SOX.2.0.14:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
No edit summary
No edit summary
 
Line 2: Line 2:
<br>
<br>
::'''1. Risk: Business requirements are not met or third parties have inappropriate access to business data stores and business processes.'''<br>
::'''1. Risk: Business requirements are not met or third parties have inappropriate access to business data stores and business processes.'''<br>
:::a. [[SOX.2.0.12:|'''SOX.2.0.12''']] Selection of vendors for outsourced services is performed in accordance with the organization’s vendor management policy.<br>
:::a. [[SOX.2.0.14:|'''SOX.2.0.14''']] Third-party service contracts address the risks, security controls and procedures for information systems and networks in the contract between the parties.<br>
<br>
<br>
</blockquote>
</blockquote>
Line 8: Line 8:
'''Testing Procedures'''
'''Testing Procedures'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
Obtain the organization’s vendor management policy and discuss with those responsible for third-party service management if they follow such standards. Obtain and test evidence that the selection of vendors for outsourced services is performed in accordance with the organization’s vendor management policy. .<br>
Select a sample of third-party service contracts and determine if they include controls to support security, availability and processing integrity in accordance with the company’s policies and procedures. .<br>
<br>
<br>
</blockquote>
</blockquote>
Line 26: Line 26:
'''Control Stewards Process Narrative'''
'''Control Stewards Process Narrative'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
<p><font color=#008000>The AIX operating system prevents the addition of duplicate Ids. Furthermore, the regular review of administrator IDs listed above serves as a backstop for this control.</font></p>
<p><font color=#008000>Insert Narrative here.</font></p>


<br>
<br>
Line 41: Line 41:
'''Control Status and Auditors Commentary'''
'''Control Status and Auditors Commentary'''
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
<p><font color=#008000>The control is effective. It is technically impossible to establish identical user accounts on a UNIX operating system.</font></p>
<p><font color=#008000>The control is effective. </font></p>
<br>
<br>
[[Image:greenlock.jpg]]<br>
[[Image:greenlock.jpg]]<br>

Latest revision as of 18:21, 14 June 2006


1. Risk: Business requirements are not met or third parties have inappropriate access to business data stores and business processes.
a. SOX.2.0.14 Third-party service contracts address the risks, security controls and procedures for information systems and networks in the contract between the parties.



Testing Procedures

Select a sample of third-party service contracts and determine if they include controls to support security, availability and processing integrity in accordance with the company’s policies and procedures. .


Testing Frequency

Quarterly validation of all systems within scope.

Evidence Archive Location

Insert hyperlink or location of evidence archive.

Control Stewards Process Narrative

Insert Narrative here.


Control Steward – Steve Somebody

Process Illustration

Replace this test by inserting a process diagram, flowchart or other visual representation to illustrate the process narrative as necessary. Include a brief description of the process illustration.

Control Status and Auditors Commentary

The control is effective.


File:Greenlock.jpg

Status is acceptable.

Control Exception Commentary

Status is acceptable.

Remediation Plan

Remediation is not required at this time.