If the enterprise does not have procedures for granting or denying access to systems, the
result is that users may hold rights they do not need and may perform unauthorised
activities on the systems.
g) On what basis do you grant user rights on an enterprise business system?
The basis for granting user rights is normally the user's job role or job description. Additional
rights might be granted to users who have extra responsibilities. If an enterprise uses a different
method, it may face serious challenges, as users might be given rights they do not need.
Evidence of what user rights have been allocated to various users can be checked by extracting
user rights data from operating and application systems. The IS auditor may review the data
by comparing the user rights extracted from the systems with job descriptions.
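The comparison just described (rights extracted from the systems against rights justified by the job description, plus any formally approved extra responsibilities) is mechanical enough to script. The following Python is an added illustration and is not from the book or from any audit tool it mentions; the CSV export layout, the role-entitlement matrix and the HR records are all constructed sample data, and the assumption is that the enterprise documents which rights each job role needs.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample: rights extracted from the operating and application systems,
# in a "user,system,right" export format (assumed layout, not a real tool's output).
RIGHTS_EXPORT = """user,system,right
asmith,erp,invoice.create
asmith,erp,invoice.view
asmith,erp,invoice.approve
bjones,erp,invoice.create
bjones,erp,invoice.view
bjones,erp,invoice.approve
cwu,db,admin
cwu,erp,invoice.view
dlee,erp,invoice.create
dlee,erp,invoice.view
dlee,erp,invoice.approve
ghost,db,admin
"""

# Constructed sample: rights that management has approved for each job role.
ROLE_ENTITLEMENTS = {
    "accounts_payable_clerk": {"erp:invoice.create", "erp:invoice.view"},
    "accounts_payable_supervisor": {"erp:invoice.create", "erp:invoice.view", "erp:invoice.approve"},
    "dba": {"db:admin", "erp:invoice.view"},
}

# Constructed sample: HR job descriptions, user -> (job role, formally approved extra rights).
HR_RECORDS = {
    "asmith": ("accounts_payable_clerk", set()),
    "bjones": ("accounts_payable_supervisor", set()),
    "cwu": ("dba", set()),
    "dlee": ("accounts_payable_clerk", {"erp:invoice.approve"}),  # extra responsibility on file
}


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    rights: frozenset


def parse_rights_export(text):
    """Turn the CSV export into user -> set of 'system:right' strings."""
    held = {}
    for row in csv.DictReader(io.StringIO(text)):
        held.setdefault(row["user"], set()).add(f"{row['system']}:{row['right']}")
    return held


def review_user_rights(extracted, hr_records, role_entitlements):
    """Compare rights actually held with rights justified by the job description.

    Produces one finding per user who either has no job description on file
    (so no right can be justified) or holds rights beyond role plus approved extras.
    """
    findings = []
    for user, held in sorted(extracted.items()):
        if user not in hr_records:
            findings.append(Finding(user, "no job description on file", frozenset(held)))
            continue
        role, extra = hr_records[user]
        justified = role_entitlements.get(role, set()) | extra
        excess = held - justified
        if excess:
            findings.append(Finding(user, f"rights beyond job role '{role}'", frozenset(excess)))
    return findings


def run_review():
    return review_user_rights(parse_rights_export(RIGHTS_EXPORT), HR_RECORDS, ROLE_ENTITLEMENTS)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.user}: {f.issue}: {sorted(f.rights)}")
```

In the sample data the clerk asmith can both create and approve invoices, which the job description does not justify, while dlee holds the same right under a documented extra responsibility and is not reported; the account ghost has rights but no job description at all. The findings, together with the export and the HR extract they were derived from, are the evidence the auditor would retain for this question.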
h) What procedures has the enterprise put in place to ensure that data is recovered in the event of a disaster?
IT management might point to having implemented a disaster recovery plan as evidence
that they can recover data in the event of a disaster. Enterprises should not only demonstrate
that they have a plan but also that the plan they have implemented is effective. Regular
testing of the plan is recommended to confirm that data or systems can actually be recovered
in the event of an incident.
The disaster recovery plan should reflect the requirements of the information security
policy of the enterprise, and the IS auditor should review the document in order to ensure
that the plan is consistent with the policy. There are various standards which can be used to
implement a disaster recovery plan, such as ISO 24762.
Evidence the IS auditor could collect to verify the response from management includes the
disaster recovery plan, test results of the plan, and the information security policy.
i) How has the enterprise ensured that the data centre is protected from unauthorised access?
Access to the data centre should only be for authorised persons. Authorised persons are
those who have been formally authorised by management. Other persons can be authorised
on a need basis, such as maintenance staff.
There are many ways of controlling access to the data centre, such as lock and key,
physical security staff, keypad (number) locking systems, and biometric systems. Each system
has its own merits and demerits.
Where the enterprise does not control access to the data centre, the IS auditor should report
this to management, as it is a high-risk situation. Without access controls, the enterprise is
unlikely to have proper records of which persons have entered the data centre.