1 Risk: Unauthorized access attempts go unnoticed.
- a. SOX.184.108.40.206 OS/400 authentication attempts are limited to attempts specified by the Corporate IT standard.
2. Risk: Unauthorized execution of privileged system commands may disrupt business processes, and corrupt critical business data stores.
- a. SOX.220.127.116.11 OS/400 administrator level access is password restricted and is limited to the designated OS/400 administrators only.
3. Risk: Unscheduled access by support vendors may result in business process interruptions or loss of production data.
- a. SOX.18.104.22.168 OS/400 access by support vendors is granted through a service request.
4. Risk: Unauthorized users might exploit privileged access to critical business processes and data.
- a. SOX.22.214.171.124 New OS/400 user accounts are pre-expired.
5. Risk: Unauthorized users might exploit unauthorized access to critical business processes and data.
- a. SOX.126.96.36.199 The OS/400 operating application has a session "Time-Out" function enabled.
6. Risk: Unnecessary disruptions to business processes or data corruption may occur.
- a. SOX.188.8.131.52 OS/400 system changes are scheduled during maintenance windows.
7. Risk: Unidentifiable users may compromise critical business processes and data.
- a. SOX.184.108.40.206 The OS/400 system will not allow identical administrator IDs.
8. Risk: Insufficient security standards may allow unauthorized access to production systems and business data stores.
- a. SOX.220.127.116.11 OS/400 passwords are required for each system ID. Password configuration is based on Corporate IT standards.
9. Risk: Inappropriate administrative actions are executed without accountability measures.
- a. SOX.18.104.22.168 The OS/400 operating system application has forensic auditing enabled to enable the monitoring of administrative access related events.
10. Risk: Reactive security monitoring results in data compromise and financial loss or liability.
- a. SOX.22.214.171.124 OS/400 administration team is notified when security violations occur.
11. Risk: Forensic evidence is not available to resolve malfunctions, compromises or other security compromising incidents.
- a. SOX.126.96.36.199 The OS/400 administration team reviews security logs looking for security violations.
12. Risk: Unauthorized access is granted to business systems or data stores.
- a. SOX.188.8.131.52 OS/400 access is granted through a service request.
13. Risk: Unauthorized access may occur resulting in business data compromise or destruction.
- a. SOX.184.108.40.206 Terminations are sent through the HR process. An Email is sent from HR with all terminations to the OS/400 system administrators.
14. Risk: Insufficient security standards may allow unauthorized access to production systems and business data stores.
- a. SOX.220.127.116.11 OS/400 password expiration is set to Corporate IT standards.
15. Risk: Security violations or data corruption may occur with no forensic evidence available to resolve the situation.
- a. SOX.18.104.22.168 OS/400 rules and logging is applied to everyone equally including system administrators.
16. Risk: Unauthorized access (i.e. terminated employees) may occur.
- a. SOX.22.214.171.124 A semi-annual revalidation of OS/400 administrator accounts are performed by security administration.
17. Risk: Unauthorized execution of privileged system commands may disrupt business processes, and corrupt critical business data stores.
- a. SOX.126.96.36.199 QSECOFR level access is password restricted. This password is know only by system the administrators.
18. Risk: Controls provide reasonable assurance that the systems are appropriately tested and validated prior to being placed into production processes, and associated controls operate as intended and support financial reporting requirements.
- a. SOX.5.4 A testing strategy is developed and followed for all significant changes in applications and infrastructure technology, which addresses unit, system, integration and user-acceptance-level testing so that deployed systems operate as intended.
--Mdpeters 14:10, 28 August 2006 (EDT)