3.2.1.1: Routers: Difference between revisions
No edit summary |
No edit summary |
||
Line 87: | Line 87: | ||
:a. [[SOX.2.1.1.15:|'''SOX.2.1.1.15''']] ROUTER authentication attempts are limited to attempts specified by the Corporate IT standard.<br> | :a. [[SOX.2.1.1.15:|'''SOX.2.1.1.15''']] ROUTER authentication attempts are limited to attempts specified by the Corporate IT standard.<br> | ||
</blockquote> | </blockquote> | ||
<blockquote style="background: #C8CDC7; padding: 1em; margin-left: 0.5em;"> | |||
[[Image:Key-control.jpg]]<br> | |||
<br> | |||
'''16. Risk: Controls provide reasonable assurance that the systems are appropriately tested and validated prior to being placed into production processes, and associated controls operate as intended and support financial reporting requirements.'''<br> | |||
:a. [[SOX.5.4:|'''SOX.5.4''']] A testing strategy is developed and followed for all significant changes in applications and infrastructure technology, which addresses unit, system, integration and user-acceptance-level testing so that deployed systems operate as intended.<br> | |||
</blockquote> | |||
--[[User:Mdpeters|Mdpeters]] 09:40, 23 June 2006 (EDT) |
Latest revision as of 13:40, 23 June 2006
1. Risk: Unauthorized users might exploit unauthorized access to critical business processes and data.
- a. SOX.2.1.1.1 The ROUTER operating application has a session "Time-Out" function enabled.
2. Risk: Unnecessary disruptions to business processes or data corruption may occur.
- a. SOX.2.1.1.2 ROUTER rule changes are scheduled during maintenance windows.
3. Risk: Unidentifiable users may compromise critical business processes and data.
- a. SOX.2.1.1.3 The ROUTER system will not allow identical administrator IDs.
4. Risk: Insufficient security standards may allow unauthorized access to production systems and business data stores.
- a. SOX.2.1.1.4 ROUTER passwords are required for each administrator ID. Password configuration is based on Corporate IT standards.
5. Risk: Inappropriate administrative actions are executed without accountability measures.
- a. SOX.2.1.1.5 The ROUTER operating application has the functionality to monitor administrator access related events.
6. Risk: Reactive security monitoring results in data compromise and financial loss or liability.
- a. SOX.2.1.1.6 ROUTER administration team is notified when security violations occur.
7. Risk: Forensic evidence is not available to resolve malfunctions, compromises or other security compromising incidents.
- a. SOX.2.1.1.7 The ROUTER administration team reviews security logs looking for security violations.
8. Risk: Unauthorized access is granted to business systems or data stores.
- a. SOX.2.1.1.8 ROUTER access is granted through a service request.
9. Risk: Unauthorized access may occur resulting in business data compromise or destruction.
- a. SOX.2.1.1.9 Terminations are sent through the HR process. An Email is sent from HR with all terminations to the ROUTER system administrators.
10. Risk: Insufficient security standards may allow unauthorized access to production systems and business data stores.
- a. SOX.2.1.1.10 ROUTER password expiration is set to Corporate IT standards.
11. Risk: Security violations or data corruption may occur with no forensic evidence available to resolve the situation.
- a. SOX.2.1.1.11 ROUTER rules and logging is applied to everyone equally including system administrators.
12. Risk: Unauthorized access (i.e. terminated employees) may occur.
- a. SOX.2.1.1.12 A semi-annual revalidation of ROUTER administrator accounts are performed by security administration.
13. Risk: Unauthorized execution of privileged system commands may disrupt business processes, and corrupt critical business data stores.
- a. SOX.2.1.1.13 ROUTER administrator level access is password restricted and is limited to the designated ROUTER administrators only.
14. Risk: Unscheduled access by support vendors may result in business process interruptions or loss of production data.
- a. SOX.2.1.1.14 ROUTER access by support vendors is granted through a service request.
15. Risk: Unauthorized access attempts go unnoticed.
- a. SOX.2.1.1.15 ROUTER authentication attempts are limited to attempts specified by the Corporate IT standard.
16. Risk: Controls provide reasonable assurance that the systems are appropriately tested and validated prior to being placed into production processes, and associated controls operate as intended and support financial reporting requirements.
- a. SOX.5.4 A testing strategy is developed and followed for all significant changes in applications and infrastructure technology, which addresses unit, system, integration and user-acceptance-level testing so that deployed systems operate as intended.
--Mdpeters 09:40, 23 June 2006 (EDT)