Scribd Logo
Upload

Welcome to Scribd!

  • 22 views

    Audit Program v2

    Uploaded by

    Raraj
    The document is an audit program guide from Navarro Amper and Company for Access Security Administration at Philippine Veterans Bank. It outlines the key objectives of determining if logical security tools are implemented and configured properly to restrict access, if all information resources have appropriate logical security controls, and if logical security tools are administered correctly to restrict access to programs and data. It then provides details on testing user access controls, including compliance with various policies, procedures, standards and reviewing access privileges, security tools, audit logs, procedures for employee role changes, limiting administrator access, and controlling privileged access.

    Copyright:

    © All Rights Reserved
    Download as XLSX, PDF, TXT or read online from Scribd

    Audit Program v2

    Uploaded by

    Raraj
    22 views16 pages
    The document is an audit program guide from Navarro Amper and Company for Access Security Administration at Philippine Veterans Bank. It outlines the key objectives of determining if logical security tools are implemented and configured properly to restrict access, if all information resources have appropriate logical security controls, and if logical security tools are administered correctly to restrict access to programs and data. It then provides details on testing user access controls, including compliance with various policies, procedures, standards and reviewing access privileges, security tools, audit logs, procedures for employee role changes, limiting administrator access, and controlling privileged access.

    Original Description:

    k

    Copyright

    © © All Rights Reserved

    Available Formats

    XLSX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document is an audit program guide from Navarro Amper and Company for Access Security Administration at Philippine Veterans Bank. It outlines the key objectives of determining if logical security tools are implemented and configured properly to restrict access, if all information resources have appropriate logical security controls, and if logical security tools are administered correctly to restrict access to programs and data. It then provides details on testing user access controls, including compliance with various policies, procedures, standards and reviewing access privileges, security tools, audit logs, procedures for employee role changes, limiting administrator access, and controlling privileged access.

    Copyright:

    © All Rights Reserved
    Download as XLSX, PDF, TXT or read online from Scribd
    Download as xlsx, pdf, or txt
    22 views16 pages

    Audit Program v2

    Uploaded by

    Raraj
    The document is an audit program guide from Navarro Amper and Company for Access Security Administration at Philippine Veterans Bank. It outlines the key objectives of determining if logical security tools are implemented and configured properly to restrict access, if all information resources have appropriate logical security controls, and if logical security tools are administered correctly to restrict access to programs and data. It then provides details on testing user access controls, including compliance with various policies, procedures, standards and reviewing access privileges, security tools, audit logs, procedures for employee role changes, limiting administrator access, and controlling privileged access.

    Copyright:

    © All Rights Reserved
    Download as XLSX, PDF, TXT or read online from Scribd
    Download as xlsx, pdf, or txt
    You are on page 1of 16

    Navarro Amper and Company

    (Deloitte Philippines)

    Audit Program Guide


    for
    Access Security Administration

    Philippine Veterans Bank


    Makati City

    Key Objectives
    To determine and verify the following

    Logical security tools and techniques are implemented and configured to enable restriction o
    All information resources are subject to appropriate logical security.
    Logical security tools and techniques are administered to restrict access to programs, data,
    Testing should include:
    Compliance with bank policies, procedures and regulatory requirements
    Compliance to BSP Circular 808
    Compliance with the ISO27001

    Coverage
    User Access Controls

    ured to enable restriction of access to application system.


    access to programs, data, and other information resources.

    USER ACCESS CONTROLS


    Objectives

    <A> Logical security tools and techniques are implemented and configured to ena
    <B> All information resources are subject to appropriate logical security.
    <C> Logical security tools and techniques are administered to restrict access to p
    * Covered period: April 1,2014 to March 31,2015
    No.

    Obj

    ecurity tools and techniques are implemented and configured to enable restriction of access to application system.
    mation resources are subject to appropriate logical security.
    ecurity tools and techniques are administered to restrict access to programs, data, and other information resources.
    eriod: April 1,2014 to March 31,2015
    Detailed Objective

    Control Activity Type

    Application owners authorize the nature and extent of user


    access privileges and such privileges are periodically
    reviewed by application owners to ensure access privileges
    remain appropriate.

    Preventive

    Information security tools include functionality designed to


    restrict and monitor access to application system. Such
    functionality typically includes restricting the nature and
    extent of users access privileges, log authorized and
    unauthorized attempts to access information resources.

    Detective

    Information security tools include functionality designed to


    restrict and monitor access to application system. Such
    functionality typically includes restricting the nature and
    extent of users access privileges, log authorized and
    unauthorized attempts to access information resources.

    Detective

    The security administrator is notified of employees who have Preventive


    changed roles and responsibilities, transferred, or been
    terminated. Access privileges of such employees are
    immediately changed to reflect their new status.

    The authority to administer user access information security Preventive


    is limited to appropriate personnel.

    Use of privileged access (the so-called "super user" and


    supplier default user) is limited to appropriate personnel,
    logged and reviewed.

    Preventive

    to application system.

    r information resources.

    Control Nature

    IT Nature

    Control
    Rating

    Manual

    IT Dependent

    Medium

    Manual

    IT Dependent

    Medium

    Manual

    IT Dependent

    Medium

    Manual

    IT Dependent

    Medium

    Automated

    IT Dependent

    High

    Manual

    IT Dependent

    Medium

    Testing Procedure
    (Detailed and step-by-step procedures are shown in the
    working papers)

    WP Ref

    T1.1
    T1.1 Understand and document the policies and
    procedures related to the authorization of user access to
    data and application systems.
    T1.2
    T1.2 Determine completeness of request form and
    timeliness of its maintenance in the system.
    T1.3 Determine creation and maintenance of user access T1.3
    matrix.
    T1.4
    T1.4 Determine appropriateness of user access given to
    users for every application/system.
    T1.5
    T1.5 Determine appropriateness of controls over shared
    accounts for every application/system.
    T1.6 Determine existence and effectivity of user access T1.6
    periodic review.

    T2.1 Understand and document the policies and


    procedures related to the unauthorized attempts and
    T2.1
    audit trail reporting.
    T2.2 Determine existence and effectivity of login history T2.2
    reporting process.

    T2.3 Determine existence and effectivity of audit trail


    T2.3
    existence (trace sample items to the source documents).
    T3.1 Understand and document the policies and
    procedures relating to notifications for employee roles
    changes, transfer and resignation/termination.

    T3.1

    T3.2 Determine timeliness of information to-and-from


    T3.2
    HR and IT (user access rights provider) and test whether
    access are granted/revoked in a timely manner.
    T4.1 Understand and document the policies and
    procedures related to the user access information
    security.

    T4.1

    T4.2 Determine name and User ID and the user access


    privileges granted to the user access administrator.

    T4.2

    T5.1 Understand and document the policies and


    procedures related to the limitation of usage, logging
    and reviewing of privileged access (the so called "super
    user") and supplier default users.

    T5.1

    T5.2 Determine (a) IDs for super-users and default


    supplier , and who uses them (b) their password
    changes history and (c) access validity.

    T5.2

    T5.3 Determine review process of super-users and


    default users activity.

    T5.3

    Interview Topic
    (this is not limited to the specific testing procedure but rather will
    cater to the specific objective as a whole)
    * Access provision process
    - forms used
    - who initiates, approves and effects the request form.
    * Creation and maintenance of User Access Matrix
    - who creates, approves and reviews.
    * User Access review process
    - who extracts and sent to whom
    - who reviews

    * User login (successful and not successful) summary reporting


    process.
    * User access rights changes review and reporting process.

    * User login (successful and not successful) summary reporting


    process.
    * User access rights changes review and reporting process.

    * Process and timeliness of HR informing IT Group (User Access


    provider) or IT Group inquiring HR during employee (a) change of
    responsibilites (b) transfer of department and (3)
    resignation/termination.

    * Process of administering user access information security.


    - who is the responsible department.

    * Maintenance of super-user and supplier default IDs.


    - Validity
    - Change of user passwords
    *Review of access made by super-user

    Test of Control Documentation


    (this is not limited to the specific testing procedure but rather will
    cater to the specific objective as a whole)
    * Policy relating to (1) user access rights (2) user access matrix and
    (3) user access review.
    * Actual request forms
    * List of users per application/system
    * User access matrix
    * Evidence of periodic review, if applicable.

    * Policy relating to (1) user login reporting process and (2) user
    access rights changes review.
    * Audit trail report on the changes and login. Note on the process of
    generation and distribution.

    * Policy relating to (1) user login reporting process and (2) user
    access rights changes review.
    * Audit trail report on the changes and login. Note on the process of
    generation and distribution.

    * Policy relating to HR informing IT or IT inquiring HR Group for any


    employee movement.
    * List of employees who (a) changed roles (b) transferred to another
    department and (c) resigned/terminated.

    * Policy relating to administering user access information security.

    * Policy relating to super-user and supplier default user.


    *List of super-user and default user for all applications, if any.

    You might also like