- Managing configuration controls on systems and applications
- Managing system and application security – including authentication, user provisioning, system accreditation
- Managing business continuity plans and measures
User Account Management
Management should establish procedures to ensure timely action on requesting, establishing, issuing, suspending and closing user accounts. These procedures should include a formal approval step in which the data or system owner grants the access privileges. The security of third-party access should be defined contractually and should address administration and non-disclosure requirements. Outsourcing arrangements should address the risks, security controls and procedures for information systems and networks in the contract between the parties.
5.5 Management Review of User Accounts
Management should have a control process in place to review and confirm access rights periodically. Periodic comparison of resources with recorded accountability should be made to help reduce the risk of errors, fraud, misuse or unauthorized alteration.
Procedures should be in place to ensure that only authorized and identifiable configuration items are recorded in inventory upon acquisition. These procedures should also provide for the authorized disposal and consequential sale of configuration items. Moreover, procedures should be in place to keep track of changes to the configuration (e.g., new item, status change from development to prototype). Logging and control should be an integrated part of the configuration recording system including reviews of changed records.
Configuration Management Procedures
Configuration management procedures should be established to ensure that critical components of the organization's IT resources have been appropriately identified and are maintained. There should be an integrated process whereby current and future processing demands are measured and provide input to the IT resource acquisitions process.
Step 1: Understanding compliance -- Financial and technical standards
Step 2: Scope of compliance
Step 3: Establishing an IT Control Framework
Step 4: Detailed objectives and policies
Step 5: Measuring compliance
Step 6: Managing and tracking compliance
Step 7: The changing nature of compliance
This was first published in February 2006