- 30. A B C D
When leaving the terminal for more than a short while, the user shall log off the terminal or set it in a standby position from which a new log-on is required.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 31. - - C D
To support the users, the following function should be installed where possible: after a certain period (20-30 minutes) with no activity at the terminal, it should automatically be set in a standby position or be shut off. Further use of the terminal should require a new sign-on procedure.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- F Are inactive user profiles (users that have not logged in for at least 90 or 120 days) automatically revoked? _____ After how long? _____
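As an added illustration of item F (not part of the original checklist), the following Python script shows how such an automatic revocation can be implemented against a constructed list of accounts: an account that has never logged in is measured from its creation date, so a forgotten new account still expires, and explicitly exempted accounts are reported but left for manual review rather than disabled. The account list, the dates and the `exempt` flag are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    name: str
    created: date
    last_login: Optional[date]   # None: the account has never been used
    exempt: bool = False         # assumed flag, e.g. an emergency account reviewed by hand
    disabled: bool = False
    note: str = ""


def idle_days(acct: Account, as_of: date) -> int:
    """Days since the last successful login. An account that has never logged in
    is measured from its creation date, so a forgotten new account still expires."""
    last = acct.last_login if acct.last_login is not None else acct.created
    return (as_of - last).days


def find_inactive(accounts: List[Account], as_of: date,
                  max_idle_days: int = 90) -> List[Tuple[str, int]]:
    """Report every account idle longer than the threshold, exempt ones included
    so the reviewer still sees them, as (name, idle_days) pairs."""
    return [(a.name, idle_days(a, as_of))
            for a in accounts if idle_days(a, as_of) > max_idle_days]


def revoke_inactive(accounts: List[Account], as_of: date,
                    max_idle_days: int = 90) -> Tuple[List[str], List[str]]:
    """Disable inactive, non-exempt accounts in place and record why.
    Returns (names disabled now, exempt names skipped for manual review)."""
    disabled, skipped = [], []
    for a in accounts:
        days = idle_days(a, as_of)
        if a.disabled or days <= max_idle_days:
            continue
        if a.exempt:
            skipped.append(a.name)
            continue
        a.disabled = True
        a.note = f"auto-revoked {as_of.isoformat()}: idle {days} days (limit {max_idle_days})"
        disabled.append(a.name)
    return disabled, skipped


def sample_accounts() -> List[Account]:
    """Constructed sample data for this example; not taken from any real system."""
    return [
        Account("alice", date(2023, 3, 1), date(2024, 6, 1)),
        Account("bob", date(2023, 3, 1), date(2024, 1, 15)),
        Account("carol", date(2024, 2, 1), None),                               # created, never used
        Account("svc_backup", date(2022, 9, 9), date(2023, 11, 2), exempt=True),
    ]


if __name__ == "__main__":
    accounts = sample_accounts()
    today = date(2024, 7, 1)
    for name, days in find_inactive(accounts, today, 90):
        print(f"inactive: {name} ({days} days)")
    disabled, skipped = revoke_inactive(accounts, today, 90)
    print("disabled:", disabled, "skipped (exempt):", skipped)
```

The threshold is passed in so the same routine can run at 90 or 120 days as the question allows; the note written to the account gives the reviewer of the next item the evidence trail.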
- G Is the system log or other report reviewed for security violations or other potential problems with the system? _____ If so, describe the review procedures, including the frequency of review, who does the review, and if the review is documented.
__________________________________________________________
__________________________________________________________
- H Are programmers restricted from accessing company data on an update or control basis? _________________________________
- 34. - B C D
For file transfer data communication, available password functions shall be used.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 35. A B C D
For interactive data communication, the security measures in items 20-32 shall apply.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 36. A B C D
The use of encryption should be decided jointly by the personnel responsible for security at the sending and the receiving companies. Their feasibility study shall include the sensitivity of the data, the risks, and the costs. Before deciding on encryption, corporate approval must be obtained.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 37. A B C D
For synchronous communication, the identities shall be unique.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 38. A B C D
Dial-up asynchronous communication, and X.21 and X.25 connections, must be specially secured against unauthorized access. The following methods may be used:
- 1 Callback, so that the final connection is always established from the minicomputer or the mainframe (not from the PC).
- 2 Dynamic passwords, changed each time the connection is used (this requires special hardware).
- 3 Encryption. Before deciding on encryption, corporate approval must be obtained.
A simple password as the only security measure for direct access to data is not acceptable.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
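As an added example that is not part of the checklist, the Python below shows the principle behind method 2 of item 38 using HOTP (RFC 4226), a counter-based one-time password scheme that postdates this checklist and stands in here for whatever the special hardware of the time produced: token and host share a secret and a counter, every password is valid exactly once, and the host moves its counter past any accepted value so a password captured on the line cannot be replayed. The secret is the published RFC 4226 test vector, not a production key, and the `look_ahead` window is an assumption of this example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, reduced modulo 10**digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The caller's side: the counter advances every time a password is produced,
    so the same password is never generated twice."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_password(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Host:
    """The host's side: a password is accepted only if it matches one of the next
    look_ahead + 1 counter values (assumed window), and the host then moves past it,
    so a captured password cannot be replayed and a few lost passwords (dropped
    line, mistyped code) do not lock the user out."""
    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0           # next counter value expected
        self.look_ahead = look_ahead

    def verify(self, password: str) -> bool:
        if not password.isdigit():
            return False
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), password):
                self.counter = c + 1   # resynchronise; c and everything before it are now dead
                return True
        return False


# Shared secret from the RFC 4226 test vectors (ASCII "12345678901234567890");
# a real deployment provisions a random secret into the token hardware instead.
TEST_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    token, host = Token(TEST_SECRET), Host(TEST_SECRET)
    first = token.next_password()
    print("first password", first, "accepted:", host.verify(first))   # True
    print("replay accepted:", host.verify(first))                       # False
    token.next_password()                                               # lost on the line
    print("accepted after a skipped password:", host.verify(token.next_password()))
```

The contrast with the last sentence of item 38 is the point: a static password is the same secret every call and is as good as the line it travels over, whereas here the line may be tapped freely and the attacker still learns nothing usable for the next call.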
IT ADMINISTRATION
- 40. - B C D
Investigations have shown that the risk of loss from fraud and sabotage is as great as that from fire and water damage. In light of this, the backgrounds of those to be employed in sensitive positions should be carefully checked.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 41. A B C D
The employment agreement for IT personnel should include a paragraph stating that "Programs made in working hours, or otherwise made for the employer, are the property of the employer and cannot be sold or given away without written permission from the employer."
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- I Are you expecting any significant changes to hardware or software that have not been covered by other questions? ____
Please describe below:
__________________________________________________________
__________________________________________________________
- J Do you have a written standards manual, or other document describing the normal practices for departmental employees to follow? _____ If so, please attach a copy (if small) or else just the table of contents.
- K Are continuing education seminars a condition of continued employment for data processing personnel? _____ If so, what is the annual minimum? _____ And is this information recorded anywhere?
__________________________________________________________
__________________________________________________________
- L Is departmental chargeback (or other allocation of data processing costs) done? ________ If so, what is the basis for the charges? And, is there a separate calculation for usage and development?
__________________________________________________________
__________________________________________________________
- N Do you have a written short- or long-range plan for data processing activities? ____ If so, please attach a copy.
- O Is there a management steering committee that oversees data processing projects and priorities? _____ If so, how often does the committee meet? _________________
AUTOMATED APPLICATION SYSTEMS
- 48. - B C D
Before taking a new system or a new version into production, a thorough test shall be carried out. This also applies to program alterations. Both the EDP function and users should participate in system testing.
YES _____ NO _____ N/A _____
__________________________________________________________
- 49. - - C D
A test system or a test company should be installed, so that tests and education will not affect the production environment.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 50. A B C D
Methods shall be applied to ensure that all authorized input, and nothing else, is entered into the system. Such methods include automatic checking of batch totals or serial numbers, and dual entry, where two clerks key the same input separately and the two input files are compared.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
- 51. A B C D
Quality checks on data entry shall be used, such as check digits, format and reasonableness checks, combination controls, matching checks, and hash and batch totals.
YES _____ NO _____ N/A _____
__________________________________________________________
__________________________________________________________
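To show items 50 and 51 concretely, the Python below (an added example, not from the checklist) validates a constructed batch against the control totals a clerk would compute from the source documents before keying: format and mod-10 (Luhn) check-digit checks on the account numbers, a reasonableness limit on amounts, serial-number sequence, record count, batch total and hash total, and finally the comparison of two clerks' independently keyed files. Luhn is used as a representative check-digit scheme; the 8-digit account format, the amount limit and the sample records are assumptions of this example.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits. Doubling every second digit
    from the right catches any single wrong digit and most adjacent transpositions."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # digits adjacent to the (future) check digit are doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


@dataclass(frozen=True)
class Record:
    seq: int          # serial number of the record within the batch
    account: str      # assumed format: 8 digits, the last one a check digit
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    """Control totals computed by hand from the source documents before keying."""
    count: int
    batch_total: Decimal   # sum of the amounts
    hash_total: int        # sum of the account numbers: meaningless as a number, useful as a control


@dataclass(frozen=True)
class Finding:
    seq: Optional[int]     # None for batch-level findings
    code: str
    detail: str


def validate_batch(header: BatchHeader, records: List[Record],
                   max_amount: Decimal = Decimal("100000.00")) -> List[Finding]:
    findings = []
    for r in records:
        if not (r.account.isdigit() and len(r.account) == 8):
            findings.append(Finding(r.seq, "FORMAT", f"account {r.account!r} is not 8 digits"))
        elif not luhn_valid(r.account):
            findings.append(Finding(r.seq, "CHECK_DIGIT", f"account {r.account} fails its check digit"))
        if not (Decimal("0.01") <= r.amount <= max_amount):
            findings.append(Finding(r.seq, "REASONABLENESS", f"amount {r.amount} outside 0.01..{max_amount}"))
    seqs = [r.seq for r in records]
    if seqs != list(range(1, len(records) + 1)):
        findings.append(Finding(None, "SEQUENCE", f"serial numbers are not 1..{len(records)}: {seqs}"))
    if len(records) != header.count:
        findings.append(Finding(None, "RECORD_COUNT", f"{len(records)} keyed, header says {header.count}"))
    total = sum((r.amount for r in records), Decimal("0"))
    if total != header.batch_total:
        findings.append(Finding(None, "BATCH_TOTAL", f"keyed {total}, header says {header.batch_total}"))
    hash_total = sum(int(r.account) for r in records if r.account.isdigit())
    if hash_total != header.hash_total:
        findings.append(Finding(None, "HASH_TOTAL", f"keyed {hash_total}, header says {header.hash_total}"))
    return findings


def compare_dual_entry(first: List[Record], second: List[Record]) -> List[int]:
    """Serial numbers at which two clerks' independent keyings of the same batch disagree."""
    a = {r.seq: r for r in first}
    b = {r.seq: r for r in second}
    return sorted(s for s in set(a) | set(b) if a.get(s) != b.get(s))


def sample_batch():
    """Constructed example: the first clerk mis-keyed record 2's amount and record 3's account."""
    header = BatchHeader(count=4, batch_total=Decimal("1002725.40"), hash_total=24691384)
    first_clerk = [
        Record(1, "12345674", Decimal("150.00")),
        Record(2, "00000018", Decimal("2499.99")),      # source document says 2499.90
        Record(3, "12345670", Decimal("75.50")),        # source document says 12345674
        Record(4, "00000018", Decimal("1000000.00")),   # keyed as written, but implausibly large
    ]
    second_clerk = [
        Record(1, "12345674", Decimal("150.00")),
        Record(2, "00000018", Decimal("2499.90")),
        Record(3, "12345674", Decimal("75.50")),
        Record(4, "00000018", Decimal("1000000.00")),
    ]
    return header, first_clerk, second_clerk


if __name__ == "__main__":
    header, first, second = sample_batch()
    for f in validate_batch(header, first):
        print(f"record {f.seq}: {f.code}: {f.detail}" if f.seq else f"batch: {f.code}: {f.detail}")
    print("records where the two clerks disagree:", compare_dual_entry(first, second))
```

The controls are complementary rather than redundant: the check digit and the hash total both catch the mis-keyed account number, the batch total catches the amount slip that no per-record check can see, dual entry catches both keying errors but not the implausible amount that both clerks copied faithfully, and only the reasonableness limit flags that one.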