;
- addressed service continuity;
- protected its network from unauthorized traffic.
At the application controls level, the agency has not maintained access authorizations.
(This is not an example of good practice!)
The agency can:
- implement logical (e.g. passwords) and physical access controls (e.g. locks, ID badges, alarms);
- deny the ability to log in to the operating system for application users;
- limit access to the production environment for the application development staff;
- use audit logs to register all access (attempts) and commands to detect security violations;
- have a contingency and disaster recovery plan to ensure the availability of critical resources and facilitate the continuity of operations;
- have firewalls and monitor the web server activity to secure the network traffic.
Procedures on IT control should be available and software changes should be documented before the software is placed in operation. Policies and job descriptions supporting the principles of segregation of duties should be developed. Audit logs on access (attempts) and (unauthorized) commands should be periodically reported and reviewed.
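Two of the controls above lend themselves to a simple periodic review: checking that application accounts cannot log in to the operating system, and reporting failed access attempts and unauthorized commands from the audit log. The following script is an added illustration, not part of the original text or of any agency's own tooling; it assumes Linux-style /etc/passwd entries and syslog-style sshd/sudo lines, and all sample data in it is constructed.

```python
"""Periodic review helpers for two IT controls: no OS login for application
accounts, and reporting of failed access attempts and denied commands.

Added example; all sample data below is constructed for illustration.
"""
import re
from collections import Counter

# Constructed /etc/passwd excerpt. Application (service) accounts should
# not have an interactive shell, so they cannot log in to the OS.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
appsvc:x:1001:1001:Payroll app service:/opt/payroll:/bin/bash
wwwdata:x:33:33:Web server:/var/www:/usr/sbin/nologin
dev1:x:1002:1002:Developer:/home/dev1:/bin/bash
batchsvc:x:1003:1003:Batch service:/opt/batch:/bin/false
"""

# Accounts the reviewer designates as application accounts (assumed list).
APPLICATION_ACCOUNTS = {"appsvc", "wwwdata", "batchsvc"}

# Shells that refuse an interactive login on common Linux distributions.
NON_INTERACTIVE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def app_accounts_with_login(passwd_text, app_accounts=APPLICATION_ACCOUNTS):
    """Return application accounts whose shell still permits OS login."""
    offenders = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; skip rather than guess
        name, shell = fields[0], fields[6]
        if name in app_accounts and shell not in NON_INTERACTIVE_SHELLS:
            offenders.append(name)
    return offenders


# Constructed syslog-style auth log lines (real formats vary by system).
AUTH_LOG_SAMPLE = """\
Mar 10 08:01:12 host sshd[2101]: Accepted publickey for dev1 from 10.0.0.5 port 51234 ssh2
Mar 10 08:02:40 host sshd[2110]: Failed password for appsvc from 10.0.0.9 port 40211 ssh2
Mar 10 08:02:44 host sshd[2110]: Failed password for appsvc from 10.0.0.9 port 40211 ssh2
Mar 10 08:02:49 host sshd[2110]: Failed password for invalid user admin from 10.0.0.9 port 40212 ssh2
Mar 10 08:15:03 host sudo:     dev1 : command not allowed ; TTY=pts/0 ; PWD=/home/dev1 ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 10 08:16:10 host sudo:     dev1 : TTY=pts/0 ; PWD=/home/dev1 ; USER=root ; COMMAND=/usr/bin/systemctl restart payroll
Mar 10 08:20:00 host sshd[2150]: Failed password for root from 10.0.0.9 port 40300 ssh2
"""

# Failed SSH password attempts, including attempts against unknown accounts.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
# sudo refusals: the user tried a command the policy does not allow.
SUDO_DENIED = re.compile(
    r"sudo:\s+(?P<user>\S+) : command not allowed .* COMMAND=(?P<cmd>.+)$"
)


def summarize_auth_log(log_text):
    """Summarize failed logins (by account and source) and denied sudo commands.

    The returned dict is what a reviewer would report on periodically.
    """
    failed_by_user = Counter()
    failed_by_src = Counter()
    denied_commands = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            failed_by_user[m.group("user")] += 1
            failed_by_src[m.group("src")] += 1
            continue
        m = SUDO_DENIED.search(line)
        if m:
            denied_commands.append((m.group("user"), m.group("cmd").strip()))
    return {
        "failed_by_user": dict(failed_by_user),
        "failed_by_src": dict(failed_by_src),
        "denied_commands": denied_commands,
    }


if __name__ == "__main__":
    print("Application accounts that can still log in:",
          app_accounts_with_login(PASSWD_SAMPLE))
    for key, value in summarize_auth_log(AUTH_LOG_SAMPLE).items():
        print(key, value)
```

On the sample data the first check reports `appsvc` (its shell is still `/bin/bash`), and the log summary shows four failed logins from one source, including repeated attempts against the application account, plus one denied privileged command; both findings are the kind of item the periodic review in the paragraph above is meant to surface.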
Performing an IT audit, doing a disaster simulation exercise, and monitoring the web server activity can be part of monitoring the IT environment.