COSO Volume III Guidance on Monitoring: Application Techniques


COSO Guidance on Monitoring, June 2008, page 64

IT Control Type: Data Redundancy

Risk(s) Addressed:
• Data Integrity
• Information Processing

Control Description: Technology and processing controls, including data mirroring and disk or tape backups, designed to ensure that data is not lost due to operational or processing failures.

Information Used in Monitoring:
• Reports from backup tools, confirming that all relevant data files and programs are backed up
• Comparisons of mirrored data, showing that the copies are equivalent (usually performed automatically as part of the system’s mirroring process)
• Results of periodic data recovery tests

Implementation of IT Controls Monitoring

6. IT controls typically are monitored through a combination of ongoing monitoring and separate evaluations. Many IT departments already run processes whose outputs can give management information about the effectiveness of certain controls. To the extent that those processes work effectively, management may be able to reduce or streamline the monitoring work performed through separate evaluations. Some of these processes provide “direct” information about control effectiveness; others provide only “indirect” information, at a much higher level or on a composite (rather than specific-control) basis.

Monitoring Procedure: Access Recertification

Information Type: Direct

Controls Addressed:
• Limited Access to Application Program Source Code
• Application Security
• Data Security & Change Control
• Limited Access to Production
• Job Scheduling & Management

Description: Security access recertification is a process through which, at a given point in time, the existing access rights to an IT resource (e.g., an application program or an infrastructure component) are provided to the person responsible for that resource. That person compares the existing access information to his or her expectations and identifies potential exceptions, which are investigated and addressed as required. Because this process occurs outside the normal process for adding and changing user access rights, it can serve as a method of monitoring the effectiveness of the security administration process (whereby
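The comparison step in the recertification described above, as an added worked example (this is not code from the COSO guidance or from any vendor tool): the access currently granted on a resource is diffed against the owner's expected list, and every disagreement is reported as an exception for the owner to resolve before signing off. The export layout (user, entitlement, last_login), the sample records, and the 90-day dormancy threshold are constructed assumptions.

```python
"""Access recertification as a detective check: diff the access actually
granted on a resource against what its owner expects, and list exceptions.

Added example; not from the COSO guidance. The export layout (user,
entitlement, last_login) and the sample records below are constructed.
"""
from datetime import date

# Constructed sample: access currently granted on an application, as an
# export from the security administration tool might look.
CURRENT_ACCESS = [
    {"user": "alice",     "entitlement": "GL_POST",   "last_login": "2008-05-30"},
    {"user": "bob",       "entitlement": "GL_VIEW",   "last_login": "2008-01-10"},
    {"user": "carol",     "entitlement": "GL_ADMIN",  "last_login": "2007-11-02"},
    {"user": "dave",      "entitlement": "GL_POST",   "last_login": "2008-06-01"},
    {"user": "svc_batch", "entitlement": "JOB_SCHED", "last_login": "2008-06-02"},
]

# Constructed sample: the (user, entitlement) pairs the application owner
# says should exist. This list is kept outside the provisioning process,
# which is what lets the comparison act as an independent check on it.
EXPECTED_ACCESS = {
    ("alice", "GL_POST"),
    ("bob", "GL_VIEW"),
    ("erin", "GL_VIEW"),
    ("svc_batch", "JOB_SCHED"),
}


def recertify(current, expected, as_of, dormant_days=90):
    """Return the exceptions the owner must resolve before signing off.

    unexpected: granted but not on the owner's list (excess access; revoke,
                or have the owner justify it and add it to the list)
    missing:    on the owner's list but not granted (a provisioning failure
                or a stale expectation; either way list and reality disagree)
    dormant:    granted and expected, but unused for more than dormant_days
                (access that is probably no longer needed)
    Entries already reported as unexpected are not repeated under dormant.
    """
    cutoff = date.fromisoformat(as_of)
    granted = {(r["user"], r["entitlement"]) for r in current}
    unexpected = sorted(granted - expected)
    missing = sorted(expected - granted)
    dormant = sorted({
        (r["user"], r["entitlement"])
        for r in current
        if (r["user"], r["entitlement"]) in expected
        and (cutoff - date.fromisoformat(r["last_login"])).days > dormant_days
    })
    return {"unexpected": unexpected, "missing": missing, "dormant": dormant}


def is_clean(result):
    """True only when the owner has nothing to investigate."""
    return not any(result.values())


def report(result):
    """Plain-text summary suitable for attaching to the owner's sign-off."""
    lines = []
    for kind in ("unexpected", "missing", "dormant"):
        for user, entitlement in result[kind]:
            lines.append(f"{kind.upper():10} {user:12} {entitlement}")
    return "\n".join(lines) if lines else "no exceptions"


if __name__ == "__main__":
    outcome = recertify(CURRENT_ACCESS, EXPECTED_ACCESS, as_of="2008-06-15")
    print(report(outcome))
    print("clean" if is_clean(outcome) else "exceptions require follow-up")
```

Two design points matter for the check to be meaningful: the expected list must come from the resource owner, not from the provisioning system being monitored (otherwise the comparison only proves the system agrees with itself), and the "missing" category is reported rather than silently ignored, because an expectation that no longer matches reality is itself evidence that the administration process and the owner's view have drifted apart.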

