ITGC

The document discusses various aspects of deprovisioning user access, privileged access management, system change control, and backup controls that may be relevant to audit. It provides descriptions of different types of backups (full, incremental, differential) and notes attributes that could be tested for deprovisioning user access, privileged access management, system change control, and backup controls. Key considerations are also outlined for each control area.

Uploaded by Prateek Malhotra

Deprovisioning

Attributes to test
(a) Access privileges for the terminated user are no longer active in the system. Such access was removed,
deleted, or disabled in a timely manner (based on the effective date of the termination).

Note 1: If a common key or field can be used to compare the termination listing to the listing of users, teams
may consider performing a 100% test of all terminated users.

Note 2: Where tools (such as Tivoli Identity Management or others) are utilized to automatically remove
access upon termination, teams may consider testing the termination control as an automated control.
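One way to carry out the 100% test that Note 1 describes, as an added example that is not part of the deck: the termination listing and the user listing are joined on the common key and every terminated user is classified against attribute (a). The CSV rows, field names and the 3-day timeliness threshold are constructed assumptions; substitute the entity's own extracts and policy value.

```python
import csv
import io
from datetime import datetime

# Constructed HR termination listing; employee_id is the common key (Note 1).
TERMINATIONS_CSV = """employee_id,name,termination_date
E100,Alice Example,2024-03-01
E101,Bob Example,2024-03-05
E102,Carol Example,2024-03-10
E103,Dan Example,2024-03-12
"""

# Constructed user listing as exported from the application or directory.
USERS_CSV = """employee_id,username,status,disabled_date
E100,aexample,Disabled,2024-03-01
E101,bexample,Disabled,2024-03-20
E102,cexample,Active,
E200,eexample,Active,
"""

SLA_DAYS = 3  # assumed timeliness threshold; substitute the entity's policy value


def _to_date(value):
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def check_deprovisioning(term_csv, users_csv, sla_days=SLA_DAYS):
    """100% test of terminated users: return one exception dict per terminated user
    whose access is still active, was disabled more than sla_days after the
    effective termination date, lacks disable evidence, or has no matching account."""
    users = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(users_csv))}
    exceptions = []
    for t in csv.DictReader(io.StringIO(term_csv)):
        user = users.get(t["employee_id"])
        base = {"employee_id": t["employee_id"], "username": user and user["username"]}
        if user is None:
            # No account under this key: corroborate (never had access vs. key mismatch)
            issue = "no matching account; corroborate"
        elif user["status"] != "Disabled":
            issue = "still active"
        elif not user["disabled_date"]:
            issue = "disabled but no disable date evidenced"
        else:
            lag = (_to_date(user["disabled_date"]) - _to_date(t["termination_date"])).days
            issue = f"disabled {lag} days after termination" if lag > sla_days else None
        if issue:
            exceptions.append({**base, "issue": issue})
    return exceptions
```

Calling `check_deprovisioning(TERMINATIONS_CSV, USERS_CSV)` on the constructed data returns three exceptions (late disable, still active, no matching account); E200, who was never terminated, is ignored by the join.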
Deprovisioning
Things to consider

The removal or modification of access for terminated/transferred personnel is dependent upon the notification of the
employee event (either manual or automated).

(1) Obtain an understanding of the notification process used by HR to notify Security Administrators of a termination or
transfer.
(2) If the notification process is automated, test the automated notification process as an automated control and evaluate
relevant GITCs over the automated control.
(3) If the notification process is manual, identify and test the controls over the manual notification to check for timely
removal of user access.
Privileged access
Test Attributes

Obtain an access list of users who have privileged-level access. For each account identified, test the following attributes:
• Access privileges are authorized and appropriate for user’s assigned duties based on inquiries with management (indicate
the individual validating access).
• Access privileges are authorized and appropriate for user’s assigned duties based on inspection of their job function
(include reference to corroborating source, such as an organizational chart).
• Generic accounts require access based on business need and access to the accounts is appropriately restricted and
controlled.
Privileged access
Things to consider

1. When testing generic accounts, identify the purpose of the account and determine if there is a business need to require
such access. If there is interactive access to the account, test if the account password is appropriately restricted. For any
users not already tested in attributes A-B, test the appropriateness of their access. If the passwords are controlled through
a password vault or other mechanism, test the applicable controls to ensure account passwords are secured.

2. Privileged level access for the application may include the ability to modify security roles/profiles, assign access to users,
modify report logic for system reports, and modify system configurations.
System Change control
Common types of changes
System Change control
Test attributes

Obtain a system generated list of changes for the audit period. Based on the risk associated with
the control and frequency of changes, make a selection of changes and test the following
attributes:

• Change was tested (system, UAT) prior to moving into production and appears appropriate
based on the nature of the change;
• Change was approved by appropriate management;
• Segregation of duties was maintained in the change process.
System Change control
Things to consider

Teams may alternatively use a ticketing system as the source of the population of changes, which may include
other types of changes beyond patches. In such instances, make a selection of changes from the application
and validate that they appear on the ticketing system listing accurately and completely. Additionally,
application changes may be tested in conjunction with other technologies as part of a common controls
approach, if applicable at the entity.

Consider and evaluate segregation of duties (SOD) in the change management process. When performing
test procedure #2 above, obtain an understanding of each user's job function (based on inspection of
corroborating source, such as an organizational chart) and ascertain if the user's job function is appropriate
(e.g., not a developer). Additionally, perform one of the additional test procedures listed below.
Backup controls
Types of backups

Full backup
As the name suggests, this refers to the process of copying everything that is considered important and that must not be
lost. This type of backup is the first copy and generally the most reliable copy, as it can normally be made without any need
for additional tools.

Incremental backup
This process requires much more care to be taken over the different phases of the backup, as it involves making copies of
the files by taking into account the changes made in them since the previous backup. For example, imagine you have done a
full backup. Once you’ve finished, you decide that going forward you will do incremental backups, and you then create two
new files. The incremental backup will detect that all the files in the full backup remain the same, and will only make backup
copies of the two newly created files. As such, the incremental backup saves time and space, as there will always be fewer
files to be backed up than if you were to do a full backup. We recommend that you do not try to employ this type of backup
strategy using manual means.

Differential backup
A differential backup has the same basic structure as an incremental backup—in other words, it involves making copies only
of new files or of files that underwent some kind of change. However, with this backup model, all the files created since the
original full backup will always be copied again. For the same reasons as with incremental backups, we recommend that
differential backups are also not carried out manually.
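The three backup types worked through in code, as an added example rather than material from the deck: it selects which files each run copies (full: everything; incremental: changed since the previous run of any kind; differential: changed since the last full) and which runs a restore needs. File names and the integer clock are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class BackupRun:
    kind: str          # "full", "incremental" or "differential"
    at: int            # time the run executed (constructed integer clock)
    copied: list = field(default_factory=list)

def select_files(kind, files, history):
    """Names a backup of `kind` copies. files: name -> last-modified time.
    full: everything; incremental: changed since the previous run of any kind;
    differential: changed since the most recent full run."""
    if kind == "full" or not history:
        return sorted(files)
    if kind == "incremental":
        since = history[-1].at
    elif kind == "differential":
        since = max(r.at for r in history if r.kind == "full")
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    return sorted(name for name, mtime in files.items() if mtime > since)

def run_backup(kind, at, files, history):
    run = BackupRun(kind, at, select_files(kind, files, history))
    history.append(run)
    return run

def restore_set(history):
    """Runs needed to restore to the latest point: the last full plus later runs,
    where a differential supersedes every partial run taken before it."""
    last_full = max(i for i, r in enumerate(history) if r.kind == "full")
    needed = [history[last_full]]
    for r in history[last_full + 1:]:
        needed = [history[last_full], r] if r.kind == "differential" else needed + [r]
    return needed

def scenario():
    # The deck's example carried further; file names and clock values are constructed.
    files = {"ledger.db": 0, "config.ini": 0}
    history = []
    run_backup("full", 1, files, history)           # copies both files
    files["jan.xlsx"], files["feb.xlsx"] = 2, 2      # two new files created
    run_backup("incremental", 3, files, history)    # only the two new files
    files["ledger.db"] = 4
    run_backup("incremental", 5, files, history)    # only ledger.db
    run_backup("differential", 6, files, history)   # everything changed since the full
    return history
```

The restore side is the practical difference for an auditor evaluating recoverability: after the differential, only the full and that one differential are needed, whereas an incremental-only chain needs the full and every incremental since it.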
Backup controls
Attributes to test

Backup Schedule: Obtain evidence of the automated backup schedule for each relevant database or location containing
relevant financial data. Inspect the configuration to test that backups of financial data are scheduled to occur according to
policy.

Backup Monitoring - Option 1: (This option applies when we make a sample of days and test the backup status for those
days)
• Backup ran successfully without errors;
• In case of error, an alert was generated, appropriate personnel notified, and corrective action taken to resolve the error.

Backup Monitoring - Option 2: (This option applies when we make a sample of tickets/cases from a population of backup
errors/abends)
• Corrective action was taken to resolve the error.
Backup controls
Things to consider

• How backups are monitored for successful execution and the method in which failures are escalated to take corrective
action;
• What group is responsible for scheduling and monitoring backup jobs;
• How often management reviews backups and exceptions;
• What criteria are used to trigger further investigation, and what documentation exists to evidence follow-up activity
on backup jobs that meet those criteria.
