Universitas Gunadarma Staff Blog
Members and ISACA Certification holders shall:
? Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
? Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.
? Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
? Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
? Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence.
? Inform appropriate parties of the results of work performed; revealing all significant facts known to them.
? Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
RELATIONSHIP OF STANDARDS TO GUIDELINES AND PROCEDURES
IS Auditing Standards are mandatory requirements for certification holders’ reports on the audit and its findings. IS Auditing Guidelines and Procedures are detailed guidance on how to follow those standards. The IS Auditing Guidelines are guidance an IS Auditor will normally follow with the understanding that there may be situations where the auditor will not follow that guidance. In this case, it will be the IS Auditor’s responsibility to justify the way in which the work is done. The procedure examples show the steps performed by an IS Auditor and are more informative than IS Auditing Guidelines. The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be followed.
ISACA Code of Ethics and All table could be found here
The audit program is designed to address the primary risks of virtually all computing systems. Therefore, the objective statement and steps in the program are general by design. Obviously, computing systems can have many different applications running on them, each with its own unique set of controls. However, the controls surrounding all computing systems are very similar. The IS controls in the audit program have been grouped into four general categories:
TESTS OF ENVIRONMENTAL CONTROLS
Step 1. Assess the adequacy and effectiveness of the organization’s IS security policy. In addition, assess whether the control requirements specified in the organization’s IS security standards adequately protect the information assets of the organization. At a minimum, the standards should specify the following controls and require them to
be applicable to all information systems:
a. The maiden password should be changed after the system is installed.
b. There is a minimum password length of eight or more characters.
c. Passwords require a combination of alpha and numeric characters.
d. The password is masked on the screen as it is entered.
e. The password file is encrypted so nobody can read it.
f. There is a password expiration period of 60 days or less.
g. Three or fewer unsuccessful sign-on attempts are allowed, then the user ID is suspended.
h. User sessions are terminated after a specified period of inactivity (e.g., five minutes or less).
i. Concurrent sign-on sessions are not allowed.
j. Procedures are in place to remove user IDs of terminated users in a timely manner.
k. Users are trained not to share or divulge their passwords with other users, post them in their workstations, store them in eletronic files, or perform any other act that could divulge theirpasswords.
l. Unsuccessful sign-on attempts and other logical security-related events (e.g., adding and deleting users, resetting passwords, restarting the system) are logged by the system, and the log is reviewed regularly by system security staff.
m. Fully developed and tested backup and recovery procedures exist to help ensure uninterrupted business resumption in the event of a full or partial disaster.
n. New information systems are required to be designed to enable the aforementioned controls to be implemented by system security administrators. New systems include those developed in house, those purchased from vendors, and third-party processor systems. In the case of software vendors and third-party processors,the above control requirements should be specified as requirements in the contract.
Step 2. For service organization applications, examine the most recent report in the policies and procedures placed in operation at the vendor’s data processing site as prepared by its external auditors. In the United States, the format and testing requirements are dictated by Statement on Auditing Standards 70 (SAS 70), issued by the American Institute of Certified Public Accountants.
Step 3. If the system was purchased from and supported by a vendor, assess the financial stability of the system vendor using the most recent audited financial statements prepared by the vendor’s external auditors.
Step 4. Examine the vendor software license agreement and any agreements for ongoing maintenance and support to ensure that they are current, address service needs, and do not contain or omit any wording that could be detrimental to your organization.
TESTS OF PHYSICAL SECURITY CONTROLS
Step 5. Assess the adequacy of physical security over the computer system hardware and storage media.
Step 6. Determine whether an adequately trained backup system security administrator has been designated.
Step 7. Assess the adequacy and effectiveness of the written business resumption plan, including the results of mock disaster tests that have been performed.
Step 8. Assess the adequacy of insurance coverage over the hardware, operating system, application software, and data.
TESTS OF LOGICAL SECURITY CONTROLS
Step 9. Determine whether the maiden password for the system has been changed and whether controls exist to change it on a periodic basis in conformity with the computing system security policy, standards, or guidelines identified in Step 1.
Step 10. Observe the system security administrator sign on and print a list of current system users and their access capabilities. Alternatively, if you can obtain appropriate system access, you can obtain the list of users independently.
Step 11. Document and assess the reasonableness of the default system security parameter settings. The settings should conform to the organization’s computing system security policy, standards, or guidelines tested in Step 1. (Be alert to the fact that in some systems, individual user parameter settings override the default system security
Step 12. Test the functionality of the logical security controls of the system (e.g., password masking, minimum password length, password expiration, user ID suspended after successive invalid sign-on attempts, log-on times allowed, and session time-outs).
Step 13. Determine whether the file containing user passwords is encrypted and cannot be viewed by anyone, including the system security administrator.
Step 14. Determine whether sensitive data, including passwords, are adequately
encrypted throughout their life cycles, including during storage, transmission through any internal or external network or telecommunications devices, and duplication on any backup media.
Step 15. Assess the adequacy of procedures to review the log of system security-related events (e.g., successive invalid sign-on attempts, system restarts, changes to user access capabilities and user parameter settings).
Step 16. Assess the adequacy of remote access controls (e.g., virtual private networks [VPNs], token devices [CRYPTOCard, SecurID, etc.], automatic dial-back, secure sockets layer [SSL]).
TESTS OF INFORMATION SYSTEMS OPERATING CONTROLS
Step 17. Determine whether duties are adequately segregated in the operating
areas supporting the information system (e.g., transactions should be authorized only by the originating department, programmers should not have the capability to execute production programs, procedures should be adequately documented, etc.).
Step 18. Determine whether there have been any significant software problems with the system. Assess the adequacy, timeliness, and documentation of resolution efforts.
Step 19. Assess the adequacy of controls that help ensure that IS operations are functioning in an efficient and effective manner to support the strategic objectives and business operations of the organization (e.g., system operators should be monitoring CPU processing and storage capacity utilization throughout each day to ensure that adequate reserve capacities exist at all times).
more details read here (pdf)
Panduan Terpadu dalam “Analysis dan Design Modeling” menggunakan UML pada studi kasus “On_line Shoping”
(Maciaszek, L.A. (2001): Requirements Analysis and System Design, Developing Information System with UML, Addison Wesley)