PO2.4:

From HORSE - Holistic Operational Readiness Security Evaluation.

PO 2.4 Integrity Management

Control Objective:

Define and implement procedures to ensure integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.

Applicability:

Sarbanes-Oxley
HIPAA
GLBA
PCI
FISMA
NIST SP 800-66
DITSCAP
Control Exception
User Defined


Risk Association Control Activities:

1. Risk: Financial systems fail due to a lack of operational procedures being executed.
a. SOX.2.0.2: Controls provide reasonable assurance that IT daily operation procedures are executed.

2. Risk: Data may be lost, altered, or corrupted.
a. SOX.4.1.1: Databases should be appropriately administered to ensure that their integrity is maintained.
b. SOX.4.1.2: Database activity is monitored sufficiently to ensure that the database integrity is maintained.
c. SOX.4.1.3: Database change controls should restrict unauthorized manipulation to preserve production data structures.

3. Risk: Unauthorized personnel gain access to applications because the database passwords do not meet corporate standards.
a. SOX.4.1.4: Passwords are required for each user. Password configuration is based on Corporate IT standards.

4. Risk: Unauthorized personnel have excessive access to company data stores.
a. SOX.4.1.5: The database application has the functionality to log user activity and security-related events, which are reviewed daily by the security administrators.
b. SOX.4.1.6: Database access is granted through a service request and approved by management.
c. SOX.4.1.7: Semi-annual revalidations of user group membership and user accounts are performed by security administration.
d. SOX.4.1.8: DBA, DBO, and System Administrator level access is limited to the designated database administrators only.


Implementation Guide:

Process Narrative
Insert a description of the process narration that is applicable to the existing control statement this narrative refers to.

Process Illustration
Insert a process diagram, flowchart or other visual representation here to illustrate the process narrative.


Control Commentary
Insert a description of the control that is applicable to the existing control statement this commentary refers to.

Control Exception Commentary
Insert a description of the control exception that is applicable to the existing control statement this commentary refers to.

Evidence Archive Location
Insert Evidence Description Here.

Control Status and Auditors Commentary
Describe the condition of the applicable control and its effectiveness. Set the color icon to a redlock.jpg, yellowlock.jpg or greenlock.jpg.

File:Redlock.jpg

Remediation Plan
Insert remediation plan, applicability, or any information that indicates what needs to be done.

Supplemental Information:

ITIL Applications Management.
ITIL The Application Management Lifecycle.
ITIL 5.2 Requirements.

ISO 17799 5.2 Information classification.
ISO 17799 4.1 Information security infrastructure.
ISO 17799 5.1 Accountability for assets.
ISO 17799 8.6 Media handling and security.
ISO 17799 8.7 Exchanges of information and software.
ISO 17799 9.1 Business requirement for access control.
ISO 17799 9.2 User access management.
ISO 17799 9.3 User responsibilities.
ISO 17799 9.4 Network access control.
ISO 17799 9.5 Operating system access control.

Implementation guidance
Insert guidance in this section if it helps to elaborate upon the subject matter. Examples of evidence that would help guide the end user are desirable.