AES 2012 INFORMATION TECHNOLOGY GENERAL COMPUTING CONTROLS (ITGC) CATALOG

Each control below is listed as: control ID, then in brackets the control owner and the three code columns as printed in the catalog (the last two being Prev. / Det. and Aut. / Man.), followed by the activity description and the test procedure.
GOVERNANCE

8.A.1 - Objective: Information Technology strategies, plans, personnel and budgets are consistent with AES' business and strategic requirements and goals.
Objective Risk Statement(s):
- IT projects, plans and budgets may not be in alignment with AES business objectives, and may not be approved.
- The IT organization may not meet the business objectives, causing potential lost revenue or business opportunities.

Activity: Strategic Planning

8.A.1.1 [AES' CIO | A P M]
  The IT strategy is documented and aligned with AES' business and strategic goals. The IT strategy should cover at a minimum staffing and resource planning, on-going and future projects, security / governance, and budget allocation (OPEX and CAPEX). The IT strategy must be updated, reviewed and approved by business management at a minimum on an annual basis. The strategy must be communicated to relevant stakeholders.
  Test procedure:
    1) Obtain a copy of the IT strategy.
    2) Review the IT strategy and determine if it is aligned with AES' business and strategic goals.
    3) Determine if the IT strategy covers staffing and resource planning, ongoing and future projects, security / governance, and budget allocation (OPEX and CAPEX).
    4) Determine if the IT strategy was updated, reviewed and approved by business management for this year.
    5) Determine if the strategy was communicated to relevant stakeholders.

8.A.1.2 [AES' CIO / IT Leads | A P M]
  An Information Technology Council or Steering Committee is nominated to periodically review and approve all significant and critical IT projects to ensure alignment with AES' strategic business goals and requirements as well as the use of approved technologies. This committee's membership should include representatives from the business and IT.
  Test procedure:
    1) Select a sample of projects from the current year.
    2) Determine if the project was approved by the Steering Committee.
    3) Determine if the project was reviewed to ensure that it was in line with business strategy.

8.A.1.3 [IT Leads | A P M]
  Job descriptions for key IT positions are documented and maintained. Job descriptions clearly define the technical skills and experience required for the positions.
  Test procedure:
    1) Select a sample of jobs.
    2) Determine if the job descriptions and requirements are clearly defined.

8.A.1.4 [IT Leads | A P M]
  IT personnel are clearly communicated their performance objectives for the year. Individual performance assessments are completed by the appropriate level of management and the result is communicated to the individual at a minimum on an annual basis.
  Test procedure:
    1) Select a sample of IT personnel.
    2) Determine if the personnel have clearly defined performance objectives.
    3) Determine if the personnel have been assessed within the year.

8.A.1.5 [AES' CIO / IT Leads | A P M]
  Key IT personnel receive periodic training. Formal training plans, documentation and attendance records must be retained.
  Test procedure:
    1) Select a sample of IT personnel.
    2) Determine if the personnel have received periodic training in accordance with corporate policy.

8.A.1.6 [AES' CIO / IT Leads / Internal Audit | A P M]
  On an annual basis, Internal Audit must provide an updated list of in-scope locations and financial cycles to AES IT. The AES IT group will map those key locations and cycles to the AES IT system(s) that support them. This list of systems will constitute AES' in-scope applications list.
  Test procedure:
    1) Determine if AES Internal Audit has provided a key account, location and cycle scoping document to AES IT.
    2) Obtain the mapping from AES key accounts, locations and cycles to AES IT systems.
    3) Examine for reasonableness.

AES Corporation - Proprietary 1 of 9
8.A.2 - Objective: Information Technology policies and procedures have been developed, and they define the documentation needed to support the proper use of AES' critical systems.
Objective Risk Statement(s):
- IT projects, plans and budgets may not be in alignment with AES business objectives, and may not be approved.
- The IT organization may not meet the business objectives, causing potential lost revenue or business opportunities.

Activity: Policies and Procedures

8.A.2.1 [IT Security Lead | A P M]
  AES Corporate and local IT groups have a documented policy which addresses the following IT areas: User Access (including end-user and privileged user administration); Operations Management (including systems backup / recovery and security / operations monitoring); Change Management; Program Development. The IT policy is approved by AES management and communicated to relevant stakeholders at a minimum on an annual basis.
  Test procedure:
    1) Determine if AES' IT policies are regularly reviewed and updated as changes in the environment dictate.
    2) When policies are changed, determine if management approves such changes.
    3) Determine if policies are communicated to all business units on at least an annual basis.

8.A.2.2 [IT Security Lead | A P M]
  AES Corporate and local IT groups have detailed IT procedures which address the following IT areas: User Access (including end-user and privileged user administration); Operations Management (including systems backup / recovery and security / operations monitoring); Change Management; Program Development. These procedures are approved by AES management and communicated to relevant stakeholders at a minimum on an annual basis.
  Test procedure:
    1) Determine if AES' IT procedures are regularly reviewed and updated as changes in the environment dictate.
    2) When procedures are changed, determine if management approves such changes.
    3) Determine if procedures are communicated to all business units on at least an annual basis.

8.A.2.3 [IT Security Lead (NA only) | A P M]
  For North America businesses, a Cyber Security policy is documented, maintained, approved by the appropriate level of management, and communicated to relevant stakeholders at a minimum on an annual basis. The policy addresses the requirements in the North American Electric Reliability Council's (NERC) Cyber Security Standards (CIP-002 through CIP-009), including provision for emergency situations.
  Test procedure: Refer to 8.A.1.1.

8.A.2.4 [IT Operations Lead | A P M]
  An IT Disaster Recovery Plan (DRP) is documented, maintained, approved by the appropriate level of management, and communicated to relevant stakeholders at a minimum on an annual basis.
  Test procedure: Refer to 8.A.1.1.

8.A.2.5 [IT Security Lead / Internal Audit | A P M]
  A Technology Risk Assessment Methodology is documented, maintained, approved by the appropriate level of management, and communicated to relevant stakeholders at a minimum on an annual basis.
  Test procedure: Refer to 8.A.1.1.
8.A.3 - Objective: Third-party services are secure, accurate and available, support business needs and data processing integrity, and are clearly defined in service agreements and contracts.
Objective Risk Statement(s):
- Third-party arrangements and contracts may not be approved by AES management and may not support business and IT strategic objectives.
- Third-party vendors may not be held accountable for the agreed-upon service or product.
- Third-party arrangements may not be in compliance with local laws, regulations or statutes.

Activity: Third Party Services

8.A.3.1 [IT Lead | A P M]
  A designated individual or contract administrator is responsible for regular monitoring and reporting on the achievement of the third-party service level performance criteria.
  Test procedure:
    1) Determine if the management of third-party services has been assigned to appropriate individuals.

8.A.3.2 [Contract | A P M]
  A formal contract / service agreement is defined and agreed for outsourced IT critical services before work is initiated, including definition of internal control requirements and acceptance of AES' policies, procedures, compliance clauses and code of conduct. Contract / service agreements must include measurable Service Level Objectives based upon the agreed business requirements.
  Test procedure:
    1) Review a sample of contracts and determine whether:
       - There is a definition of services to be performed.
       - The responsibilities for the controls over the systems have been adequately defined.
       - The third party has accepted compliance with the organization's policies and procedures, e.g., IT security policies and procedures, compliance language, code of conduct, etc.
       - The contracts were reviewed and signed by appropriate parties before work commenced.
       - The controls over financial reporting systems and subsystems described in the contract agree with those required by the organization.
       - There is a definition of measurable objectives for the services.

8.A.3.3 [Contract | A P M]
  When outsourcing IT services, based on the risk to AES, third-party providers perform independent reviews of their security and produce an annual independent audit report (i.e. SOC 1 and/or SOC 2) or allow AES a "right to audit" at a minimum on an annual basis. AES management reviews and assesses this report on an annual basis and determines if risks are appropriately mitigated.
  Test procedure:
    1) Review a sample of critical outsourced service agreements and determine whether third-party service providers perform independent reviews of security, availability and processing integrity, e.g., a SAS 70 report.
    2) Obtain a sample of the most recent reviews and determine if there are any control deficiencies that would impact AES' operations.

8.A.3.4 [License | A P M]
  Compliance with local and international software licensing agreements will be maintained. Any unlicensed or unauthorized software found on users' computing equipment will either be removed or the proper licensing agreement will be acquired in a timely manner.
  Test procedure:
    1) Review a sample of applications and determine whether license requirements are met.
ACCESS MANAGEMENT

8.B.1 - Objective: Systems are appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data.
Objective Risk Statement(s):
- Unauthorized access to sensitive or critical data may occur.
- It may not be possible to establish accountability for changes to sensitive or critical data.
- Data integrity may not be maintained.
- Accounts may not be locked or removed in a timely manner, introducing additional risk of unauthorized access.
- Unused or terminated accounts may remain active for an excessive period of time; use of these accounts may introduce the risk of fraud.
- Access to IT systems for contractors and non-AES employees may not be appropriate.

Activity: Logical Security - End-user Account Administration

8.B.1.1 [System / | X P A]
  All AES systems require end-users to authenticate with a valid and unique user ID and password prior to granting access. Strong passwords will be maintained and reset every one hundred twenty (120) days, at a maximum, for all user accounts on critical systems.
  Test procedure:
    1) Observe that in-scope systems require a password for login.
    2) Obtain a copy of the password settings.
    3) Compare system settings with corporate policy to ensure compliance.
    4) Inquire with the system owner about naming conventions and user security.

8.B.1.2 [X P M]
  When creating, modifying or deleting end-user accounts in AES systems, approval by an appropriate level of management must be obtained, documented and retained.
  Test procedure:
    1) Obtain a listing of all user creations, modifications and deletions from HR.
    2) Select a sample of user change forms based on the frequency of user creations, modifications and deletions.
    3) Obtain a listing of the approvers responsible for approving user changes.
    4) For a sample of user change forms, determine if the appropriate level of management, per the list above, has approved the change request.

8.B.1.3 [X P M]
  End-user master records for terminated employees and contractors must be disabled or removed within ten (10) business days for critical systems.
  Test procedure:
    1) Obtain a listing of terminated employees from HR and the dates that notification was sent to the IT staff.
    2) Select a sample based on the frequency of terminations.
    3) Determine if terminated users are active in each system.
    4) Where possible, based on system logs or user termination forms, determine if users were removed from the system within 10 business days.

8.B.1.4 [X P M]
  End-user profiles for transferred employees and contractors must be modified in accordance with the user change request within ten (10) business days for critical systems.
  Test procedure:
    1) Obtain a listing of transferred employees from HR and the dates that notification was sent to the IT staff.
    2) Select a sample based on the frequency of transfers.
    3) Determine if current access rights reflect their new location or responsibilities.
    4) Where possible, based on system logs or user change forms, determine if users were changed in the system within 10 business days.

8.B.1.5 [IT Security Lead | Q P M]
  A current list of individuals with the authority to approve end-user account creation, modification and access reviews is maintained and updated as needed or when changes to personnel occur.
  Test procedure:
    1) Determine if a list of individuals with the authority to approve end-user account creation, modification and access reviews is maintained and updated periodically and at a minimum on a quarterly basis.

8.B.1.6 [X P A / M]
  End-user accounts are disabled within a maximum of ninety (90) days of inactivity.
  Test procedure:
    1) Determine if a security policy is set that disables accounts after 90 days of inactivity.
    2) If no policy is set, determine if the 90-day limit is enforced through a manual process.

8.B.1.7 [X P A]
  End-user sessions on AES systems are automatically locked after twenty (20) minutes of inactivity.
  Test procedure:
    1) Determine if a security policy is set that automatically locks the screen after 20 minutes of inactivity.

8.B.1.8 [X P A]
  AES systems will display an "appropriate use" banner on the end-user screen upon all interactive access attempts.
  Test procedure:
    1) Determine if critical systems display "appropriate use" banners.

8.B.1.26 [X P A]
  For SAP production environments, end-user master records for non-AES personnel must automatically expire in accordance with the contract, service agreement or business need. Master record expirations must be set to three (3) months at a maximum. Users will be required to re-solicit their access rights via the regular local process.
  Test procedure:
    1) Obtain a listing of non-AES accounts from each system.
    2) Determine the process for expiring non-AES accounts in each system.
    3) Select an appropriate sample of non-AES accounts and determine when they will expire and if their expiration date meets the stated control.
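The test procedures for 8.B.1.3 (terminated users disabled within ten business days of HR notification) and 8.B.1.6 (accounts disabled after ninety days of inactivity) can be run as a script once the HR list and a system user export are in hand. The Python below is an added example and not part of the AES catalog; the record layout, field names and sample data are constructed for illustration, and public holidays are ignored in the business-day count.

```python
"""Added example (not part of the AES ITGC catalog): evidence checks for two
end-user account administration controls in the catalog.

  8.B.1.3 - master records of terminated employees / contractors disabled or
            removed within ten (10) business days of HR notification
  8.B.1.6 - accounts disabled within a maximum of ninety (90) days of inactivity

The HR list and system user export below are constructed sample data; their
field names (user_id, notified, disabled, enabled, last_login) are assumptions
for this example, not an export format of any real system."""
from datetime import date, timedelta

TERMINATION_DEADLINE_BDAYS = 10   # 8.B.1.3
INACTIVITY_LIMIT_DAYS = 90        # 8.B.1.6


def business_days_between(start, end):
    """Number of Monday-to-Friday days after `start` up to and including `end`.
    Public holidays are not excluded (an assumption of this example); add a
    holiday calendar if local policy counts them as non-business days."""
    if end <= start:
        return 0
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:          # 0..4 = Mon..Fri
            count += 1
    return count


def check_terminations(terminations, system_users, as_of):
    """8.B.1.3 steps 3-4: for each HR termination that has an account on the
    system, report whether it was disabled within the deadline. Accounts that
    are still active are measured against the audit date `as_of`."""
    by_id = {u["user_id"]: u for u in system_users}
    findings = []
    for t in terminations:
        acct = by_id.get(t["user_id"])
        if acct is None:
            continue                   # no account on this system
        if acct["disabled"] is None:
            elapsed = business_days_between(t["notified"], as_of)
            status = "ACTIVE-OVERDUE" if elapsed > TERMINATION_DEADLINE_BDAYS else "ACTIVE-WITHIN-WINDOW"
        else:
            elapsed = business_days_between(t["notified"], acct["disabled"])
            status = "LATE" if elapsed > TERMINATION_DEADLINE_BDAYS else "OK"
        findings.append({"control": "8.B.1.3", "user_id": t["user_id"],
                         "business_days": elapsed, "status": status})
    return findings


def check_inactivity(system_users, as_of):
    """8.B.1.6: enabled accounts with no login in the last 90 days, or with no
    recorded login at all (reported as an exception, since idle time is unknown)."""
    findings = []
    for u in system_users:
        if not u["enabled"]:
            continue
        idle = (as_of - u["last_login"]).days if u["last_login"] else None
        if idle is None or idle > INACTIVITY_LIMIT_DAYS:
            findings.append({"control": "8.B.1.6", "user_id": u["user_id"],
                             "idle_days": idle, "status": "EXCEPTION"})
    return findings


# Constructed sample data (not real AES records). 2012-10-01 is a Monday.
AS_OF = date(2012, 10, 1)
TERMINATIONS = [                              # HR notification dates
    {"user_id": "jdoe", "notified": date(2012, 9, 3)},
    {"user_id": "asmith", "notified": date(2012, 9, 10)},
    {"user_id": "bwong", "notified": date(2012, 9, 25)},
]
SYSTEM_USERS = [                              # system user export
    {"user_id": "jdoe", "enabled": False, "disabled": date(2012, 9, 20), "last_login": date(2012, 9, 1)},
    {"user_id": "asmith", "enabled": False, "disabled": date(2012, 9, 14), "last_login": date(2012, 9, 9)},
    {"user_id": "bwong", "enabled": True, "disabled": None, "last_login": date(2012, 9, 24)},
    {"user_id": "svc_batch", "enabled": True, "disabled": None, "last_login": date(2012, 5, 1)},
    {"user_id": "cdiaz", "enabled": True, "disabled": None, "last_login": date(2012, 9, 28)},
]

if __name__ == "__main__":
    for f in check_terminations(TERMINATIONS, SYSTEM_USERS, AS_OF) + check_inactivity(SYSTEM_USERS, AS_OF):
        print(f)
```

With the sample data, jdoe is flagged LATE (13 business days), svc_batch is an inactivity exception (153 idle days), and bwong is still inside the window at the audit date.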
Activity: Logical Security - Privileged Account Administration

8.B.1.9 [X P A]
  Access to any privileged IDs in AES systems is restricted to authorized personnel only.
  Test procedure:
    1) Obtain a system-generated listing of privileged accounts.
    2) Obtain a system-generated listing of users with access to those privileged accounts.
    3) Obtain a listing of the approvers responsible for user changes.
    4) For a sample of accounts based on risk, determine if the user's access is commensurate with job responsibilities.
    5) Determine if the user's access was approved by the appropriate level of management, per the requested list above.

8.B.1.10 [Q P A / M]
  System-delivered and generic user IDs (i.e. SAP*, Oracle, Root) must be locked, secured or disabled. At a minimum, default passwords for these accounts must be changed annually.
  Test procedure:
    1) Obtain a system-generated listing of all user accounts for each system.
    2) For a sample of generic / delivered accounts based on risk, ensure that the account is disabled if there is no documented need for the account.
    3) For a sample of generic / delivered accounts based on risk, ensure that the account's password has been changed.

8.B.1.11 [Q P A / M]
  Security settings / parameters are configured to provide adequate security over AES systems. Security configuration is reviewed and approved on an annual basis.
  Test procedure:
    1) Determine the settings for each in-scope system which are critical to the control environment.
    2) Determine the current state of those settings and compare against expected results.

8.B.1.12 [X P A / M]
  Segregation of duties is maintained over requesting, approving, granting and monitoring access to critical systems.
  Test procedure:
    1) Select a sample of user access requests.
    2) Determine if any were requested, approved or granted by the same person.
Activity: Physical Security - Datacenters, computer / network and control rooms

8.B.1.13 [IT Operations Lead | X P A / M]
  Access to physical computing assets such as datacenters, computer / network and control rooms is restricted to only authorized personnel.
  Test procedure:
    1) Obtain copies of access lists to the facilities.
    2) Determine if the access lists are limited to the appropriate personnel.
    3) Determine if the facilities use physical security systems, such as key card access.

8.B.1.14 [IT Operations Lead | A P / D A / M]
  Safety, environmental and disaster prevention controls over critical technology components have been implemented and are maintained periodically and at a minimum on an annual basis.
  Test procedure:
    1) Determine if physical security, safety, environmental and disaster prevention controls over critical technology components have been implemented and are maintained periodically and at a minimum on an annual basis.

8.B.1.15 [IT Operations Lead | A D M]
  The effectiveness of the security, safety, environmental and disaster prevention control mechanisms is reviewed periodically and at a minimum on an annual basis to assess the business impact of potential threats to physical information resources.
  Test procedure:
    1) Determine if the effectiveness of the security, safety, environmental and disaster prevention control mechanisms is reviewed periodically and at a minimum on an annual basis to assess the business impact of potential threats to physical information resources.

Activity: Network Security

8.B.1.16 [Network Engineer | X P / D A]
  Network infrastructure, including firewalls, IDS/IPS, routers, switches, network operating systems and other related devices, is properly configured to prevent unauthorized access.
  Test procedure:
    1) Determine the sufficiency and appropriateness of perimeter security controls, including firewalls and intrusion detection systems.

8.B.1.17 [IT Security Lead / Network Engineer | A D M]
  A network vulnerability assessment is performed periodically and at least on an annual basis to confirm that the network infrastructure is appropriately configured. Security findings are reviewed by the appropriate level of management and addressed in a timely manner.
  Test procedure:
    1) Select a sample of network vulnerability assessments.
    2) Determine if the appropriate action was taken for any incidents.

8.B.1.18 [System / IT Service Desk Lead | X P / D A]
  Anti-virus software is installed, configured and regularly updated on all systems where technically feasible.
  Test procedure:
    1) Determine if appropriate antivirus systems are used to protect the integrity and security of critical AES systems.

8.B.1.19 [System / Network Engineer | X P A]
  Encryption techniques are used to support the confidentiality of AES' sensitive, private and confidential data stored in AES' systems and / or sent from one system to another.
  Test procedure:
    1) Determine if data was encrypted when appropriate according to corporate policy.

8.B.1.20 [System | X P / D A]
  Content filtering (i.e. anti-spam) techniques and systems are implemented to protect critical systems and data within the network security perimeter where technically feasible.
  Test procedure:
    1) Determine if content filtering systems are implemented when appropriate, according to corporate policy.
Activity: Security Monitoring

8.B.1.21 [IT Security | Q D M]
  The use of privileged IDs is reviewed on a monthly basis. Improper use is reported to the Application Security & s Director within five (5) days of occurrence, and action is taken to remediate inappropriate activity.
  Test procedure:
    1) Obtain copies of the logging, monitoring and incident response policies and procedures, on a system-by-system basis.
    2) Observe the logging parameters in the system and determine if it is configured to log the usage of privileged accounts.
    3) From a sampling of the logs, determine if a weekly review of the logs has been performed.
    4) Determine if appropriate action was taken for any unusual activities or incidents.

8.B.1.22 [IT Security | Q D M]
  System events are logged and reviewed periodically (including attempts to gain unauthorized access to IT systems), at a minimum on a quarterly basis. Suspicious activity is reported to the appropriate level of management in a timely manner. When merited, appropriate action is taken to prevent further incidents.
  Test procedure:
    1) Select a sample of event logs.
    2) Determine if the logs were reviewed at least quarterly.
    3) Determine if the appropriate action was taken for any incidents.

8.B.1.23 [Business Owner | S-A D M]
  End-user access rights to systems and data are reviewed periodically by management and at a minimum on a bi-annual basis to validate the appropriateness of end-user access based on job functions. Any discrepancies are addressed within ten (10) business days of receipt of notification from the approver for critical systems.
  Test procedure:
    1) Obtain copies of the system account review procedures.
    2) Determine if an annual review of access rights was performed by the appropriate level of management.
    3) Determine if any discrepancies were escalated and then changed in the system.

8.B.1.24 [IT Security Lead | Q D M]
  Personnel with access to privileged IDs are reviewed periodically and at a minimum on a quarterly basis to confirm that access privileges are appropriate and that they correspond with the individual's roles and responsibilities. Any discrepancies are addressed within ten (10) business days.
  Test procedure:
    1) Obtain copies of the system account review procedures.
    2) Determine if a quarterly review of access rights has been performed by the level of management responsible for reviewing access rights.
    3) Determine if any discrepancies were escalated and then fixed in the system.

8.B.1.25 [IT Security Lead | Q D M]
  The list of personnel with physical access to critical computing assets such as datacenters, computer / network and control rooms is reviewed periodically and at a minimum on a quarterly basis to confirm that access privileges are appropriate and that they correspond with the individual's roles and responsibilities.
  Test procedure:
    1) Determine if the list of personnel with access to critical computing assets such as datacenters, computer / network and control rooms is reviewed periodically and at a minimum on a quarterly basis to confirm that access privileges are appropriate and that they correspond with the individual's roles and responsibilities.
CHANGE MANAGEMENT

8.C.1 - Objective: Changes to critical systems are authorized and appropriately tested before being migrated to production.
Objective Risk Statement(s):
- Production application program changes developed without the knowledge and authorization of appropriate parties may be invalid.
- Unauthorized direct changes to production data or systems may result in inaccurate, incomplete and/or invalid transactional or master data.
- Application program changes (including critical / emergency changes) may not be sufficiently tested to ensure that the changes meet the needs (financial or operational) of the business and function properly.
- Access to migrate application program changes to the production environment, perform development functions in production, modify production configuration settings or perform administrative functions may be granted to unauthorized personnel, resulting in accidental or invalid changes.

Activity: Change Management

8.C.1.1 [Change Coordinator | X P M]
  Each request for change to an AES system must be appropriately documented.
  Test procedure:
    1) Obtain the change management procedure.
    2) Determine if each change selected for testing is in compliance with the required data to be captured as part of the change management procedure.

8.C.1.2 [IT Operations Lead | X P M]
  Changes to AES systems must be developed and tested in physically or logically segregated environment(s), separate from the production environment.
  Test procedure:
    1) Obtain a system-generated listing of all system changes.
    2) Select a sample of changes based on frequency.
    3) Determine if the sampled changes were tested / developed in an environment that is segregated from production.

8.C.1.3 [Change Approver | X P M]
  Changes must be tested and documentation must be retained.
  Test procedure:
    1) Obtain a listing of all system changes.
    2) Select a sample of changes based on risk.
    3) Determine if documentation for the changes was retained according to corporate policy.

8.C.1.4 [IT Security | X P M]
  Segregation of duties must exist between the person migrating a change into production and the developers of the change. Programmers / developers must not have functional access to the production environment.
  Test procedure:
    1) Determine, through an examination of user access lists, if any developers / testers have access to production.
    2) If this is not possible due to limitations, obtain a listing of changes that were tested.
    3) For the sampled changes, ensure that the person testing the change did not migrate the change into production.

8.C.1.5 [Change Coordinator | A P M]
  A current list of individuals with the authority to approve changes to production environments is reviewed and updated on an annual basis or when changes to personnel occur.
  Test procedure:
    1) Determine if a list of individuals with the authority to approve changes to critical production environments is maintained and updated periodically and at a minimum on an annual basis.

8.C.1.6 [Change Coordinator | X P M]
  Based on AES' list of authorized approvers (see control 8.C.1.5), each change must be approved prior to implementation.
  Test procedure:
    1) Obtain a system-generated listing of all system changes.
    2) Obtain a listing of in-scope IT system and business owners.
    3) Select a sample of changes based on frequency.
    4) Determine if the sampled changes were approved by IT system and business owners, per the list above.

8.C.1.7 [Change Requestor | M D M]
  The effectiveness of changes to the production environment must be validated by the change requestor; if the change was unsuccessful or did not meet the requirements, the change must be reverted or rolled back.
  Test procedure:
    1) Select a sample of changes to the production environment.
    2) Determine if the effectiveness of changes to the production environment was validated by the change requestor.
    3) Determine if, for unsuccessful changes or changes that did not meet the requirements, the changes were reverted or rolled back.
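The segregation-of-duties tests in 8.B.1.12 (an access request must not be requested, approved or granted by the same person) and 8.C.1.4 (the developer or tester of a change must not migrate it into production, and developers must not hold production access) come down to the same check over a sample of records. The Python below is an added example and not code from the AES catalog; the field names and sample records are constructed for illustration.

```python
"""Added example (not part of the AES ITGC catalog): segregation-of-duties
tests for two controls in the catalog.

  8.B.1.12 - an access request must not be requested, approved or granted by
             the same person (test step 2)
  8.C.1.4  - the developer or tester of a change must not migrate it into
             production (test step 3), and developers / testers must not appear
             on the production access list (test step 1)

Record layouts and sample data are constructed for this example; they are not
an export format of any real change- or access-management system."""

# Role pairs that must not be held by the same person, per control.
ACCESS_REQUEST_PAIRS = [
    ("requested_by", "approved_by"),
    ("requested_by", "granted_by"),
    ("approved_by", "granted_by"),
]                                                   # 8.B.1.12
CHANGE_PAIRS = [
    ("developed_by", "migrated_by"),
    ("tested_by", "migrated_by"),
]                                                   # 8.C.1.4


def _same_person(a, b):
    """Case- and whitespace-insensitive identity match. Empty fields never
    match: a missing approver is a documentation finding, not an SoD one."""
    return bool(a and b) and a.strip().lower() == b.strip().lower()


def sod_violations(record, pairs):
    """Return [(role_a, role_b, person)] for every forbidden pair in `record`
    that resolves to the same person."""
    return [(a, b, record[a]) for a, b in pairs
            if _same_person(record.get(a), record.get(b))]


def review_access_requests(requests):
    """8.B.1.12: one finding per request with at least one conflict."""
    findings = []
    for r in requests:
        v = sod_violations(r, ACCESS_REQUEST_PAIRS)
        if v:
            findings.append({"control": "8.B.1.12", "id": r["id"], "violations": v})
    return findings


def review_changes(changes):
    """8.C.1.4 step 3: one finding per change migrated by its developer or tester."""
    findings = []
    for c in changes:
        v = sod_violations(c, CHANGE_PAIRS)
        if v:
            findings.append({"control": "8.C.1.4", "id": c["id"], "violations": v})
    return findings


def developers_with_prod_access(developers, prod_access_list):
    """8.C.1.4 step 1: user IDs on the production access list that belong to
    developers or testers, returned as they appear on the access list."""
    devs = {d.strip().lower() for d in developers}
    return sorted(u for u in prod_access_list if u.strip().lower() in devs)


# Constructed sample data (not real AES records).
ACCESS_REQUESTS = [
    {"id": "AR-101", "requested_by": "jdoe", "approved_by": "mlee", "granted_by": "secadmin1"},
    {"id": "AR-102", "requested_by": "jdoe", "approved_by": "jdoe", "granted_by": "secadmin1"},  # self-approved
    {"id": "AR-103", "requested_by": "rkim", "approved_by": "mlee", "granted_by": "MLEE"},       # approver also granted
    {"id": "AR-104", "requested_by": "rkim", "approved_by": "", "granted_by": "secadmin1"},      # approver missing
]
CHANGES = [
    {"id": "CHG-501", "developed_by": "dev1", "tested_by": "qa1", "migrated_by": "ops1"},
    {"id": "CHG-502", "developed_by": "dev2", "tested_by": "dev2", "migrated_by": "dev2"},       # no segregation at all
    {"id": "CHG-503", "developed_by": "dev1", "tested_by": "ops1", "migrated_by": "ops1"},       # tester migrated
]
DEVELOPERS = ["dev1", "dev2", "qa1"]
PROD_ACCESS = ["ops1", "DEV2", "secadmin1"]

if __name__ == "__main__":
    for f in review_access_requests(ACCESS_REQUESTS) + review_changes(CHANGES):
        print(f)
    print("developers on production access list:", developers_with_prod_access(DEVELOPERS, PROD_ACCESS))
```

AR-104 produces no SoD finding because its approver field is empty; that gap is picked up by the approval-documentation controls (8.B.1.2) rather than by this check.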
OPERATIONS

8.D.1 - Objective: Backup and recovery procedures are implemented such that business-critical systems and data can be recovered if needed.
Objective Risk Statement(s):
- Financial data loss may occur.
- Unauthorized access to sensitive or critical data may occur.
- Data integrity may not be maintained.

Activity: Backup and Recovery

8.D.1.1 [Backup | D P A]
  All systems are backed up. Backup media must be retained according to the local or corporate data retention policy or any applicable legal requirements.
  Test procedure:
    1) Obtain copies of backup policies and procedures.
    2) Observe that backups are configured for the system.
    3) Determine if the backups were retained according to policy.

8.D.1.2 [Backup | M D A]
  Scheduled backup jobs are monitored for failures; failures are resolved and remediated prior to the next full backup. Documentation of actions taken is retained.
  Test procedure:
    1) Obtain copies of backup policies and procedures.
    2) Observe that backups are monitored.
    3) Determine if the appropriate action was taken for any failures.

8.D.1.3 [Backup | Q D M]
  A sample of backup media is tested periodically and at a minimum on a quarterly basis to ensure the viability of the data should restoration be required. If the test is unsuccessful, a remediation plan must be documented and implemented in a timely manner, and the test re-performed if necessary.
  Test procedure:
    1) Select a sample of backup media.
    2) Determine if the media was tested.
    3) Determine if any issues were resolved.

8.D.1.4 [Backup | M P M]
  All system backup media is stored in a separate secure location. Access to the stored backup media is restricted to only authorized personnel.
  Test procedure:
    1) Select a sample of backup media.
    2) Determine if the media is stored in a separate and secure location.
    3) Obtain a list of personnel with access to the media.
    4) Determine if the access is appropriate.

8.D.1.5 [IT Operations Lead | A P M]
  The IT Disaster Recovery Plan must be tested periodically and at a minimum on an annual basis. Results of the test must be communicated to the appropriate level of management. If the test is unsuccessful, a remediation plan must be documented and implemented in a timely manner, and the test re-performed if necessary.
  Test procedure:
    1) Obtain a copy of the IT disaster recovery plan.
    2) Determine if the plan is tested annually, and if the results are communicated to the appropriate stakeholders.
    3) Determine if remediation plans have been enacted for unsuccessful tests.

8.D.2 - Objective: Only authorized programs are executed and deviations from scheduled processing are identified and investigated, including controls over job scheduling, processing, error monitoring and system availability.
Objective Risk Statement(s):
- Financial data loss may occur.
- Unauthorized access to sensitive or critical data may occur.
- Data integrity may not be maintained.

Activity: Job and Batch Scheduling

8.D.2.1 [X P A]
  Access to create, modify and delete batch jobs within AES applications and batch management programs is restricted to only authorized users.
  Test procedure:
    1) Obtain a system-generated listing of accounts with access to the job scheduler.
    2) For a sample of accounts based on risk, determine if the user's access is commensurate with job responsibilities.
    3) Determine if the user's access was approved by the level of management responsible for approving access.

8.D.2.2 [System | W P M]
  Critical scheduled jobs and batch activities are monitored for errors; errors are resolved in accordance with the system run book.
  Test procedure:
    1) Obtain copies of batch job policies and procedures.
    2) Observe that batch jobs are monitored.
    3) Determine if the appropriate action was taken for any errors.

8.D.3 - Objective: Technology problems and / or incidents are properly recorded, responded to, resolved or investigated for proper resolution.
Objective Risk Statement(s):
- Managing problems and incidents addresses how an organization identifies, documents and responds to events that fall outside of normal operations.

Activity: Incident Management

8.D.3.1 [IT Service Desk Lead | X P A]
  A technology service request, incident and problem management system is used to ensure that operational events that are not part of standard operations (incidents, problems and errors) are recorded, analyzed and resolved in a timely manner.
  Test procedure:
    1) Determine if a technology service request, incident and problem management system is used to ensure that operational events that are not part of standard operations (incidents, problems and errors) are recorded, analyzed and resolved in a timely manner.

8.D.3.2 [IT Service Desk Lead | X P M / A]
  Technology service requests, incidents and problems detected are addressed and responded to in a timely manner.
  Test procedure:
    1) Select a sample of service requests or incidents.
    2) Determine if the requests were responded to in a timely manner, according to corporate policy.

8.D.3.3 [IT Service Desk Lead | A D M]
  Service Level Objectives and Key Performance Indicators are defined to monitor critical IT services. Service Level Objectives and Key Performance Indicators are reviewed periodically and at a minimum on an annual basis by the appropriate level of management. Any under-performing services found are addressed in a timely manner.
  Test procedure:
    1) Obtain and test evidence that service levels are being actively managed in accordance with service level agreements.
PROGRAM DEVELOPMENT

8.E.1 - Objective: New applications, systems and infrastructure components are acquired or developed to effectively support business requirements and are appropriately tested and validated prior to being placed into production.

Objective Risk Statement(s):
- IT Projects, plans & budgets may not be in alignment with AES Business objectives, and may not be approved.
- The IT Organization may not meet the business objectives causing potential lost revenue or business opportunities.

Acquire and Maintain Systems

| # | Control ID | Activity Description | Control Owner | Key SOX Control | Prev. / Det. | Aut. / Man. | Test Steps |
|---|---|---|---|---|---|---|---|
| 59 | 8.E.1.1 | Business owners participate in, and approve, the selection and design of business applications to ensure they meet business requirements. Approval of the development requirements for each new project must be documented by IT management and business stakeholders prior to the initiation of a new project. | Project Manager | X | P | M | 1) Select a sample of projects from the current year. 2) Obtain a list of the appropriate project approvers. 3) Determine if the project was approved before the project was initiated. 4) Determine if the project was reviewed to ensure that it was in line with business strategy. |
| 60 | 8.E.1.2 | The IT Steering Committee periodically reviews significant and / or critical proposed and on-going IT projects to ensure alignment with AES' strategic business goals and requirements as well as the utilization of approved technologies. | IT Leader | Q | P | M | 1) Select a sample of projects from the current year. 2) Determine if the project was approved by the Steering Committee. 3) Determine if the project was reviewed to ensure that it was in line with business strategy. |
| 61 | 8.E.1.3 | For system implementation and upgrade activities, a risk assessment should be performed to determine the extent of IT controls that are required and the level of documentation appropriate; a review of the existing and planned system controls should be performed. | Project Manager / Internal Audit | X | D | M | 1) Select a sample of financially significant projects deployed in the current year. 2) Determine if controls were considered in the design and deployment of the sampled system(s). 3) Obtain evidence that controls were tested prior to implementation. |
| 62 | 8.E.1.4 | Based on the risk to AES, perform independent pre/post-implementation reviews to verify that controls are operating effectively. Interfaces with other systems, data migration / data conversions, system configuration, and segregation of duties for both end-users and administrators may be tested to confirm that the new implementation supports the existing IT controls environment. Results are documented and are reviewed by the appropriate level of management. Remediation plans / management responses are documented for all identified control weaknesses. | Internal Audit | X | D | M | 1) Determine if post-implementation reviews are performed on new systems and significant changes reported. 2) Examine post-implementation reviews over in-scope systems for reasonableness. |
| 63 | 8.E.1.5 | Based on the implementation's risk to AES, test strategies are developed, documented and executed for critical systems being developed or acquired in accordance with the IT Program Development Document. Test strategies address at a minimum: system performance, end-user acceptance testing and data integrity, such that deployed systems operate as intended. | Project Manager | X | D | M / A | 1) Select a sample of projects from the current year. 2) For the sampled projects, determine if the projects followed the documented project strategy and plan. 3) Determine if the project strategy addressed at a minimum system performance, end-user acceptance testing and data integrity so that deployed systems operate as intended. |
| 64 | 8.E.1.6 | System support and any required user documentation is created for all newly developed or acquired business critical applications and systems. Documentation is communicated to IT support personnel and other relevant IT and business stakeholders. | Project Manager | X | P | M | 1) Select a sample of critical projects. 2) Determine if user reference and support manuals, systems documentation and operations documentation were prepared. |
| 65 | 8.E.1.7 | Appropriate end user training should be performed for new systems and upgrades. | | | | | 1) Select a sample of critical projects. 2) Determine if training was performed for each selected project and if training was appropriate based on the complexity and scope of the project. |
| 66 | 8.E.1.8 | Prior to final go-live of any new critical systems or projects, approval for that go-live must be obtained and documented by both appropriate IT management and the Business application owner (or business stakeholder). | Project Manager | X | D | M / A | 1) Select a sample of projects from the current year. 2) Obtain a list of the appropriate project approvers. 3) Determine if the project was approved before the go-live date. |

AES Corporation - Proprietary 9 of 9