During the Sarbanes-Oxley audit of a financial services company, you note the following issues. Categorize each of them into the area to which they belong: IT change management, logical access to data, and IT operations.
a. Five database administrators have access to the SA (system administrator) account with complete access to the database.
b. Several changes to database structures did not have appropriate approval by management.
c. Some users continued to have access to the database even after having been terminated.
d. Databases are backed up on a regular schedule, using an automated system.
The Solution to the Problem
Sarbanes-Oxley audit of a financial services company
The key areas of IT examined during a Sarbanes-Oxley audit are described below.
- Change management in IT
- Logical access to data
- Operations in IT
Change management in IT
It is the method of monitoring changes made within the IT infrastructure used by the organization. Any change to operating systems or databases requires permission from the change control board. It controls the authorized changes occurring within IT systems.
Logical access to data
It deals with the method of protecting data from unauthorized access. It specifically assigns access rights to individual users within the organization. There are two forms of security policies: personnel control and physical access control.
Operations in IT
It deals with the day-to-day operations performed on the infrastructure, databases, and applications used in the organization. It monitors and performs the system's daily or regular activities, such as the database backup process and checks for data availability.
Categorize the given issues
a) The given issue deals with the logical part of the system used in the organization; hence it comes under the key area of logical access to data. But it also concerns who has access to production systems and data, so it might also come under IT change management.
b) The given issue deals with the changes made in the database structure. Hence, it comes under IT change management.
c) The given issue deals with access to the system's database, which is the logical part of the system. Hence, it comes under the key area of logical access to data.
d) The given issue deals with the system's database backup process, which is part of the system's IT operations. Hence, it comes under the key area of IT operations.
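As an added example (not part of the original exercise or its answer key), the following Python script turns each of the three key areas into an automated control test over constructed sample data: an HR termination list is reconciled against the database account inventory, the number of SA role holders is counted against a threshold, a schema change log is checked for a recorded approval, and the backup history is checked for missed days. Every username, change id, date and threshold below is hypothetical.

```python
"""Automated IT general control (ITGC) checks over constructed sample data.

Each check maps to one of the three SOX key areas:
  - logical access to data : terminated users, shared privileged accounts
  - IT change management   : schema changes without a recorded approval
  - IT operations          : gaps in the daily backup schedule
"""
from datetime import date, timedelta

# ---- Constructed sample data (hypothetical; not taken from any real audit) ----
AS_OF = date(2024, 6, 30)

# HR record of terminations: username -> termination date
HR_TERMINATIONS = {"jdoe": date(2024, 3, 1), "msmith": date(2024, 5, 15)}

# Database account inventory: username -> set of roles held
DB_ACCOUNTS = {
    "jdoe": {"reader"},              # terminated, still provisioned
    "msmith": {"reader", "writer"},  # terminated, still provisioned
    "asilva": {"sa"},
    "bchen": {"sa"},
    "ckim": {"sa"},
    "dlee": {"sa"},
    "emartin": {"sa"},
    "fnguyen": {"reader"},
}

# Schema change log: change id -> (object changed, approving body or None)
SCHEMA_CHANGES = {
    "CHG-101": ("accounts", "change control board"),
    "CHG-102": ("ledger", None),       # no approval recorded
    "CHG-103": ("customers", "change control board"),
    "CHG-104": ("audit_log", None),    # no approval recorded
}

# Backup job history: dates on which a successful backup completed.
# One day (AS_OF - 7) is deliberately missing so the gap check has something to find.
BACKUP_DATES = [AS_OF - timedelta(days=d) for d in range(30) if d != 7]


def terminated_users_with_access(accounts, terminations, as_of):
    """Users terminated on or before as_of who still hold a database account."""
    return sorted(u for u, term in terminations.items() if term <= as_of and u in accounts)


def privileged_role_holders(accounts, role="sa", max_holders=2):
    """Holders of a privileged role, plus a flag when the count exceeds max_holders."""
    holders = sorted(u for u, roles in accounts.items() if role in roles)
    return holders, len(holders) > max_holders


def unapproved_schema_changes(changes):
    """Change ids with no approving body recorded in the change log."""
    return sorted(cid for cid, (_, approver) in changes.items() if not approver)


def backup_gaps(backup_dates, as_of, window_days=30):
    """Days inside the review window on which no backup completed (daily schedule expected)."""
    have = set(backup_dates)
    start = as_of - timedelta(days=window_days - 1)
    days = (start + timedelta(days=i) for i in range(window_days))
    return [d for d in days if d not in have]


def itgc_findings(accounts, terminations, changes, backup_dates, as_of):
    """Group findings by the SOX key area to which each control test belongs."""
    findings = {"logical access to data": [], "IT change management": [], "IT operations": []}
    for u in terminated_users_with_access(accounts, terminations, as_of):
        findings["logical access to data"].append(f"terminated user {u} still has a database account")
    holders, excessive = privileged_role_holders(accounts)
    if excessive:
        findings["logical access to data"].append(
            f"{len(holders)} users share the sa role: {', '.join(holders)}")
    for cid in unapproved_schema_changes(changes):
        findings["IT change management"].append(f"schema change {cid} has no recorded approval")
    for day in backup_gaps(backup_dates, as_of):
        findings["IT operations"].append(f"no backup completed on {day.isoformat()}")
    return findings


if __name__ == "__main__":
    report = itgc_findings(DB_ACCOUNTS, HR_TERMINATIONS, SCHEMA_CHANGES, BACKUP_DATES, AS_OF)
    for area, items in report.items():
        print(f"{area}: {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

The threshold of two SA holders is an assumption chosen to make the shared-account issue visible; an auditor would take the actual limit from the organization's access policy. The reconciliation of HR terminations against the account inventory is the test that catches issue (c), and it only works when the HR feed is authoritative and timely, so the freshness of that feed is itself part of the control.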
See Also: MDM Chapter 11 Problem and Exercise 10