AES 2012 INFORMATION TECHNOLOGY GENERAL COMPUTING CONTROLS (ITGC) CATALOG

Table columns as printed in the source: # | Control ID | Key SOX Control | Owner | Freq. | Prev. / Det. | Aut. / Man. | Test steps. In the listing below each control reads "# | Control ID | Key SOX Control", followed by a line "Owner | Freq. | Prev./Det. | Aut./Man." (frequency codes as printed: D, W, M, Q, S-A, A, X; P = preventive, D = detective; A = automated, M = manual) and then the test steps. Where the source leaves the owner blank, it is omitted.


GOVERNANCE

8.A.1 - Objective: Information Technology strategies, plans, personnel and budgets are consistent with AES' business and strategic requirements and goals.
Objective Risk Statement(s):
- IT projects, plans and budgets may not be in alignment with AES business objectives, and may not be approved.
- The IT organization may not meet the business objectives, causing potential lost revenue or business opportunities.

Activity: Strategic Planning

1 | 8.A.1.1 | The IT strategy is documented and aligned with AES' business and strategic goals. The IT strategy should cover, at a minimum, staffing and resource planning, ongoing and future projects, security / governance, and budget allocation (OPEX and CAPEX). The IT strategy must be updated, reviewed and approved by business management at a minimum on an annual basis, and must be communicated to relevant stakeholders.
  Owner: AES' CIO | Freq.: A | P | M
  Test steps:
  1) Obtain a copy of the IT strategy.
  2) Review the IT strategy and determine if it is aligned with AES' business and strategic goals.
  3) Determine if the IT strategy covers staffing and resource planning, ongoing and future projects, security / governance, and budget allocation (OPEX and CAPEX).
  4) Determine if the IT strategy was updated, reviewed and approved by business management for this year.
  5) Determine if the strategy was communicated to relevant stakeholders.

2 | 8.A.1.2 | An Information Technology Council or Steering Committee is nominated to periodically review and approve all significant and critical IT projects, to ensure alignment with AES' strategic business goals and requirements and the use of approved technologies. Committee membership should include representatives from the business and IT.
  Owner: AES' CIO / IT Leads | Freq.: A | P | M
  Test steps:
  1) Select a sample of projects from the current year.
  2) Determine if the project was approved by the Steering Committee.
  3) Determine if the project was reviewed to ensure that it was in line with business strategy.

3 | 8.A.1.3 | Job descriptions for key IT positions are documented and maintained, and clearly define the technical skills and experience required for the position.
  Owner: IT Leads | Freq.: A | P | M
  Test steps:
  1) Select a sample of jobs.
  2) Determine if the job descriptions and requirements are clearly defined.

4 | 8.A.1.4 | Each IT employee is clearly informed of his or her performance objectives for the year. Individual performance assessments are completed by the appropriate level of management and the result is communicated to the individual at a minimum on an annual basis.
  Owner: IT Leads | Freq.: A | P | M
  Test steps:
  1) Select a sample of IT personnel.
  2) Determine if the personnel have clearly defined performance objectives.
  3) Determine if the personnel have been assessed within the year.

5 | 8.A.1.5 | Key IT personnel receive periodic training. A formal training plan, documentation and attendance records must be retained.
  Owner: AES' CIO / IT Leads | Freq.: A | P | M
  Test steps:
  1) Select a sample of IT personnel.
  2) Determine if the personnel have received periodic training in accordance with corporate policy.

6 | 8.A.1.6 | On an annual basis, Internal Audit must provide an updated list of in-scope locations and financial cycles to AES IT. The AES IT group maps those key locations and cycles to the AES IT system(s) that support them; this list of systems constitutes AES' in-scope applications list.
  Owner: AES' CIO / IT Leads / Internal Audit | Freq.: A | P | M
  Test steps:
  1) Determine if AES Internal Audit has provided a key account, location and cycle scoping document to AES IT.
  2) Obtain the mapping from AES key accounts, locations and cycles to AES IT systems.
  3) Examine the mapping for reasonableness.

AES Corporation - Proprietary 1 of 9

8.A.2 - Objective: Information Technology policies and procedures have been developed and define the documentation needed to support the proper use of AES' critical systems.
Objective Risk Statement(s):
- IT projects, plans and budgets may not be in alignment with AES business objectives, and may not be approved.
- The IT organization may not meet the business objectives, causing potential lost revenue or business opportunities.

Activity: Policies and Procedures

7 | 8.A.2.1 | AES Corporate and local IT groups have a documented IT Policy which addresses the following IT areas: User Access (including end-user and privileged user administration); Operations Management (including systems backup / recovery and security / operations monitoring); Change Management; Program Development. The IT Policy is approved by AES management and communicated to relevant stakeholders at a minimum on an annual basis.
  Owner: IT Security Lead | Freq.: A | P | M
  Test steps:
  1) Determine if AES' IT policies are regularly reviewed and updated as changes in the environment dictate.
  2) When policies are changed, determine if management approves such changes.
  3) Determine if policies are communicated to all business units on at least an annual basis.

8 | 8.A.2.2 | AES Corporate and local IT groups have detailed IT procedures which address the following IT areas: User Access (including end-user and privileged user administration); Operations Management (including systems backup / recovery and security / operations monitoring); Change Management; Program Development. These procedures are approved by AES management and communicated to relevant stakeholders at a minimum on an annual basis.
  Owner: IT Security Lead | Freq.: A | P | M
  Test steps:
  1) Determine if AES' IT procedures are regularly reviewed and updated as changes in the environment dictate.
  2) When procedures are changed, determine if management approves such changes.
  3) Determine if procedures are communicated to all business units on at least an annual basis.

9 | 8.A.2.3 | For North America businesses, a Cyber Security policy is documented, maintained, approved by the appropriate level of management, and communicated to relevant stakeholders at a minimum on an annual basis. The policy addresses the requirements of the North American Electric Reliability Corporation (NERC) Cyber Security Standards (CIP-002 through CIP-009), including provision for emergency situations.
  Owner: IT Security Lead (NA only) | Freq.: A | P | M
  Test steps: Refer to 8.A.1.1.

10 | 8.A.2.4 | An IT Disaster Recovery Plan (DRP) is documented, maintained, approved by the appropriate level of management, and communicated to relevant stakeholders at a minimum on an annual basis.
  Owner: IT Operations Lead | Freq.: A | P | M
  Test steps: Refer to 8.A.1.1.

11 | 8.A.2.5 | A Technology Risk Assessment Methodology is documented, maintained, approved by the appropriate level of management, and communicated to relevant stakeholders at a minimum on an annual basis.
  Owner: IT Security Lead / Internal Audit | Freq.: A | P | M
  Test steps: Refer to 8.A.1.1.

8.A.3 - Objective: Third-party services are secure, accurate and available, support business needs and data processing integrity, and are clearly defined in service agreements and contracts.
Objective Risk Statement(s):
- Third-party arrangements and contracts may not be approved by AES management and may not support business and IT strategic objectives.
- Third-party vendors may not be held accountable for the agreed-upon service or product.
- Third-party arrangements may not be in compliance with local laws, regulations or statutes.

Activity: Third Party Services

12 | 8.A.3.1 | A designated individual or contract administrator is responsible for regular monitoring and reporting on the achievement of the third-party service level performance criteria.
  Owner: IT Lead | Freq.: A | P | M
  Test steps:
  1) Determine if the management of third-party services has been assigned to appropriate individuals.

13 | 8.A.3.2 | A formal contract / service agreement is defined and agreed for outsourced critical IT services before work is initiated, including definition of internal control requirements and acceptance of AES' policies, procedures, compliance clauses and code of conduct. Contracts / service agreements must include measurable Service Level Objectives based upon the agreed business requirements.
  Owner: Contract | Freq.: A | P | M
  Test steps:
  1) Review a sample of contracts and determine whether:
  - There is a definition of the services to be performed.
  - The responsibilities for the controls over the systems have been adequately defined.
  - The third party has accepted compliance with the organization's policies and procedures (e.g., IT security policies and procedures, compliance language, code of conduct).
  - The contracts were reviewed and signed by appropriate parties before work commenced.
  - The controls over financial reporting systems and subsystems described in the contract agree with those required by the organization.
  - There is a definition of measurable objectives for the services.

14 | 8.A.3.3 | When outsourcing IT services, based on the risk to AES, third-party providers perform independent reviews of their security and produce an annual independent audit report (e.g., SOC 1 and/or SOC 2), or allow AES a "right to audit" at a minimum on an annual basis. AES management reviews and assesses this report on an annual basis and determines if risks are appropriately mitigated.
  Owner: Contract | Freq.: A | P | M
  Test steps:
  1) Review a sample of critical outsourced service agreements and determine whether third-party service providers perform independent reviews of security, availability and processing integrity, e.g., a SOC 2 report, or a SOC 1 report (the successor to SAS 70) where the service affects financial reporting. A Type 2 report covers operating effectiveness over a stated period; confirm that period overlaps the year under review.
  2) Obtain a sample of the most recent review and determine if there are any control deficiencies that would impact AES' operations, and whether the complementary user entity controls the report assumes are in place at AES.

15 | 8.A.3.4 | Compliance with local and international software licensing agreements will be maintained. Any unlicensed or unauthorized software found on users' computing equipment will either be removed or the proper licensing agreement will be acquired in a timely manner.
  Owner: License | Freq.: A | P | M
  Test steps:
  1) Review a sample of applications and determine whether license requirements are met.

ACCESS MANAGEMENT

8.B.1 - Objective: Systems are appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data.
Objective Risk Statement(s):
- Unauthorized access to sensitive or critical data may occur.
- It may not be possible to establish accountability for changes to sensitive or critical data.
- Data integrity may not be maintained.
- Accounts may not be locked or removed in a timely manner, introducing additional risk of unauthorized access.
- Unused or terminated accounts may remain active for an excessive period of time; use of these accounts may introduce the risk of fraud.
- Access to IT systems for contractors and non-AES employees may not be appropriate.

Activity: Logical Security - End-user Account Administration

16 | 8.B.1.1 | All AES systems require end-users to authenticate with a valid and unique user ID and password prior to granting access. Strong passwords will be maintained and reset every one hundred twenty (120) days, at a maximum, for all user accounts on critical systems.
  Owner: System | Freq.: X | P | A
  Test steps:
  1) Observe that in-scope systems require a password for login.
  2) Obtain a copy of the password settings.
  3) Compare the system settings with corporate policy to ensure compliance.
  4) Inquire with the system owner about naming conventions and user security.

17 | 8.B.1.2 | When creating, modifying or deleting end-user accounts in AES systems, approval by an appropriate level of management must be obtained, documented and retained.
  Freq.: X | P | M
  Test steps:
  1) Obtain a listing of all user creations, modifications and deletions from HR.
  2) Select a sample of user change forms based on the frequency of user creations, modifications and deletions.
  3) Obtain a listing of the approvers responsible for approving user changes.
  4) For the sampled user change forms, determine if the appropriate level of management, per the list above, approved the change request.

18 | 8.B.1.3 | End-user master records for terminated employees and contractors must be disabled or removed within ten (10) business days for critical systems.
  Freq.: X | P | M
  Test steps:
  1) Obtain a listing of terminated employees from HR and the dates that notification was sent to the IT staff.
  2) Select a sample based on the frequency of terminations.
  3) Determine if terminated users are active in each system.
  4) Where possible, based on system logs or user termination forms, determine if users were removed from the system within 10 business days.

19 | 8.B.1.4 | End-user profiles for transferred employees and contractors must be modified in accordance with the user change request within ten (10) business days for critical systems.
  Freq.: X | P | M
  Test steps:
  1) Obtain a listing of transferred employees from HR and the dates that notification was sent to the IT staff.
  2) Select a sample based on the frequency of transfers.
  3) Determine if current access rights reflect their new location or responsibilities.
  4) Where possible, based on system logs or user change forms, determine if users were changed in the system within 10 business days.

20 | 8.B.1.5 | A current list of individuals with the authority to approve end-user account creation, modification and access reviews is maintained and updated as needed or when changes to personnel occur.
  Owner: IT Security Lead | Freq.: Q | P | M
  Test steps:
  1) Determine if a list of individuals with the authority to approve end-user account creation, modification and access reviews is maintained and updated periodically, and at a minimum on a quarterly basis.

21 | 8.B.1.6 | End-user accounts are disabled within a maximum of ninety (90) days of inactivity.
  Freq.: X | P | A / M
  Test steps:
  1) Determine if a security policy is set that disables accounts after 90 days of inactivity.
  2) If no such policy is set, determine if the 90-day limit is enforced through a manual process.

22 | 8.B.1.7 | End-user sessions on AES systems are automatically locked after twenty (20) minutes of inactivity.
  Freq.: X | P | A
  Test steps:
  1) Determine if a security policy is set that automatically locks the screen after 20 minutes of inactivity.

23 | 8.B.1.8 | AES systems display an "appropriate use" banner on the end-user screen upon all interactive access attempts.
  Freq.: X | P | A
  Test steps:
  1) Determine if critical systems display "appropriate use" banners.

24 | 8.B.1.26 | For SAP production environments, end-user master records for non-AES personnel must automatically expire in accordance with the contract, service agreement or business need. Master record expirations must be set to three (3) months at a maximum. The user is then required to re-solicit access rights via the regular local process.
  Freq.: X | P | A
  Test steps:
  1) Obtain a listing of non-AES accounts from each system.
  2) Determine the process for expiring non-AES accounts in each system.
  3) Select an appropriate sample of non-AES accounts and determine when they will expire and whether their expiration date meets the stated control.
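The end-user account tests above (8.B.1.3, 8.B.1.6 and 8.B.1.26) amount to reconciling an HR listing against a system account listing and checking each record against a fixed threshold. The following is an added worked example of that reconciliation; it is not part of the AES catalog and not AES code. The HR listing, the account listing and their field names are constructed for the example; "three months" in 8.B.1.26 is read as 92 days, and business days are counted as Monday to Friday with public holidays ignored, both of which are assumptions a real test would replace with the local calendar.

```python
"""Added example (not from the AES catalog): reconcile an HR termination listing
against a system account listing and test it against 8.B.1.3 (10 business days),
8.B.1.6 (90 days of inactivity) and 8.B.1.26 (non-AES records expire within three
months). All data below is constructed; field names are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TERMINATION_SLA_BUSINESS_DAYS = 10   # 8.B.1.3 / 8.B.1.4
INACTIVITY_LIMIT_DAYS = 90           # 8.B.1.6
CONTRACTOR_MAX_VALIDITY_DAYS = 92    # 8.B.1.26: "three months" read as 92 days (assumption)


@dataclass(frozen=True)
class Account:
    user_id: str
    active: bool
    last_login: Optional[date] = None
    disabled_on: Optional[date] = None
    contractor: bool = False
    valid_to: Optional[date] = None   # e.g. an SAP "valid through" date; None = no expiry set


def business_days_between(start: date, end: date) -> int:
    """Count Monday-Friday days d with start < d <= end (0 if end <= start).
    Public holidays are ignored; a production check would use a holiday calendar."""
    if end <= start:
        return 0
    count, d = 0, start + timedelta(days=1)
    while d <= end:
        if d.weekday() < 5:
            count += 1
        d += timedelta(days=1)
    return count


def terminated_accounts_overdue(terminations, accounts, as_of):
    """8.B.1.3: {user_id: (business-day lag, finding)} for terminated users whose
    account was disabled late, is still active past the SLA, or has no disable date."""
    findings = {}
    for user_id, notified in terminations.items():
        acct = accounts.get(user_id)
        if acct is None:
            continue                      # master record already removed: nothing to flag
        if acct.active:
            lag = business_days_between(notified, as_of)
            if lag > TERMINATION_SLA_BUSINESS_DAYS:
                findings[user_id] = (lag, "still active")
        elif acct.disabled_on is None:
            findings[user_id] = (None, "disabled, date not recorded")
        else:
            lag = business_days_between(notified, acct.disabled_on)
            if lag > TERMINATION_SLA_BUSINESS_DAYS:
                findings[user_id] = (lag, "disabled late")
    return findings


def inactive_accounts(accounts, as_of):
    """8.B.1.6: active accounts with no login in the last 90 days (or never)."""
    return sorted(
        a.user_id for a in accounts.values()
        if a.active and (a.last_login is None
                         or (as_of - a.last_login).days > INACTIVITY_LIMIT_DAYS)
    )


def contractor_expiry_exceptions(accounts, as_of):
    """8.B.1.26: active non-AES records with no expiry date, or an expiry date
    further out than CONTRACTOR_MAX_VALIDITY_DAYS from the review date."""
    return sorted(
        a.user_id for a in accounts.values()
        if a.active and a.contractor and (
            a.valid_to is None
            or (a.valid_to - as_of).days > CONTRACTOR_MAX_VALIDITY_DAYS)
    )


# --- constructed sample data (not real AES data) -------------------------------
AS_OF = date(2012, 6, 29)   # review date, a Friday

HR_TERMINATIONS = {         # user_id -> date IT was notified by HR
    "jdoe": date(2012, 6, 1),
    "asmith": date(2012, 6, 4),
    "bwong": date(2012, 6, 11),
}

ACCOUNTS = {a.user_id: a for a in [
    Account("jdoe", active=False, disabled_on=date(2012, 6, 8)),        # 5 business days: OK
    Account("asmith", active=True, last_login=date(2012, 6, 1)),         # still active: finding
    Account("bwong", active=False, disabled_on=date(2012, 6, 26)),       # 11 business days: late
    Account("cpatel", active=True, last_login=date(2012, 3, 1)),         # 120 days idle: finding
    Account("ctr_lee", active=True, last_login=date(2012, 6, 20), contractor=True),
    Account("ctr_ruiz", active=True, last_login=date(2012, 6, 21), contractor=True,
            valid_to=date(2012, 12, 31)),
    Account("ctr_kim", active=True, last_login=date(2012, 6, 22), contractor=True,
            valid_to=date(2012, 8, 31)),
]}

if __name__ == "__main__":
    print("8.B.1.3 overdue:", terminated_accounts_overdue(HR_TERMINATIONS, ACCOUNTS, AS_OF))
    print("8.B.1.6 inactive:", inactive_accounts(ACCOUNTS, AS_OF))
    print("8.B.1.26 expiry exceptions:", contractor_expiry_exceptions(ACCOUNTS, AS_OF))
```

The functions return the exception population rather than printing a pass/fail, so the same script can be pointed at a full system export to size the sample for steps 2 and 3 of the tests above; the business-day counter is the piece most worth adapting, since the catalog measures the 8.B.1.3 SLA in business days rather than calendar days.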

Activity: Logical Security - Privileged Account Administration

25 | 8.B.1.9 | Access to any privileged IDs in AES systems is restricted to authorized personnel only.
  Freq.: X | P | A
  Test steps:
  1) Obtain a system-generated listing of privileged accounts.
  2) Obtain a system-generated listing of users with access to those privileged accounts.
  3) Obtain a listing of the approvers responsible for user changes.
  4) For a sample of accounts based on risk, determine if the user's access is commensurate with job responsibilities.
  5) Determine if the user's access was approved by the appropriate level of management, per the list requested above.

26 | 8.B.1.10 | System-delivered and generic user IDs (e.g., SAP*, Oracle, root) must be locked, secured or disabled. At a minimum, the default passwords for these accounts must be changed annually.
  Freq.: Q | P | A / M
  Test steps:
  1) Obtain a system-generated listing of all user accounts for each system.
  2) For a sample of generic / delivered accounts based on risk, ensure that the account is disabled if there is no documented need for it.
  3) For a sample of generic / delivered accounts based on risk, ensure that the account's password has been changed.

27 | 8.B.1.11 | Security settings / parameters are configured to provide adequate security over AES systems. The security configuration is reviewed and approved on an annual basis.
  Freq.: Q | P | A / M
  Test steps:
  1) Determine the settings for each in-scope system which are critical to the control environment.
  2) Determine the current state of those settings and compare against expected results.

28 | 8.B.1.12 | Segregation of duties is maintained over requesting, approving, granting and monitoring access to critical systems.
  Freq.: X | P | A / M
  Test steps:
  1) Select a sample of user access requests.
  2) Determine if any were requested, approved or granted by the same person.

Activity: Physical Security - Datacenters, computer / network and control rooms

29 | 8.B.1.13 | Access to physical computing assets such as datacenters, computer / network and control rooms is restricted to authorized personnel only.
  Owner: IT Operations Lead | Freq.: X | P | A / M
  Test steps:
  1) Obtain copies of the access lists to the facilities.
  2) Determine if the access lists are limited to the appropriate personnel.
  3) Determine if the facilities use physical security systems, such as key card access.

30 | 8.B.1.14 | Safety, environmental and disaster prevention controls over critical technology components have been implemented and are maintained periodically, and at a minimum on an annual basis.
  Owner: IT Operations Lead | Freq.: A | P / D | A / M
  Test steps:
  1) Determine if physical security, safety, environmental and disaster prevention controls over critical technology components have been implemented and are maintained periodically, and at a minimum on an annual basis.

31 | 8.B.1.15 | The effectiveness of the security, safety, environmental and disaster prevention control mechanisms is reviewed periodically, and at least annually, to assess the business impact of potential threats to physical information resources.
  Owner: IT Operations Lead | Freq.: A | D | M
  Test steps:
  1) Determine if the effectiveness of the security, safety, environmental and disaster prevention control mechanisms is reviewed periodically, and at least annually, to assess the business impact of potential threats to physical information resources.

Activity: Network Security

32 | 8.B.1.16 | Network infrastructure, including firewalls, IDS/IPS, routers, switches, network operating systems and other related devices, is properly configured to prevent unauthorized access.
  Owner: Network Engineer | Freq.: X | P / D | A
  Test steps:
  1) Determine the sufficiency and appropriateness of perimeter security controls, including firewalls and intrusion detection systems.

33 | 8.B.1.17 | A network vulnerability assessment is performed periodically, and at least on an annual basis, to confirm that the network infrastructure is appropriately configured. Security findings are reviewed by the appropriate level of management and addressed in a timely manner.
  Owner: IT Security Lead / Network Engineer | Freq.: A | D | M
  Test steps:
  1) Select a sample of network vulnerability assessments.
  2) Determine if the appropriate action was taken for the findings.

34 | 8.B.1.18 | Anti-virus software is installed, configured and regularly updated on all systems where technically feasible.
  Owner: System / IT Service Desk Lead | Freq.: X | P / D | A
  Test steps:
  1) Determine if appropriate antivirus systems are used to protect the integrity and security of critical AES systems.

35 | 8.B.1.19 | Encryption techniques are used to support the confidentiality of AES' sensitive, private and confidential data stored in AES systems and / or sent from one system to another.
  Owner: System / Network Engineer | Freq.: X | P | A
  Test steps:
  1) Determine if data is encrypted where appropriate according to corporate policy.

36 | 8.B.1.20 | Content filtering (e.g., anti-spam) techniques and systems are implemented to protect critical systems and data within the network security perimeter where technically feasible.
  Owner: System | Freq.: X | P / D | A
  Test steps:
  1) Determine if content filtering systems are implemented where appropriate, according to corporate policy.

Activity: Security Monitoring

37 | 8.B.1.21 | The use of privileged IDs is reviewed on a monthly basis. Improper use is reported to the Application Security & s Director within five (5) days of occurrence, and action is taken to remediate inappropriate activity.
  Owner: IT Security | Freq.: Q | D | M
  Test steps:
  1) Obtain copies of the logging, monitoring and incident response policies and procedures, on a system-by-system basis.
  2) Observe the logging parameters in the system and determine if it is configured to log the usage of privileged accounts.
  3) From a sample of the logs, determine if the monthly review of privileged-ID usage required by the control has been performed.
  4) Determine if appropriate action was taken for any unusual activities or incidents.

38 | 8.B.1.22 | System events are logged (including attempts to gain unauthorized access to IT systems) and reviewed periodically, at a minimum on a quarterly basis. Suspicious activity is reported to the appropriate level of management in a timely manner. When merited, appropriate action is taken to prevent further incidents.
  Owner: IT Security | Freq.: Q | D | M
  Test steps:
  1) Select a sample of event logs.
  2) Determine if the logs were reviewed at least quarterly.
  3) Determine if the appropriate action was taken for any incidents.

39 | 8.B.1.23 | End-user access rights to systems and data are reviewed periodically by management, and at a minimum on a semi-annual basis, to validate the appropriateness of end-user access based on job functions. For critical systems, any discrepancies are addressed within ten (10) business days of receipt of notification from the approver.
  Owner: Business Owner | Freq.: S-A | D | M
  Test steps:
  1) Obtain copies of the system account review procedures.
  2) Determine if the semi-annual review of access rights was performed by the appropriate level of management.
  3) Determine if any discrepancies were escalated and then changed in the system.

40 | 8.B.1.24 | Personnel with access to privileged IDs are reviewed periodically, and at a minimum on a quarterly basis, to confirm that access privileges are appropriate and correspond with the individual's roles and responsibilities. Any discrepancies are addressed within ten (10) business days.
  Owner: IT Security Lead | Freq.: Q | D | M
  Test steps:
  1) Obtain copies of the system account review procedures.
  2) Determine if a quarterly review of access rights has been performed by the level of management responsible for reviewing access rights.
  3) Determine if any discrepancies were escalated and then fixed in the system.

41 | 8.B.1.25 | The list of personnel with physical access to critical computing assets such as datacenters, computer / network and control rooms is reviewed periodically, and at a minimum on a quarterly basis, to confirm that access privileges are appropriate and correspond with the individual's roles and responsibilities.
  Owner: IT Security Lead | Freq.: Q | D | M
  Test steps:
  1) Determine if the list of personnel with access to critical computing assets such as datacenters, computer / network and control rooms is reviewed periodically, and at a minimum on a quarterly basis, to confirm that access privileges are appropriate and correspond with the individual's roles and responsibilities.

CHANGE MANAGEMENT

8.C.1 - Objective: Changes to critical systems are authorized and appropriately tested before being migrated to production.
Objective Risk Statement(s):
- Production application program changes developed without the knowledge and authorization of appropriate parties may be invalid.
- Unauthorized direct changes to production data or systems may result in inaccurate, incomplete and / or invalid transactional or master data.
- Application program changes (including critical / emergency changes) may not be sufficiently tested to ensure that the changes meet the needs (financial or operational) of the business and function properly.
- Access to migrate application program changes to the production environment, perform development functions in production, modify production configuration settings, or perform administrative functions may be granted to unauthorized personnel, resulting in accidental or invalid changes.

Activity: Change Management

42 | 8.C.1.1 | Each request for change to an AES system must be appropriately documented.
  Owner: Change Coordinator | Freq.: X | P | M
  Test steps:
  1) Obtain the change management procedure.
  2) Determine if each change selected for testing captures the data required by the change management procedure.

43 | 8.C.1.2 | Changes to AES systems must be developed and tested in physically or logically segregated environment(s), separate from the production environment.
  Owner: IT Operations Lead | Freq.: X | P | M
  Test steps:
  1) Obtain a system-generated listing of all system changes.
  2) Select a sample of changes based on frequency.
  3) Determine if the sampled changes were developed and tested in an environment that is segregated from production.

44 | 8.C.1.3 | Changes must be tested and the test documentation must be retained.
  Owner: Change Approver | Freq.: X | P | M
  Test steps:
  1) Obtain a listing of all system changes.
  2) Select a sample of changes based on risk.
  3) Determine if documentation for the changes was retained according to corporate policy.

45 | 8.C.1.4 | Segregation of duties must exist between the person migrating a change into production and the developers of the change. Programmers / developers must not have functional access to the production environment.
  Owner: IT Security | Freq.: X | P | M
  Test steps:
  1) Determine, through an examination of user access lists, if any developers / testers have access to production.
  2) If this is not possible due to system limitations, obtain a listing of changes that were tested.
  3) For the sampled changes, ensure that the person who tested the change did not migrate the change into production.

46 | 8.C.1.5 | A current list of individuals with the authority to approve changes to production environments is reviewed and updated on an annual basis or when changes to personnel occur.
  Owner: Change Coordinator | Freq.: A | P | M
  Test steps:
  1) Determine if a list of individuals with the authority to approve changes to critical production environments is maintained and updated periodically, and at a minimum on an annual basis.

47 | 8.C.1.6 | Based on AES' list of authorized approvers (see control 8.C.1.5), each change must be approved prior to implementation.
  Owner: Change Coordinator | Freq.: X | P | M
  Test steps:
  1) Obtain a system-generated listing of all system changes.
  2) Obtain a listing of in-scope IT system and business owners.
  3) Select a sample of changes based on frequency.
  4) Determine if the sampled changes were approved by the IT system and business owners, per the list above.

48 | 8.C.1.7 | The effectiveness of changes to the production environment must be validated by the change requestor. If a change was unsuccessful or did not meet the requirements, the change must be reverted or rolled back.
  Owner: Change Requestor | Freq.: M | D | M
  Test steps:
  1) Select a sample of changes to the production environment.
  2) Determine if the effectiveness of the changes to the production environment was validated by the change requestor.
  3) For unsuccessful changes or changes that did not meet the requirements, determine that the changes were reverted or rolled back.
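The segregation-of-duties tests for access requests (8.B.1.12: "determine if any were requested, approved, or granted by the same person") and for changes (8.C.1.4 and 8.C.1.6: the developer must not migrate, developers must not hold production access, and the approver must be on the authorized list) are the same check applied to two record types. The following is an added worked example of that check; it is not part of the AES catalog and not AES code. The record layout, the authorized approver list and the production access list are constructed for the example.

```python
"""Added example (not from the AES catalog): a segregation-of-duties check over
constructed access-request and change records, following the test steps of
8.B.1.12 (request / approve / grant by different people), 8.C.1.4 (developer must
not migrate and must not hold production access) and 8.C.1.5 / 8.C.1.6 (approver
must be on the authorized approver list). Field names and lists are assumptions."""
from typing import Dict, List, Set, Tuple

# Role pairs that must be held by different people, per record type.
SOD_RULES: Dict[str, List[Tuple[str, str]]] = {
    "access": [("requested", "approved"), ("approved", "granted"), ("requested", "granted")],
    "change": [("requested", "approved"), ("developed", "approved"), ("developed", "migrated")],
}


def sod_findings(kind: str, roles: Dict[str, str]) -> List[str]:
    """Return one finding per conflicting role pair within a single record."""
    return [
        f"{a} and {b} by the same person ({roles[a]})"
        for a, b in SOD_RULES[kind]
        if roles.get(a) is not None and roles.get(a) == roles.get(b)
    ]


def audit_records(kind: str, records: Dict[str, Dict[str, str]],
                  authorized_approvers: Set[str], prod_access: Set[str]) -> Dict[str, List[str]]:
    """Run the SoD, authorized-approver and production-access tests over a listing
    of records. Returns {record_id: [findings]} for records with exceptions only."""
    exceptions: Dict[str, List[str]] = {}
    for rec_id, roles in records.items():
        findings = sod_findings(kind, roles)
        approver = roles.get("approved")
        if approver not in authorized_approvers:          # 8.C.1.6 against the 8.C.1.5 list
            findings.append(f"approver {approver} is not on the authorized approver list")
        developer = roles.get("developed")
        if kind == "change" and developer in prod_access:  # 8.C.1.4, second sentence
            findings.append(f"developer {developer} holds production access")
        if findings:
            exceptions[rec_id] = findings
    return exceptions


# --- constructed sample data (not real AES data) -------------------------------
AUTHORIZED_APPROVERS: Set[str] = {"it.owner", "biz.owner"}   # stand-in for the 8.C.1.5 list
PROD_ACCESS: Set[str] = {"ops1", "ops2", "dev2"}             # stand-in production access listing

ACCESS_REQUESTS = {
    "AR-1": {"requested": "alice", "approved": "it.owner", "granted": "secadmin"},
    "AR-2": {"requested": "bob", "approved": "bob", "granted": "secadmin"},       # self-approved
    "AR-3": {"requested": "alice", "approved": "it.owner", "granted": "it.owner"},  # approver granted
}

CHANGES = {
    "CHG-1001": {"requested": "alice", "approved": "it.owner", "developed": "dev1", "migrated": "ops1"},
    "CHG-1002": {"requested": "bob", "approved": "bob", "developed": "dev1", "migrated": "ops1"},
    "CHG-1003": {"requested": "alice", "approved": "biz.owner", "developed": "dev2", "migrated": "dev2"},
    "CHG-1004": {"requested": "carol", "approved": "dev1", "developed": "dev1", "migrated": "ops2"},
}

if __name__ == "__main__":
    for rec_id, found in audit_records("access", ACCESS_REQUESTS, AUTHORIZED_APPROVERS, PROD_ACCESS).items():
        print(rec_id, found)
    for rec_id, found in audit_records("change", CHANGES, AUTHORIZED_APPROVERS, PROD_ACCESS).items():
        print(rec_id, found)
```

Keeping the role pairs in a table rather than in code makes the difference between the two controls explicit: 8.C.1.7 expects the requestor to validate the change, so requestor and validator are deliberately not a conflicting pair, while 8.B.1.12 treats every pair of requester, approver and grantor as one.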

OPERATIONS

8.D.1 - Objective: Backup and recovery procedures are implemented such that business-critical systems and data can be recovered if needed.
Objective Risk Statement(s):
- Financial data loss may occur.
- Unauthorized access to sensitive or critical data may occur.
- Data integrity may not be maintained.

Activity: Backup and Recovery

49 | 8.D.1.1 | All systems are backed up. Backup media must be retained according to the local or corporate data retention policy or any applicable legal requirements.
  Owner: Backup | Freq.: D | P | A
  Test steps:
  1) Obtain copies of the backup policies and procedures.
  2) Observe that backups are configured for the system.
  3) Determine if the backups were retained according to policy.

50 | 8.D.1.2 | Scheduled backup jobs are monitored for failures; failures are resolved and remediated prior to the next full backup. Documentation of the actions taken is retained.
  Owner: Backup | Freq.: M | D | A
  Test steps:
  1) Obtain copies of the backup policies and procedures.
  2) Observe that backups are monitored.
  3) Determine if the appropriate action was taken for any failures.

51 | 8.D.1.3 | A sample of backup media is tested periodically, and at a minimum on a quarterly basis, to ensure the viability of the data should restoration be required. If a test is unsuccessful, a remediation plan must be documented and implemented in a timely manner and the test re-performed if necessary.
  Owner: Backup | Freq.: Q | D | M
  Test steps:
  1) Select a sample of backup media.
  2) Determine if the media was tested.
  3) Determine if any issues were resolved.

52 | 8.D.1.4 | All system backup media is stored in a separate secure location. Access to the stored backup media is restricted to authorized personnel only.
  Owner: Backup | Freq.: M | P | M
  Test steps:
  1) Select a sample of backup media.
  2) Determine if the media is stored in a separate and secure location.
  3) Obtain a list of personnel with access to the media.
  4) Determine if the access is appropriate.

53 | 8.D.1.5 | The IT Disaster Recovery Plan must be tested periodically, and at a minimum on an annual basis. Results of the test must be communicated to the appropriate level of management. If a test is unsuccessful, a remediation plan must be documented and implemented in a timely manner and the test re-performed if necessary.
  Owner: IT Operations Lead | Freq.: A | P | M
  Test steps:
  1) Obtain a copy of the IT disaster recovery plan.
  2) Determine if the plan is tested annually, and if the results are communicated to the appropriate stakeholders.
  3) Determine if remediation plans have been enacted for unsuccessful tests.

8.D.2 - Objective: Only authorized programs are executed and deviations from scheduled processing are identified and investigated, including controls over job scheduling, processing, error monitoring and system availability.
Objective Risk Statement(s):
- Financial data loss may occur.
- Unauthorized access to sensitive or critical data may occur.
- Data integrity may not be maintained.

Activity: Job and Batch Scheduling

54 | 8.D.2.1 | Access to create, modify and delete batch jobs within AES applications and batch management programs is restricted to authorized users only.
  Freq.: X | P | A
  Test steps:
  1) Obtain a system-generated listing of accounts with access to the job scheduler.
  2) For a sample of accounts based on risk, determine if the user's access is commensurate with job responsibilities.
  3) Determine if the user's access was approved by the level of management responsible for approving access.

55 | 8.D.2.2 | Critical scheduled jobs and batch activities are monitored for errors; errors are resolved in accordance with the system run book.
  Owner: System | Freq.: W | P | M
  Test steps:
  1) Obtain copies of the batch job policies and procedures.
  2) Observe that batch jobs are monitored.
  3) Determine if the appropriate action was taken for any errors.

8.D.3 - Objective: Technology problems and / or incidents are properly recorded, responded to, resolved or investigated for proper resolution.
Objective Risk Statement(s):
- Managing problems and incidents addresses how an organization identifies, documents and responds to events that fall outside of normal operations.

Activity: Incident Management

56 | 8.D.3.1 | A technology service request, incident and problem management system is used to ensure that operational events that are not part of standard operations (incidents, problems and errors) are recorded, analyzed and resolved in a timely manner.
  Owner: IT Service Desk Lead | Freq.: X | P | A
  Test steps:
  1) Determine if a technology service request, incident and problem management system is used to ensure that operational events that are not part of standard operations (incidents, problems and errors) are recorded, analyzed and resolved in a timely manner.

57 | 8.D.3.2 | Technology service requests, incidents and problems detected are addressed and responded to in a timely manner.
  Owner: IT Service Desk Lead | Freq.: X | P | M / A
  Test steps:
  1) Select a sample of service requests or incidents.
  2) Determine if the requests were responded to in a timely manner, according to corporate policy.

58 | 8.D.3.3 | Service Level Objectives and Key Performance Indicators are defined to monitor critical IT services. They are reviewed periodically, and at a minimum on an annual basis, by the appropriate level of management. Any under-performing services found are addressed in a timely manner.
  Owner: IT Service Desk Lead | Freq.: A | D | M
  Test steps:
  1) Obtain and test evidence that service levels are being actively managed in accordance with the service level agreements.

9 PROGRAM DEVELOPMENT 8.E.1 Objective: New applications, systems and infrastructure components are acquired or developed to effectively support business requirements and are appropriately tested and validated prior to being placed into production. Objective Risk Statement(s): - IT Projects, plans & budgets may not be in alignment with AES Business objectives, and may not be approved. - The IT Organization may not meet the business objectives causing potential lost revenue or business opportunities. Activity Description Acquire and Maintain Systems 59 8.E.1.1 Business owners participate in, and approve, the selection and design of business applications to ensure they meet business requirements. Approval of the development requirements for each new project must be documented by the IT management and business stakeholders prior to the initiation of a new project E.1.2 The IT Steering Committee periodically reviews significant and / or critical proposed and on-going IT projects to ensure alignment with AES' strategic business goals and requirements as well as the utilization of approved technologies. Project Manager X P M 1) Select a sample of projects from the current year. 2) Obtain a list of the appropriate project approvers. 3) Determine if the project was approved before the project was initiated 4) Determine if the project was reviewed to ensure that it was inline with business strategy. IT Leader Q P M 1) Select a sample of projects from the current year. 2) Determine if the project was approved by the Steering Committee. 3) Determine if the project was reviewed to ensure that it was inline with business strategy E.1.3 For system implementation and upgrade activities, a risk assessment should be performed to determine the extent of IT controls that are required, and the level of documentation appropriate; a review of the existing and planned system controls should be performed. 
Project Manager / Internal Audit X D M 1) Select a sample of financially significant projects deployed in the current year. 2) Determine if controls were considered in the design and deployment of the sampled system(s) 3) Obtain evidence that controls were tested prior to implementation E.1.4 Based on the risk to AES; perform independent pre/post-implementation reviews to verify that controls are operating effectively. Interfaces with other systems, data migration / data conversions, systems configuration, and segregation of duties for both end-users and administrators may be tested to confirm that the new implementation supports the existing IT controls environment. Results are documented and are reviewed by appropriate level of management. Remediation plans / management responses are documented for all identified control weaknesses E.1.5 Based on the implementation's risk to AES; test strategies are developed, documented and executed for critical systems being developed or acquired in accordance with the IT Program Development Document. Test strategies addresses at a minimum: system performance, end-user acceptance testing and data integrity such that deployed systems operate as intended E.1.6 System support and any required user documentation is created for all new developed or acquired business critical applications and systems. Documentation is communicated to IT support personnel and other relevant IT and business stakeholders. Internal Audit X D M 1) Determine if post-implementation reviews are performed on new systems and significant changes reported. 2) Examine post-implementation reviews over in-scope systems for reasonableness. Project Manager X D M / A 1) Select a sample of projects from the current year. 2) For the sampled projects, determine if the projects followed the documented project strategy and plan. 
3) Determine if the project strategy addressed at a minimum system performance, and end-user acceptance testing and data integrity so that deployed systems operate as intended. Project Manager X P M 1) Select a sample of critical projects. 2) Determine if user reference and support manuals and systems documentation and operations documentation were prepared E.1.7 Appropriate end user training should be performed for new systems and upgrades. 1) Select a sample of critical projects. 2) Determine if training was performed for each selected project and if training was appropriate based on the complexity and scope of the project E.1.8 Prior to final go-live of any new critical systems or projects, approval for that go-live must be obtained and documented by both. appropriate IT management and the Business application owner (or business stakeholder) Project Manager X D M / A 1) Select a sample of projects from the current year. 2) Obtain a list of the appropriate project approvers. 3) Determine if the project was approved before the go live date. AES Corporation - Proprietary 9 of 9


Carahsoft End-User Computing Solutions Services Carahsoft End-User Computing Solutions Services Service Description Horizon View Managed Services Gold Package Managed Services Packages Options # of Desktops to be Managed Desktop Type Duration of Services

More information

NTT DATA Service Description

NTT DATA Service Description NTT DATA Service Description NTT DATA Managed Services for Microsoft Azure Site Introduction NTT DATA is pleased to provide NTT DATA Managed Services for Microsoft Azure Site (the Service(s) ) in accordance

More information

IT Relation A/S. ISAE 3402 Type 2

IT Relation A/S. ISAE 3402 Type 2 Deloitte Statsautoriseret Revisionspartnerselskab CVR no. 33 96 35 56 Weidekampsgade 6 P.O. Box 1600 0900 Copenhagen C Denmark Phone +45 36 10 20 30 Fax +45 36 10 20 40 www.deloitte.dk IT Relation A/S

More information

Control Self Assessment Questionnaire

Control Self Assessment Questionnaire Control Self Assessment Questionnaire (31 Questions) 1. The department documents the monthly reconciliation of its Lynx finance accounts and reports. A yes answer indicates that the department has written

More information

ITSM Process/Change Management

ITSM Process/Change Management ITSM Process/Change Management Process Documentation Revision Date: December 13, 2017 Version Number: 2.0 Document Ownership Document Owner Maury Collins Revision History ITSM Role, Department Service

More information

TECHNOLOGY POLICY SUMMARY FOR THIRD PARTY SUPPLIERS

TECHNOLOGY POLICY SUMMARY FOR THIRD PARTY SUPPLIERS TECHNOLOGY POLICY SUMMARY FOR THIRD PARTY SUPPLIERS RATIONALE Group Policy Rationale This Policy has been designed to assist in managing the risk that Lloyds Banking Group (the Group) fails to simultaneously

More information

QUEENS LIBRARY AUDIT COMMITTEE THURSDAY, SEPTEMBER 8, Central Library Merrick Boulevard Jamaica, NY AGENDA

QUEENS LIBRARY AUDIT COMMITTEE THURSDAY, SEPTEMBER 8, Central Library Merrick Boulevard Jamaica, NY AGENDA QUEENS LIBRARY AUDIT COMMITTEE THURSDAY, SEPTEMBER 8, 2016 Central Library 89-11 Merrick Boulevard Jamaica, NY 11432 AGENDA 6:00 PM AUDIT COMMITTEE REGULAR MEETING Hon. Robert T. Groh Conference Room I.

More information

The Corporation of the City of Windsor Manage Changes to Information Systems

The Corporation of the City of Windsor Manage Changes to Information Systems www.pwc.com Final The Corporation of the City of Windsor Manage Changes to Information Systems Final Internal Audit Report 8 July 2015 Distribution List For action Harry Turnbull, Executive Director of

More information

ERP IMPLEMENTATION RISK

ERP IMPLEMENTATION RISK ERP IMPLEMENTATION RISK Kari Sklenka-Gordon, Director at RSM National ERP Risk Advisory Leader March 2017 2015 2016 RSM US LLP. All Rights Reserved. Speaker Kari Sklenka-Gordon National RSM ERP Risk Advisory

More information

your resume to Initial screening of candidates to occur no later than May 1, Position open until filled.

your resume to Initial screening of candidates to occur no later than May 1, Position open until filled. Title: Status: Reports to: Compensation: Benefits: To apply: Information Systems Manager Exempt, Full-time President Competitive salary based on experience Health insurance, dental insurance, vision insurance,

More information

Report on controls over Devon Funds Management Limited s investment management services. For the period from 1 January 2015 to 31 December 2015

Report on controls over Devon Funds Management Limited s investment management services. For the period from 1 January 2015 to 31 December 2015 Report on controls over Devon Funds Management Limited s investment management services For the period from 1 January 2015 to 31 December 2015 30 th March 2016 Appserv Limited s Assertion We have reviewed

More information

UNIVERSITY OF TOLEDO INTERNAL AUDIT BILL THE CUSTOMER

UNIVERSITY OF TOLEDO INTERNAL AUDIT BILL THE CUSTOMER The following control objectives provide a basis for strengthening your control environment for the process of billing the customer. When you select an objective, you will access a list of the associated

More information

St. Charles County Auditor's Office

St. Charles County Auditor's Office St. Charles County Auditor's Office 201 N. Second Street Room 526 St. Charles, MO 63301 (636) 949-7455 Fax (636) 949-7467 To Honorable County Council Members October 11, 2011 Honorable Steve Ehlmann, County

More information

IT Plan Instructions for FY18-FY19

IT Plan Instructions for FY18-FY19 IT Plan Instructions for FY18-FY19 Introduction and General Instructions The information technology plan for FY18-FY19 is web-enabled. You can navigate to the various sections of your agency s plan by

More information

IBM Emptoris Services Procurement on Cloud

IBM Emptoris Services Procurement on Cloud Service Description IBM Emptoris Services Procurement on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the company and its authorized users and recipients

More information

Executive Summary THE OFFICE OF THE INTERNAL AUDITOR. Internal Audit Update

Executive Summary THE OFFICE OF THE INTERNAL AUDITOR. Internal Audit Update 1 Page THE OFFICE OF THE INTERNAL AUDITOR The Office of Internal Audit focuses its attention on areas where it can contribute the most by working with the organization to reduce risk and increase operational

More information

EX0-114_Wins_Exam. Number: Passing Score: 800 Time Limit: 120 min File Version: 1.0

EX0-114_Wins_Exam.   Number: Passing Score: 800 Time Limit: 120 min File Version: 1.0 EX0-114_Wins_Exam Number: 000-000 Passing Score: 800 Time Limit: 120 min File Version: 1.0 http://www.gratisexam.com/ 20000 IT Service Management Foundation Bridge based on ISO/IEC Total Questions: 78

More information

INFORMATION TECHNOLOGY SERVICES

INFORMATION TECHNOLOGY SERVICES INFORMATION TECHNOLOGY SERVICES Information Technology Services: Service Level Agreement (SLA) SLA Number: 100 Related Service Level and Operating Level Agreements: Comments: SLA Revision History Date

More information

Alameda Countywide. Care Council. Manual

Alameda Countywide. Care Council. Manual Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide

More information

Risk assessment checklist - Plan and organize

Risk assessment checklist - Plan and organize Check Yes or No or N/A (where not applicable). Where a No is indicated, some action may be required to rectify the situation. Cross-references (e.g., See FN 1.01) point to the relevant policy in the First

More information