The IS auditor should assess how effective the enterprise's data protection policies are by reviewing statistics on policy violations and by interviewing management about how the policies are applied in practice. The IS auditor should also obtain a copy of the policy as evidence that it exists.
A related and important requirement is personal privacy legislation, which many countries have enacted. Enterprises are required to ensure that personal information is used only for the purposes for which it was collected, unless they have specific authorisation from their customers to use it otherwise.
f) Has the database been security hardened?
A database system is normally installed with its default settings: many services are enabled even when they are not required, and a number of security features are disabled. To harden the database, administrators must disable every service and port the enterprise does not need and enable the security features that are required (for example, encrypted client connections and audit logging), so that the running configuration matches the enterprise's documented security standard rather than the vendor's defaults.
The IS auditor will be required to review the security implementation of the database and any supporting documentation. The review should include a walk-through of the live database system to verify every security setting, because the documentation alone does not show what is actually configured; a setting that is missing from the configuration is as important a finding as one that is wrong, since the server then silently falls back to its default.
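The walk-through described above can be partly automated by comparing the server's configuration file with the enterprise's hardening baseline. The following is an added example, not code from the book or from any database vendor: it parses a PostgreSQL-style `key = value` configuration file and reports every parameter that is either set to a weak value or not set at all. The parameter names are real PostgreSQL parameters; the required values form this example's own baseline and the two configuration files are constructed, so both should be replaced by the enterprise's documented standard and the real file taken from the server.

```python
"""Audit a database configuration file against a hardening baseline.

Added example for the section on database hardening; it is not code from
the book or from any database vendor. It assumes a PostgreSQL-style
``key = value`` configuration file. The parameter names are real
PostgreSQL parameters; the required values are this example's own
baseline and should be replaced by the enterprise's documented standard.
"""
import re
from typing import Callable, Dict, List, Tuple

# parameter -> (check on the normalised value, requirement the auditor reports).
BASELINE: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "listen_addresses": (lambda v: v != "*", "must not listen on all interfaces"),
    "ssl": (lambda v: v == "on", "TLS for client connections must be enabled"),
    "password_encryption": (lambda v: v == "scram-sha-256", "must hash passwords with SCRAM, not md5"),
    "log_connections": (lambda v: v == "on", "connection logging must be enabled"),
    "log_disconnections": (lambda v: v == "on", "disconnection logging must be enabled"),
    "log_statement": (lambda v: v in {"ddl", "mod", "all"}, "schema and data changes must be logged"),
}

_ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(.*?)\s*$")


def parse_config(text: str) -> Dict[str, str]:
    """Return the effective settings from ``key = value`` lines.

    Everything after '#' is a comment, so a commented-out line such as
    ``#ssl = on`` is ignored exactly as the server ignores it. Quotes are
    stripped and values are lower-cased; if a key appears twice, the last
    assignment wins, which is how PostgreSQL reads its file.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        match = _ASSIGNMENT.match(line)
        if match:
            key, value = match.group(1), match.group(2).strip("'\"").lower()
            settings[key] = value
    return settings


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (parameter, observed value, requirement) for each violation.

    A baseline parameter that is absent from the file is reported too:
    the server then silently uses its built-in default, which the
    walk-through must not assume is the secure value.
    """
    settings = parse_config(text)
    findings = []
    for param, (is_ok, requirement) in BASELINE.items():
        observed = settings.get(param)
        if observed is None:
            findings.append((param, "not set (server default applies)", requirement))
        elif not is_ok(observed):
            findings.append((param, observed, requirement))
    return findings


# Constructed sample files, not copied from any real server.
DEFAULT_CONF = """\
listen_addresses = '*'        # accept connections on every interface
port = 5432
#ssl = on                     # commented out, so TLS stays at the default
password_encryption = md5
log_connections = off
"""

HARDENED_CONF = """\
listen_addresses = 'localhost'
port = 5432
ssl = on
password_encryption = 'scram-sha-256'
log_connections = on
log_disconnections = on
log_statement = 'ddl'
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(audit(conf))} finding(s)")
        for param, observed, requirement in audit(conf):
            print(f"  {param} = {observed}: {requirement}")
```

Run against the constructed default file the audit reports six findings (one per baseline parameter), three of them for parameters that are simply absent; against the hardened file it reports none. The same approach works for any server whose configuration is a text file, but the auditor should still confirm on the live system that the file being audited is the one the server actually loaded.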
Application System Integration Controls
Most enterprises do business with many suppliers and customers, and because so many business processes are now automated, they find that they need to integrate their IT systems with those of their business partners to improve efficiency and the processing of transactions.
Integrating IT systems requires implementing controls that ensure data passing from one system to the other is protected, valid, and consistent. Integration between systems running on different IT infrastructures can be very challenging to implement.
a) How does the ERP system connect to external application systems?
Most application systems implemented in enterprises are required to send output to, or receive input from, external systems operated by suppliers or customers. In this case the integration could be enabled by middleware that sits between the two systems.
Both enterprises should have documented integration controls covering access controls, VPN connections, connection protocols, and data transfer procedures.
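The three properties the integration controls above must provide (data that is protected, valid, and consistent) can be shown concretely at the point where the receiving system accepts a partner message. The following is an added example, not code from the book or from any ERP or middleware product: it assumes a hypothetical exchange in which a supplier's system sends JSON purchase-order messages through the middleware, each carrying an HMAC-SHA256 signature computed with a per-partner shared secret. The secret, the message layout and the sample order are all constructed for the example; the VPN and transport protocol the text also calls for sit below this layer and are not shown.

```python
"""Inbound integration gateway: authenticity, validity and consistency checks.

Added example for the integration-controls section; it is not code from
the book or from any ERP or middleware product. It assumes a hypothetical
partner exchange in which the supplier's system sends JSON purchase-order
messages through the middleware, each carrying an HMAC-SHA256 signature
computed with a per-partner shared secret. The secret and the message
layout below are constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, Set, Tuple

# Constructed per-partner secret. In production it would come from a
# secrets store and be rotated under the documented access controls.
PARTNER_SECRET = b"constructed-shared-secret-for-the-example"

# Fields every purchase-order message must carry, with their expected types.
REQUIRED_FIELDS: Dict[str, type] = {
    "message_id": str,
    "po_number": str,
    "amount": float,
    "currency": str,
}


def canonical(payload: Dict[str, Any]) -> bytes:
    """Serialise deterministically so both sides sign identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: Dict[str, Any], secret: bytes = PARTNER_SECRET) -> str:
    """What the sending side attaches to the message (or the middleware on its behalf)."""
    return hmac.new(secret, canonical(payload), hashlib.sha256).hexdigest()


class InboundGateway:
    """Accepts partner messages only if they are authentic, well-formed and new."""

    def __init__(self, secret: bytes = PARTNER_SECRET) -> None:
        self._secret = secret
        self._seen: Set[str] = set()  # message_ids already posted to the ERP

    def accept(self, payload: Dict[str, Any], signature: str) -> Tuple[bool, str]:
        # 1. Protected: the message must carry a valid MAC before anything
        #    else is inspected; compare_digest avoids a timing side channel.
        if not hmac.compare_digest(sign(payload, self._secret), signature):
            return False, "rejected: signature does not match"

        # 2. Valid: required fields present with the expected types and ranges.
        for field, expected in REQUIRED_FIELDS.items():
            value = payload.get(field)
            if value is None:
                return False, f"rejected: missing field {field}"
            if expected is float:
                ok = isinstance(value, (int, float)) and not isinstance(value, bool)
            else:
                ok = isinstance(value, expected)
            if not ok:
                return False, f"rejected: field {field} has wrong type"
        if payload["amount"] <= 0:
            return False, "rejected: amount must be positive"
        if len(payload["currency"]) != 3 or not payload["currency"].isalpha():
            return False, "rejected: currency must be a 3-letter code"

        # 3. Consistent: a retransmitted or replayed message must not be
        #    posted twice. The id is recorded only after validation, so a
        #    rejected message does not block a corrected resend under the same id.
        if payload["message_id"] in self._seen:
            return False, "rejected: duplicate message_id"
        self._seen.add(payload["message_id"])
        return True, "accepted"


# Constructed sample message as the supplier's system would send it.
SAMPLE_ORDER = {"message_id": "msg-0001", "po_number": "PO-4711",
                "amount": 1250.50, "currency": "EUR"}

if __name__ == "__main__":
    gateway = InboundGateway()
    sig = sign(SAMPLE_ORDER)
    print(gateway.accept(SAMPLE_ORDER, sig))            # accepted
    print(gateway.accept(SAMPLE_ORDER, sig))            # duplicate message_id
    print(gateway.accept(dict(SAMPLE_ORDER, amount=12.50), sig))  # signature mismatch
```

The order of the checks is deliberate: the signature is verified before any field is parsed, so a forged or tampered message is rejected without reaching the validation logic, and the duplicate check runs last so that only messages the ERP actually posted are remembered. For an auditor, the evidence to ask for is the documented equivalent of each of the three steps on both sides of the interface, together with the logs showing rejected messages.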