IT Security Plan Template

Download Free IT Security Plan Template

A. APPLICATION/SYSTEM IDENTIFICATION


A.1 Application/System Category
- Indicate whether the application/system is a Major Application or a General Support System.
- A Major Application is "an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application."
- A General Support System is an "interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people."

Sarbanes Oxley SOX 404 IT General Control Test Plan Templates Free Download

Download Free Sarbanes Oxley (SOX) 404 IT General Control Test Plan

- Obtain a copy of the organization’s SDLC methodology.

- Review the methodology to determine that it addresses security, availability and processing integrity requirements.

- Review the organization’s SDLC methodology to determine if it considers both the development and acquisition of new systems and major changes to existing systems.

- Review the methodology to determine if it addresses application controls.

Project Management Data Models and Entity Descriptions Checklist

The following guidelines provide a basic checklist for reviewing data models and entity descriptions.
Basic review of model
- Ensure each entity has a singular noun as a name.
- Ensure the diagram is well laid out. Topology guidelines include:
  - relationship lines as direct as possible, but retaining clarity;
  - master entities higher in the diagram than their details (so avoiding upward pointing relationship arrows);
  - minimum crossing lines.
- The diagram should have no visible storage connotations, e.g.:
  - indexes and arrays should not be shown unless logically significant;
  - business relationships as opposed to physical access paths should be defined.

Review of business implications
Relationship review

Risk Register Template for IT & Project Management

Download Free Risk Register Template for IT & Project Management
1. BASIC RISK INFORMATION
Risk Number: Provide a unique identifier for risk

Risk Description / Risk Event Statement: A risk event statement states (i) what might happen in the future and (ii) its possible impact on the project. "Weather" is not a risk event statement. "Bad weather may delay the project" is a risk event statement.

Responsible: Name or title of team member responsible for risk

Date Reported

PCI DSS 1.1 Audit Work Program Templates Free Download

Control 1 - All cardholder-entered PINs are processed in equipment that conforms to the requirements for Tamper-Resistant Security Modules (TRSMs). PINs must never appear in the clear outside of a TRSM.

Control 2 - All cardholder PINs processed online are encrypted and decrypted using an approved cryptographic technique that provides a level of security compliant with international and industry standards.
