IT Security Plan Template
Download Free IT Security Plan Template

A. APPLICATION/SYSTEM IDENTIFICATION
A.1 Application/System Category
- Indicate whether the application/system is a Major Application or a General Support System.
- A Major Application is "an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application."
- A General Support System is an "interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people."
Business Impact Analysis Questionnaire Template
Download Free Business Impact Analysis Questionnaire Template

Business Impact Analysis
A Business Impact Analysis (BIA) is the foundation for all business continuity planning programs. It identifies the financial and operational impacts that may result from a disruption of business operations. Disruptions can take many forms,
Sarbanes Oxley SOX 404 IT General Control Test Plan Templates Free Download
Download Free Sarbanes Oxley (SOX) 404 IT General Control Test Plan

- Obtain a copy of the organization’s SDLC methodology.
- Review the methodology to determine that it addresses security, availability and processing integrity requirements.
- Review the organization’s SDLC methodology to determine if it considers both the development and acquisition of new systems and major changes to existing systems.
- Review the methodology to determine if it addresses application controls.
Project Management Data Models and Entity Descriptions Checklist
The following guidelines provide a basic checklist for reviewing data models and entity descriptions.
Basic review of model
- Ensure each entity has a singular noun as a name.
- Ensure the diagram is well laid out. Topology guidelines include:
  - relationship lines as direct as possible, but retaining clarity;
  - master entities higher in the diagram than their details (so avoiding upward pointing relationship arrows);
  - minimum crossing lines.
- The diagram should have no visible storage connotations, e.g.:
  - indexes and arrays should not be shown unless logically significant;
  - business relationships as opposed to physical access paths should be defined.
Review of business implications
Relationship review
SAS 70 Report Content Templates free download
Download Free SAS 70 (Statement on Auditing Standards no 70) Report Content Templates

The SAS 70 Type II report includes three required sections: the auditor’s opinion, the service organization’s description of controls, and tests of operating system effectiveness and the results of those tests. The report may also include an additional section with other information provided by the service organization (provided for informational purposes but not subject to audit).
Section I: Service Auditor’s Opinion
The following is example SAS 70 Type II audit opinion text for a scenario in which the service organization achieves the specified control objectives. The opinion would be modified to suit the circumstances of the specific audit.
Section II: Description of Controls
The service organization’s description of controls typically includes narrative descriptions of the following components:
• Overview of operations
• Description of services provided by the service organization that are covered in the report
• Control objectives and supporting control activities
• Control environment, risk assessment processes, and monitoring processes
• Information systems and communication processes
• User control considerations (i.e., controls that users of the service organization should have in place to address their responsibilities with regard to controls over the service)