Generic Data Center and Network Operations Workplan


Version History v2 - June, 2017

Control#: Change
Workpaper Template: Added in fields from master workpaper template to incorporate IT Risk assessment considerations
Entire Framework: Added in control activity and procedure specific notes/considerations, including identifying which controls and procedures are typically not relevant for lower risk environments
DCNO.05, DCNO.24 & DCNO.17: Added clarifying notes at top of each control related to relevance of the control.
DCNO.06: Removed "Privileged-level access to network / firewall devices is authorized and appropriately restricted."

Version History v1 - June, 2016

Control#: Change
Initial Version: n/a
IT Testing Area: Generic Data Center & Network Operations

System Level IT Risk Assessment Classification:

Control Performer(s), Title and Date Obtained / Evaluation of Competence and Authority:

Workpaper columns:
• Risk Arising from IT (RAIT)
• RAIT Risk Classification from System Level IT Risk Classification
• If RAIT Risk Classification differs from System Level IT Risk Classification, document Rationale
• Risk Associated with Control
• Control ID
• Control Description
• Test Approach
• Design Conclusion
• Interim Operating Effectiveness Conclusion
• Interim Risk Conclusion
• Final Operating Effectiveness Conclusion
• Final Risk Conclusion
• Deficiencies Noted?
Risk Arising from IT: Financial data cannot be recovered or accessed in a timely manner when there is a loss of data.
  DCNO.17: Financial data is backed up on a regular basis according to an established schedule and frequency.
  DCNO.18: Backup processes are monitored for successful execution, and failures are escalated and corrected to ensure data is usable and available for retrieval and restoration if needed.

Risk Arising from IT: Individuals gain inappropriate access to equipment in the data center and exploit such access to circumvent logical access controls and gain inappropriate access to systems.
  Note: Consider the IT risk assessment for your engagement to determine the applicability of this control. In many IT environments, the related risk arising from IT is remote and would not require further testing of physical security controls.
  DCNO.19: Physical security mechanisms are in place to appropriately restrict access to data centers and computer rooms to personnel who require access to perform their assigned duties.
  DCNO.20: Physical access to the data center is reviewed by management on a periodic basis to ascertain that access is granted only to authorized and appropriate individuals.

Risk Arising from IT: The network does not adequately prevent unauthorized users from gaining inappropriate access to information systems.
  Note: The nature and extent of network controls that are relevant for the audit will vary depending on the entity's industry and technology environment. Consider the IT risk assessment for your engagement to determine the controls that are necessary to address the related risk arising from IT.
  DCNO.05: Access is authenticated through unique user IDs and passwords or other methods as a mechanism for validating that users are authorized to gain access to the system. Password parameters meet company and/or professional policies and standards (e.g., password minimum length and complexity, expiration, account lockout).
  DCNO.21: Network is architected to segment web-facing applications from the internal network, where ICFR relevant applications are accessed.
  DCNO.22: On a periodic basis, vulnerability scans of the network perimeter are performed by the Network management team, who also investigate potential vulnerabilities.
  DCNO.23: On a periodic basis, alerts are generated to provide notification of threats identified by the intrusion detection systems. These threats are investigated by the Network management team.
  DCNO.24: Controls are implemented to restrict Virtual Private Network (VPN) access to authorized and appropriate users.

Risk Arising from IT: Inappropriate changes are made to system software (e.g., operating system, network, change-management software, access-control software).
  DCNO.10: Network / firewall changes are appropriately reviewed and approved before being implemented into the production environment.

Risk Arising from IT: Production systems, programs, and/or jobs result in inaccurate, incomplete, or unauthorized processing of data.
  DCNO.15: Only authorized users have access to update the batch jobs (including interface jobs) in the job scheduling software.
  DCNO.16: Critical systems, programs, and/or jobs are monitored, and processing errors are corrected to ensure successful completion.

Summary

Control Activity: DCNO.05
Description: Access is authenticated through unique user IDs and passwords or other methods as a mechanism for validating that users are authorized to gain access to the system. Password parameters meet company and/or industry standards (e.g., password minimum length and complexity, expiration, account lockout).

Note: In most environments, authentication to the network is performed through Active Directory. If Active Directory is the network authentication
mechanism in use for the entity, refer to control AD.05 in the Windows / Active Directory workplan.

Evaluation of Design Procedures / Evaluation of Design Testing Results


Inquire with management to understand the authentication controls (e.g., password minimum length, complexity, expiration and account lockout) relevant to connecting to network devices for administration. Specifically, consider obtaining an understanding of the following attributes, as appropriate:
• Policies, procedures, standards, and guidance regarding authentication controls and password requirements;
• Where authentication resides (e.g., whether authentication is integrated with the firewall operating system or with a network device management tool such as TACACS+);
• Whether the settings are enforced for all users (system-wide setting) or whether the settings vary per user or user type;
• Design of the authentication controls for the application for all types of accounts defined on the system (e.g., end-user, system accounts, administrators);
• The specific settings that are enforced (length, complexity, password change, and account lockout) and the consistency of those settings with industry standards;
• Whether default accounts have had their default passwords changed;
• The process followed by Management to confirm that default accounts not supported by a valid business case are deleted/disabled, and the process followed by Management to limit password knowledge for active default accounts. As part of this, also understand Management's process for managing default account passwords, the process for periodically changing these passwords, and how a changed password is communicated only to those with a supported business case.

Inspect evidence to corroborate the design of the control, such as evidence that settings are enforced for an individual user or system-wide.

Evidence used to corroborate the design of the control


Design Factor 1: Appropriateness of the Purpose of the Control and its Correlation to the Risk - Document considerations of the appropriateness of the purpose of the control and correlation to the IT risk identified.
Design Factor 2: Competence and Authority of the Person(s) Performing the Control - Control Owner(s) - Document considerations of the appropriateness of authority and competence of the process owner(s) to perform the control, including consideration of segregation of duties (as applicable). Testing results: Refer to the Summary worksheet for the evaluation of the competence and authority for individuals or groups performing the control.
Design Factor 3: Frequency and Consistency with Which the Control is Performed - Frequency of Control Operation
Design Factor 4: Level of Aggregation and Predictability - Document considerations of the appropriateness of the levels of aggregation and/or predictability given the risk addressed.
Design Factor 5: Criteria for Investigation and Process for Follow-up - Document considerations of the appropriateness of the criteria used for investigation (i.e., threshold) and the process for follow-up.
Evaluation of Design Conclusion

RAIT Risk Classification: 0

Risk Associated with the Control:
DCNO.05 Page 3 of 55
Basis for the conclusion on the risk associated with the control:
Test Approach:

Dependency on Other Control(s) or Information - Is the control dependent upon other controls or information? Include a description of the IUC and identify the controls that address the accuracy and completeness of the IUC, where the IUC is tested and the conclusions reached as a result of that testing. Consider source data, parameters and report logic.

Information used as Audit Evidence - Is the information used as audit evidence to test the control? Include a description of the IPE and details regarding how it was generated (i.e., who provided the IPE and the date it was generated). Describe procedures performed to address completeness and accuracy. Consider source data, parameters and report logic.

Recommended Tools to obtain data: N/A
Tools used to obtain data:

Interim Operating Effectiveness Testing (This includes a test of implementation)

Identify the Population & Time Period of Coverage:
Number & Description of Selections (Sample Size based on RAIT and RAWC):

Test Procedure Number / Operating Effectiveness Test Procedure (including Implementation) / Operating Effectiveness Testing Results (including Implementation)
1 Obtain evidence of authentication and security configurations to evaluate if they are configured consistent with the control design. Consider the following attributes when performing testing:
• Password length;
• Password complexity (i.e., contain a combination of letters, numbers, or special characters);
• Password change interval (e.g., every 30-90 days);
• Password history is enabled to prevent re-use of passwords;
• Failed login lockout.

2 For any default accounts, test that the default password has been modified.
3 For any privileged-level shared, generic, service, and/or vendor accounts that may not follow the automated password configuration, test the manual controls to enforce password settings (e.g., password vaulting, periodic password change, etc.).
Interim Operating Effectiveness Conclusion

Roll-Forward (RF) Testing
RF Testing Approach:
Test Procedure Number / Roll-Forward Test Procedure / Roll-Forward Testing Results

RF Test Procedure 1 Inquire with the process owners and/or control owners on the following:
- The status of deficiencies identified at interim, including new or modified controls to respond to the deficiencies
- Significant changes to control performers, existing processes, or IT systems supporting the control.

RF Test Procedure 2
RF IPE Procedures Identify and describe test procedures performed over IPE at RF.
RF Mitigating Procedures If applicable, perform mitigating procedures for any deviations/deficiencies identified during RF testing or for
open interim deficiencies.
Final Operating Effectiveness Conclusion

Evaluation of Deficiencies
Deficiencies noted:
Deficiency Description (if applicable):
Reference to evaluation of deficiencies over internal control (e.g., form 2342(S)):

Control Activity: DCNO.10
Description: Network / firewall changes are appropriately reviewed and approved before being implemented into the production environment.

Evaluation of Design Procedures / Evaluation of Design Testing Results


Inquire with management to understand the controls related to testing and approving network changes. Specifically, consider obtaining an understanding of the following attributes, as appropriate:
• Policies, procedures, standards and guidance related to network changes;
• Process adopted by Management to test changes;
• Timeliness of the process for reviewing, approving, and deploying a change;
• Individuals responsible for managing the change process (including approval) and those that are responsible for migrating changes to production;
• Organizational structure of the individual(s) taking responsibility for the network change processes.

Inspect evidence to corroborate the design of the control, such as evidence that a change applied during the period was tested and approved by management.

Evidence used to corroborate the design of the control


Design Factor 1: Appropriateness of the Purpose of the Control and its Correlation to the Risk - Document considerations of the appropriateness of the purpose of the control and correlation to the IT risk identified.
Design Factor 2: Competence and Authority of the Person(s) Performing the Control - Control Owner(s) - Document considerations of the appropriateness of authority and competence of the process owner(s) to perform the control, including consideration of segregation of duties (as applicable). Testing results: Refer to the Summary worksheet for the evaluation of the competence and authority for individuals or groups performing the control.
Design Factor 3: Frequency and Consistency with Which the Control is Performed - Frequency of Control Operation
Design Factor 4: Level of Aggregation and Predictability - Document considerations of the appropriateness of the levels of aggregation and/or predictability given the risk addressed.
Design Factor 5: Criteria for Investigation and Process for Follow-up - Document considerations of the appropriateness of the criteria used for investigation (i.e., threshold) and the process for follow-up.
Evaluation of Design Conclusion

RAIT Risk Classification: 0

Risk Associated with the Control:
Basis for the conclusion on the risk associated with the control:
Test Approach:

Dependency on Other Control(s) or Information - Is the control dependent upon other controls or information? Include a description of the IUC and identify the controls that address the accuracy and completeness of the IUC, where the IUC is tested and the conclusions reached as a result of that testing. Consider source data, parameters and report logic.

Information used as Audit Evidence - Is the information used as audit evidence to test the control? Include a description of the IPE and details regarding how it was generated (i.e., who provided the IPE and the date it was generated). Describe procedures performed to address completeness and accuracy. Consider source data, parameters and report logic.

Recommended Tools to obtain data: N/A
Tools used to obtain data:

Interim Operating Effectiveness Testing (This includes a test of implementation)

Identify the Population & Time Period of Coverage:
Number & Description of Selections (Sample Size based on RAIT and RAWC):

Test Procedure Number / Operating Effectiveness Test Procedure (including Implementation) / Operating Effectiveness Testing Results (including Implementation)
1 Obtain a system generated list of changes for the audit period, determine appropriate sample size, and make a selection of changes. For each of the selected changes, test for the following attributes:
• The change was reviewed and/or backout plans were created prior to implementation.
• The change was approved by management before being installed on the server.

Note: Please note that network changes typically follow the same change control process as operating system changes. If that is the case at your client, you may be able to test network and operating system changes in one sample as a common control. Please follow the common control guidance in the Internal Control Guide.

Interim Operating Effectiveness Conclusion

Roll-Forward (RF) Testing
RF Testing Approach:
Test Procedure Number / Roll-Forward Test Procedure / Roll-Forward Testing Results
RF Test Procedure 1 Inquire with the process owners and/or control owners on the following:
- The status of deficiencies identified at interim, including new or modified controls to respond to the deficiencies
- Significant changes to control performers, existing processes, or IT systems supporting the control.

RF Test Procedure 2
RF IPE Procedures Identify and describe test procedures performed over IPE at RF.
RF Mitigating Procedures If applicable, perform mitigating procedures for any deviations/deficiencies identified during RF testing or for
open interim deficiencies.
Final Operating Effectiveness Conclusion

Evaluation of Deficiencies
Deficiencies noted:
Deficiency Description (if applicable):
Reference to evaluation of deficiencies over internal control (e.g., form 2342(S)):
Control Activity: DCNO.15
Description: Only authorized users have access to update the batch jobs (including interface jobs) in the job scheduling software.

Note: Consider if the entity is using the application for scheduling relevant jobs when making a determination as to whether this control is applicable. Furthermore, this control is not typically tested for lower risk environments (such as when there are a small number of financial related jobs, and the relevant interfaces are already addressed by direct controls).

Evaluation of Design Procedures / Evaluation of Design Testing Results

Inquire with management to understand the controls related to access to job scheduling. Specifically, consider obtaining an understanding of the following attributes, as appropriate:
• Policies, procedures, standards, and guidance for the use of the job scheduler;
• Extent to which the job scheduler is used;
• Procedures for updating the master schedule;
• Who should have access to the job scheduler.

Inspect evidence to corroborate the design of the control, such as reviewing a user who has access to the job scheduling software and determining that the access is commensurate with job responsibilities.

Evidence to Corroborate Design:

Design Factor 1: Appropriateness of the Purpose of the Control and its Correlation to the Risk - Document considerations of the appropriateness of the purpose of the control and correlation to the IT risk identified.
Design Factor 2: Competence and Authority of the Person(s) Performing the Control - Control Owner(s) - Document considerations of the appropriateness of authority and competence of the process owner(s) to perform the control, including consideration of segregation of duties (as applicable). Testing results: Refer to the Summary worksheet for the evaluation of the competence and authority for individuals or groups performing the control.
Design Factor 3: Frequency and Consistency with Which the Control is Performed - Frequency of Control Operation
Design Factor 4: Level of Aggregation and Predictability - Document considerations of the appropriateness of the levels of aggregation and/or predictability given the risk addressed.
Design Factor 5: Criteria for Investigation and Process for Follow-up - Document considerations of the appropriateness of the criteria used for investigation (i.e., threshold) and the process for follow-up.
Evaluation of Design Conclusion:

RAIT Risk Classification:

Risk Associated with the Control:
Basis for the conclusion on the risk associated with the control:
Test Approach:

Dependency on Other Control(s) or Information - Is the control dependent upon other controls or information? Include a description of the IUC and identify the controls that address the accuracy and completeness of the IUC, where the IUC is tested and the conclusions reached as a result of that testing. Consider source data, parameters and report logic.

Information used as Audit Evidence - Is the information used as audit evidence to test the control? Include a description of the IPE and details regarding how it was generated (i.e., who provided the IPE and the date it was generated). Describe procedures performed to address completeness and accuracy. Consider source data, parameters and report logic.

Recommended Tools to obtain data:
Tools used to obtain data:

Interim Operating Effectiveness Testing (This includes a test of implementation)

Identify the Population & Time Period of Coverage:
Number & Description of Selections (Sample Size based on RAIT and RAWC):

Test Procedure Number / Operating Effectiveness Test Procedure (including Implementation) / Operating Effectiveness Testing Results (including Implementation)
1 Obtain an access list of users who have access to add/modify/remove jobs in the job scheduling software. For each user with access, test the following attributes:
• Access privileges are authorized and appropriate for the user's assigned duties based on inquiries with management (indicate the individual validating access);
• Access privileges are authorized and appropriate for the user's assigned duties based on inspection of their job function (include reference to a corroborating source, such as an organizational chart);
• Generic accounts require access based on business need, and access to the accounts is appropriately restricted and controlled.

Note: When testing generic accounts, identify the purpose of the account and determine if there is a business need to require such access. If there is interactive access to the account, test if the account password is appropriately restricted. For any users not already tested in attributes A-B, test the appropriateness of their access. If the passwords are controlled through a password vault or other mechanism, test the applicable controls to ensure account passwords are secured.

Interim Operating Effectiveness Conclusion:

Roll-Forward (RF) Testing
RF Testing Approach:
Test Procedure Number / Roll-Forward Test Procedure / Roll-Forward Testing Results
RF Test Procedure 1 Inquire with the process owners and/or control owners on the following:
- The status of deficiencies identified at interim, including new or modified controls to respond to the deficiencies
- Significant changes to control performers, existing processes, or IT systems supporting the control.

RF Test Procedure 2
RF IPE Procedures Identify and describe test procedures performed over IPE at RF.
RF Mitigating Procedures If applicable, perform mitigating procedures for any deviations/deficiencies identified during RF testing or for open interim deficiencies.
Final Operating Effectiveness Conclusion:

Evaluation of Deficiencies
Deficiencies noted:
Deficiency Description (if applicable):
Reference to evaluation of deficiencies over internal control (e.g., form 2342(S)):

Control Activity: DCNO.16
Description: Critical systems, programs, and/or jobs are monitored, and processing errors are corrected to ensure successful completion.

Note: Consider if the entity is using the application for scheduling relevant jobs when making a determination as to whether this control is applicable. Furthermore, this control is not typically tested for lower risk environments (such as when there are a small number of financial related jobs, and the relevant interfaces are already addressed by direct controls).

Evaluation of Design Procedures / Evaluation of Design Testing Results

Inquire with management to understand how critical systems, programs, and/or jobs are monitored, and processing errors are corrected to ensure successful completion. Specifically, consider obtaining an understanding of the following attributes, as appropriate:
• Policies, standards, and guidance for job scheduling and monitoring;
• Restart and resolution procedures for failed jobs (including expectations for timeliness of resolution);
• The specific evidence retained to demonstrate resolution for failed jobs;
• Job scheduling and monitoring tools that are used;
• Frequency of review and criteria defined for investigation.

Inspect evidence to corroborate the design of the control, such as evidence of resolution of a recent job failure.

Evidence to Corroborate Design:

Design Factor 1: Appropriateness of the Purpose of the Control and its Correlation to the Risk - Document considerations of the appropriateness of the purpose of the control and correlation to the IT risk identified.
Design Factor 2: Competence and Authority of the Person(s) Performing the Control - Control Owner(s) - Document considerations of the appropriateness of authority and competence of the process owner(s) to perform the control, including consideration of segregation of duties (as applicable). Testing results: Refer to the Summary worksheet for the evaluation of the competence and authority for individuals or groups performing the control.
Design Factor 3: Frequency and Consistency with Which the Control is Performed - Frequency of Control Operation
Design Factor 4: Level of Aggregation and Predictability - Document considerations of the appropriateness of the levels of aggregation and/or predictability given the risk addressed.
Design Factor 5: Criteria for Investigation and Process for Follow-up - Document considerations of the appropriateness of the criteria used for investigation (i.e., threshold) and the process for follow-up.
Evaluation of Design Conclusion:

RAIT Risk Classification:

Risk Associated with the Control:
Basis for the conclusion on the risk associated with the control:
Test Approach:

Dependency on Other Control(s) or Information - Is the control dependent upon other controls or information? Include a description of the IUC and identify the controls that address the accuracy and completeness of the IUC, where the IUC is tested and the conclusions reached as a result of that testing. Consider source data, parameters and report logic.

Information used as Audit Evidence - Is the information used as audit evidence to test the control? Include a description of the IPE and details regarding how it was generated (i.e., who provided the IPE and the date it was generated). Describe procedures performed to address completeness and accuracy. Consider source data, parameters and report logic.

Recommended Tools to obtain data:
Tools used to obtain data:

Interim Operating Effectiveness Testing (This includes a test of implementation)

Identify the Population & Time Period of Coverage:
Number & Description of Selections (Sample Size based on RAIT and RAWC):

Test Procedure Number / Operating Effectiveness Test Procedure (including Implementation) / Operating Effectiveness Testing Results (including Implementation)
1 Testing may be performed by testing management's monitoring controls over job scheduling or by testing job scheduling results for relevant attributes. Perform one of the following tests:

Obtain a system generated list of job statuses or failures. Based on the risk associated with the control and frequency of changes, make a selection of job statuses or failures and test the following attributes:

Job Monitoring - Option 1: (This option applies when we make a sample of days and test the job status for those days)
• Job ran successfully without errors;
• In case of error, an alert was generated, appropriate personnel notified, and corrective action taken to resolve the error.

Job Monitoring - Option 2: (This option applies when we make a sample of tickets/cases from a population of job errors/abends)
• Corrective action was taken to resolve the error in a timely manner.

Job Monitoring - Automated Control: (This test attribute may or may not be applicable, depending upon the client's technologies. It will likely need to be combined with another test attribute that pertains to resolution of the error.)
• The system automatically creates a ticket and alerts management when a job fails/abends.

OR

Based on the frequency and risk of management's job monitoring reviews, select a sample of reviews and obtain evidence to test for the following attributes:
• The job monitoring information used in performance of the control was complete and accurate;
• The review was performed per the frequency required by management;
• The individuals performing the job monitoring control were appropriate based on their defined roles within the organization;
• The review was performed completely and evidence existed that demonstrated appropriate follow-up actions were taken.

Interim Operating Effectiveness Conclusion:

Roll-Forward (RF) Testing
RF Testing Approach:
Test Procedure Number / Roll-Forward Test Procedure / Roll-Forward Testing Results
RF Test Procedure 1 Inquire with the process owners and/or control owners on the following:
- The status of deficiencies identified at interim, including new or modified controls to respond to the deficiencies
- Significant changes to control performers, existing processes, or IT systems supporting the control.

RF Test Procedure 2
RF IPE Procedures Identify and describe test procedures performed over IPE at RF.
RF Mitigating Procedures If applicable, perform mitigating procedures for any deviations/deficiencies identified during RF testing or for open interim deficiencies.
Final Operating Effectiveness Conclusion:

Evaluation of Deficiencies
Deficiencies noted:
Deficiency Description (if applicable):
Reference to evaluation of deficiencies over internal control (e.g., form 2342(S)):

Control Activity: DCNO.17
Description: Financial data is backed up on a regular basis according to an established schedule and frequency.

Note: When multiple applications are relevant to the audit, practitioners may apply a risk based approach to testing this control with consideration of the related data within each application. For example, it may be appropriate to focus procedures on applications containing the general ledger, assuming that relevant data from other source systems is transferred on a daily basis. Furthermore, this control is not typically tested for lower risk applications.

Evaluation of Design Procedures / Evaluation of Design Testing Results


Inquire with management to understand the mechanisms utilized to backup financial data on a regular basis. Specifically, consider obtaining an understanding of
the following attributes, as appropriate:
• The group or individuals responsible for scheduling backups and defining backup requirements;
• What financial data and/or information is backed up;
• The schedule and frequency in which the backups are performed;
• The tools used to perform backups;
• Where backup media is stored and how it is secured;
• The corrective actions taken when there is a backup failure, including what evidence is retained to demonstrate the resolution of the failure.
Inspect evidence to corroborate the design of the control, such as evidence that the system is configured to back up on a regular basis.

Evidence used to corroborate the design of the control


Design Factor 1: Appropriateness of the Document considerations of the appropriateness of the purpose of the control and correlation to the IT risk
Purpose of the Control and its Correlation to the identified.
Risk
Design Factor 2: Competence and Authority of Control Owner(s) - Document considerations of the appropriateness of authority and competence of the process Refer to the Summary worksheet for the evaluation of the competence and authority for individuals or groups
the Person(s) Performing the Control owner(s) to perform the control, including consideration of segregation of duties (as applicable) performing the control.

Design Factor 3: Frequency and Consistency Frequency of Control Operation


with Which the Control is Performed

Design Factor 4: Level of Aggregation and Document considerations of the appropriateness of the levels of aggregation and/or predictability given the risk
Predictability addressed
Design Factor 5: Criteria for Investigation and Document considerations of the appropriateness of the criteria used for investigation (i.e., threshold) and the
Process for Follow-up process for follow-up
Evaluation of Design Conclusion

RAIT Risk Classification: 0
Risk Associated with the Control:
Basis for the conclusion on the risk associated with the control:
Test Approach:

Dependency on Other Control(s) or Information
Is the control dependent upon other controls or information?
Include a description of the IUC and identify the controls that address the accuracy and completeness of the IUC, where the IUC is tested and the conclusions reached as a result of that testing. Consider source data, parameters and report logic.

DCNO.17 Page 22 of 55
Information used as Audit Evidence
Is the information used as audit evidence to test the control?
Include a description of the IPE and details regarding how it was generated (i.e., who provided the IPE and the date it was generated). Describe procedures performed to address completeness and accuracy. Consider source data, parameters and report logic.

Recommended Tools to obtain data: N/A
Tools used to obtain data:

Interim Operating Effectiveness Testing (This includes a test of implementation)
Identify the Population & Time Period of Coverage:
Number & Description of Selections (Sample Size based on RAIT and RAWC):

Test Procedure Number / Operating Effectiveness Test Procedure (Including implementation) / Operating Effectiveness Testing Results (including Implementation)
1. Obtain evidence of the automated backup schedule for each relevant database or location containing relevant financial data. Inspect the configuration to test that backups of financial data are scheduled to occur according to policy. Consider the completeness of the list of databases and locations against the applications identified in the IT risk assessment, so that a financial data store with no scheduled job at all is identified as an exception rather than falling outside the test. A configured schedule alone does not evidence that backups are restorable; where the risk assessment warrants, also inspect evidence of a completed restore test.
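The following is an added example of how the schedule evidence in test procedure 1 can be checked mechanically; it is not part of the workpaper. It assumes the backup server exports a crontab-style schedule in which each job is identified by a constructed "--job" argument, and that policy is expressed as a maximum number of hours between backups per dataset; both the schedule and the policy below are constructed sample data. The cron interpreter handles the common field forms (*, */n, a, a-b, a,b) by simulating a 400-day window, which also surfaces a dataset that has no job scheduled at all.

```python
"""Check a cron-style backup schedule against a backup-frequency policy
(DCNO.17 test procedure 1). Added example; not from the workpaper.

Assumptions (constructed): the schedule export format, the '--job <name>'
naming convention, and the policy intervals in POLICY.
"""
from datetime import date, timedelta

# Constructed crontab export from the backup server.
SCHEDULE = """\
# m   h  dom mon dow  command
0     2  *   *   *    /opt/backup/run.sh --job gl_db_full
30    3  *   *   0,3  /opt/backup/run.sh --job ap_db_full
0     1  1   *   *    /opt/backup/run.sh --job ar_archive
*/15  *  *   *   *    /opt/backup/run.sh --job gl_db_log
"""

# Constructed policy: dataset -> maximum allowed hours between backups.
POLICY = {
    "gl_db_full": 24,       # general ledger: daily
    "ap_db_full": 24,       # accounts payable: daily
    "ar_archive": 24,       # accounts receivable: daily
    "fa_db_full": 24 * 7,   # fixed assets: weekly, but no job exists for it
}


def _expand(field, lo, hi):
    """Expand one cron field into the sorted list of values it matches."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/")
            step = int(step)
        if part == "*":
            rng = range(lo, hi + 1)
        elif "-" in part:
            a, b = part.split("-")
            rng = range(int(a), int(b) + 1)
        else:
            rng = range(int(part), int(part) + 1)
        values.update(v for v in rng if (v - rng.start) % step == 0)
    return sorted(values)


def run_instants(spec, start=date(2017, 1, 1), days=400):
    """Minutes since `start` at which the 5-field cron spec fires, over `days` days."""
    minute, hour, dom, mon, dow = spec.split()[:5]
    minutes, hours = _expand(minute, 0, 59), _expand(hour, 0, 23)
    doms, mons = set(_expand(dom, 1, 31)), set(_expand(mon, 1, 12))
    dows = {d % 7 for d in _expand(dow, 0, 7)}      # cron: 0 and 7 both mean Sunday
    fires = []
    for n in range(days):
        day = start + timedelta(days=n)
        dom_ok, dow_ok = day.day in doms, (day.weekday() + 1) % 7 in dows
        if day.month not in mons:
            continue
        # cron semantics: if both dom and dow are restricted, either one matching is enough
        if dom != "*" and dow != "*":
            if not (dom_ok or dow_ok):
                continue
        elif not (dom_ok and dow_ok):
            continue
        fires.extend(n * 1440 + h * 60 + m for h in hours for m in minutes)
    return fires


def max_gap_hours(spec):
    """Worst-case interval between consecutive runs, in hours (inf if it never repeats)."""
    fires = run_instants(spec)
    if len(fires) < 2:
        return float("inf")
    return max(b - a for a, b in zip(fires, fires[1:])) / 60


def evaluate(schedule_text, policy):
    """Compare each dataset's policy interval with the configured schedule."""
    jobs = {}
    for line in schedule_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        jobs[fields[fields.index("--job") + 1]] = max_gap_hours(" ".join(fields[:5]))
    results = {}
    for dataset, limit in policy.items():
        if dataset not in jobs:
            results[dataset] = "EXCEPTION: no scheduled backup job"
        elif jobs[dataset] > limit:
            results[dataset] = f"EXCEPTION: max interval {jobs[dataset]:g}h exceeds policy {limit}h"
        else:
            results[dataset] = f"OK: max interval {jobs[dataset]:g}h within policy {limit}h"
    return results


if __name__ == "__main__":
    for dataset, result in evaluate(SCHEDULE, POLICY).items():
        print(f"{dataset:12s} {result}")
```

On the constructed schedule, the general ledger job passes, the accounts payable job runs only on Sundays and Wednesdays (a worst-case gap of 96 hours against a 24-hour policy), the receivables archive is monthly, and the fixed-assets dataset has no job at all; the last case is the one a screenshot of a single job's settings would never reveal.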
Interim Operating Effectiveness Conclusion:

Roll-Forward (RF) Testing
RF Testing Approach:
Test Procedure Number / Roll-Forward Test Procedure / Roll-Forward Testing Results
RF Test Procedure 1: Inquire with the process owners and/or control owners on the following:
- The status of deficiencies identified at interim, including new or modified controls to respond to the deficiencies;
- Significant changes to control performers, existing processes, or IT systems supporting the control.
RF Test Procedure 2:
RF IPE Procedures: Identify and describe test procedures performed over IPE at RF.
RF Mitigating Procedures: If applicable, perform mitigating procedures for any deviations/deficiencies identified during RF testing or for open interim deficiencies.
Final Operating Effectiveness Conclusion:

Evaluation of Deficiencies
Deficiencies noted:
Deficiency Description (if applicable):
Reference to evaluation of deficiencies over internal control (e.g., form 2342(S)):

Control Activity DCNO.18
Description: Backup processes are monitored for successful execution, and failures are escalated and corrected to ensure data is usable and available for retrieval and restoration if needed.

Note: Teams may choose to test the preventive configured control over the job schedule (DCNO.17) instead of this detective control. Additionally, if backup monitoring is performed in a common process with job scheduling, teams may choose to test backup monitoring together with job monitoring as a common control. Backup controls are not typically tested for lower risk applications.
Evaluation of Design Procedures
Inquire with management to understand the manner in which backups are monitored. Specifically, consider obtaining an understanding of the following attributes, as appropriate:
• How backups are monitored for successful execution and the method by which failures are escalated for corrective action;
• How a successful job is defined (e.g., whether a job that completes with warnings or backs up only part of the expected data is treated as a failure);
• What group is responsible for scheduling and monitoring backup jobs;
• How often management reviews backups and exceptions;
• What criteria are used to trigger further investigation, and what documentation exists to evidence follow-up on backup jobs that meet those criteria;
• Dependency on other controls for appropriate management monitoring of backup jobs.
Inspect evidence to corroborate the design of the control, such as evidence of a recently completed backup.

Evidence used to corroborate the design of the control:

Evaluation of Design Testing Results:

Design Factor 1: Appropriateness of the Purpose of the Control and its Correlation to the Risk
Document considerations of the appropriateness of the purpose of the control and its correlation to the IT risk identified.
Design Factor 2: Competence and Authority of the Person(s) Performing the Control
Control Owner(s): Document considerations of the appropriateness of the authority and competence of the process owner(s) to perform the control, including consideration of segregation of duties (as applicable).
Refer to the Summary worksheet for the evaluation of the competence and authority of the individuals or groups performing the control.
Design Factor 3: Frequency and Consistency with Which the Control is Performed
Frequency of Control Operation:
Design Factor 4: Level of Aggregation and Predictability
Document considerations of the appropriateness of the levels of aggregation and/or predictability given the risk addressed.
Design Factor 5: Criteria for Investigation and Process for Follow-up
Document considerations of the appropriateness of the criteria used for investigation (i.e., threshold) and the process for follow-up.
Evaluation of Design Conclusion

RAIT Risk Classification: 0
Risk Associated with the Control:
Basis for the conclusion on the risk associated with the control:
Test Approach:

Dependency on Other Control(s) or Information
Is the control dependent upon other controls or information?
Include a description of the IUC and identify the controls that address the accuracy and completeness of the IUC, where the IUC is tested and the conclusions reached as a result of that testing. Consider source data, parameters and report logic.

Information used as Audit Evidence
Is the information used as audit evidence to test the control?
Include a description of the IPE and details regarding how it was generated (i.e., who provided the IPE and the date it was generated). Describe procedures performed to address completeness and accuracy. Consider source data, parameters and report logic.

Recommended Tools to obtain data: N/A
Tools used to obtain data:

Interim Operating Effectiveness Testing (This includes a test of implementation)
Identify the Population & Time Period of Coverage:
Number & Description of Selections (Sample Size based on RAIT and RAWC):

Test Procedure Number / Operating Effectiveness Test Procedure (Including implementation) / Operating Effectiveness Testing Results (including Implementation)
1. Select a sample of management's backup monitoring reviews and obtain evidence to test the following attributes:

Backup Monitoring, Option 1 (applies when a sample of days is selected and the backup status is tested for those days):
• The backup ran successfully without errors;
• In case of error, an alert was generated, appropriate personnel were notified, and corrective action was taken to resolve the error.

Backup Monitoring, Option 2 (applies when a sample of tickets/cases is selected from the population of backup errors/abends):
• Corrective action was taken to resolve the error. Under this option, also consider the completeness of the ticket population against the backup tool's own job history, since a failure that never generated a ticket would otherwise fall outside the sample.

Backup Monitoring, Automated Control (this test attribute may or may not be applicable, depending upon the client's technologies, and will likely need to be combined with another test attribute that addresses resolution of the error):
• The system automatically creates a ticket and alerts management when a backup job fails/abends.

Interim Operating Effectiveness Conclusion:

Roll-Forward (RF) Testing
RF Testing Approach:
Test Procedure Number / Roll-Forward Test Procedure / Roll-Forward Testing Results
RF Test Procedure 1: Inquire with the process owners and/or control owners on the following:
- The status of deficiencies identified at interim, including new or modified controls to respond to the deficiencies;
- Significant changes to control performers, existing processes, or IT systems supporting the control.
RF Test Procedure 2:
RF IPE Procedures: Identify and describe test procedures performed over IPE at RF.
RF Mitigating Procedures: If applicable, perform mitigating procedures for any deviations/deficiencies identified during RF testing or for open interim deficiencies.
Final Operating Effectiveness Conclusion:

Evaluation of Deficiencies
Deficiencies noted:
Deficiency Description (if applicable):
Reference to evaluation of deficiencies over internal control (e.g., form 2342(S)):

Control Activity DCNO.19
Description: Physical security mechanisms are in place to appropriately restrict access to data centers and computer rooms to personnel who require access to perform their assigned duties.

Note: Consider the IT risk assessment for your engagement to determine the applicability of this control. In many IT environments, the related risk arising from IT is remote and would not require the identification and testing of physical security controls.

Evaluation of Design Procedures
Inquire with management to understand the controls related to physical access to the data center / computer room. Specifically, consider obtaining an understanding of the following attributes, as appropriate:
• Policies, procedures, standards, and guidance for access security to the data center / computer room;
• Security mechanisms employed to physically restrict access to the data center / computer room (e.g., keys, badge access, biometric scanning);
• How access is provisioned and removed (who approves adding a person to the data center access list and how terminations and role changes are processed), since a physical mechanism only restricts access to the extent the list of authorized holders is controlled.

Inspect evidence to corroborate the design of the control, such as evidence that the data center / computer room is restricted to appropriate personnel.

Evidence used to corroborate the design of the control:

Evaluation of Design Testing Results:

Design Factor 1: Appropriateness of the Purpose of the Control and its Correlation to the Risk
Document considerations of the appropriateness of the purpose of the control and its correlation to the IT risk identified.
Design Factor 2: Competence and Authority of the Person(s) Performing the Control
Control Owner(s): Document considerations of the appropriateness of the authority and competence of the process owner(s) to perform the control, including consideration of segregation of duties (as applicable).
Refer to the Summary worksheet for the evaluation of the competence and authority of the individuals or groups performing the control.
Design Factor 3: Frequency and Consistency with Which the Control is Performed
Frequency of Control Operation:
Design Factor 4: Level of Aggregation and Predictability
Document considerations of the appropriateness of the levels of aggregation and/or predictability given the risk addressed.
Design Factor 5: Criteria for Investigation and Process for Follow-up
Document considerations of the appropriateness of the criteria used for investigation (i.e., threshold) and the process for follow-up.
Evaluation of Design Conclusion

RAIT Risk Classification: 0
Risk Associated with the Control:
Basis for the conclusion on the risk associated with the control:
Test Approach:

Dependency on Other Control(s) or Information
Is the control dependent upon other controls or information?
Include a description of the IUC and identify the controls that address the accuracy and completeness of the IUC, where the IUC is tested and the conclusions reached as a result of that testing. Consider source data, parameters and report logic.

Information used as Audit Evidence
Is the information used as audit evidence to test the control?
Include a description of the IPE and details regarding how it was generated (i.e., who provided the IPE and the date it was generated). Describe procedures performed to address completeness and accuracy. Consider source data, parameters and report logic.

Recommended Tools to obtain data: N/A
Tools used to obtain data:

Interim Operating Effectiveness Testing (This includes a test of implementation)
Identify the Population & Time Period of Coverage:
Number & Description of Selections (Sample Size based on RAIT and RAWC):

Test Procedure Number / Operating Effectiveness Test Procedure (Including implementation) / Operating Effectiveness Testing Results (including Implementation)
1. Perform a physical walkthrough of the data center to observe the physical security mechanisms that are in place to restrict access to the data center / computer room. During the walkthrough, evaluate whether a physical security device is in place and operating to restrict access to the data center (e.g., badge reader, PIN pad, biometric scanner). Also note whether any other entry point (e.g., a loading door, emergency exit or unsecured raised-floor or ceiling space shared with an adjacent room) would allow the mechanism at the main entrance to be bypassed, and whether the device logs the identity of each person admitted, since that log is the population for the access review in DCNO.20.

Interim Operating Effectiveness Conclusion:

Roll-Forward (RF) Testing
RF Testing Approach:
Test Procedure Number / Roll-Forward Test Procedure / Roll-Forward Testing Results
RF Test Procedure 1: Inquire with the process owners and/or control owners on the following:
- The status of deficiencies identified at interim, including new or modified controls to respond to the deficiencies;
- Significant changes to control performers, existing processes, or IT systems supporting the control.
RF Test Procedure 2:
RF IPE Procedures: Identify and describe test procedures performed over IPE at RF.
RF Mitigating Procedures: If applicable, perform mitigating procedures for any deviations/deficiencies identified during RF testing or for open interim deficiencies.
Final Operating Effectiveness Conclusion:

Evaluation of Deficiencies
Deficiencies noted:
Deficiency Description (if applicable):
Reference to evaluation of deficiencies over internal control (e.g., form 2342(S)):

Control Activity DCNO.20
Description: Physical access to the data center is reviewed by management on a periodic basis to ascertain that access is granted only to authorized and appropriate individuals.

Note: Consider the IT risk assessment for your engagement to determine the applicability of this control. In many IT environments, the related risk arising from IT is remote and would not require the identification and testing of physical security controls.

Evaluation of Design Procedures
Inquire with management to understand the control related to management's review of access to the data center / computer room. Specifically, consider obtaining an understanding of the following attributes, as appropriate:
• Policies, procedures, standards, and guidance for access security to the data center / computer room;
• People or groups that should have access to the data center / computer room;
• Individuals responsible for reviewing access to the data center / computer room;
• Frequency of the access review;
• Scope of the review (e.g., employees, vendors, contractors, guests and generic/system accounts), and whether the list reviewed is generated directly from the physical access control system rather than maintained by hand;
• Level of detail in the access review;
• Criteria defined for investigation (i.e., what triggers the need for investigation and follow-up) and documentation expectations to evidence management actions;
• Timeliness of the completion of the corrective actions requested in the review.
Inspect evidence to corroborate the design of the control, such as evidence of a recent data center access review.

Evidence used to corroborate the design of the control:

Evaluation of Design Testing Results:

Design Factor 1: Appropriateness of the Purpose of the Control and its Correlation to the Risk
Document considerations of the appropriateness of the purpose of the control and its correlation to the IT risk identified.
Design Factor 2: Competence and Authority of the Person(s) Performing the Control
Control Owner(s): Document considerations of the appropriateness of the authority and competence of the process owner(s) to perform the control, including consideration of segregation of duties (as applicable).
Refer to the Summary worksheet for the evaluation of the competence and authority of the individuals or groups performing the control.
Design Factor 3: Frequency and Consistency with Which the Control is Performed
Frequency of Control Operation:
Design Factor 4: Level of Aggregation and Predictability
Document considerations of the appropriateness of the levels of aggregation and/or predictability given the risk addressed.
Design Factor 5: Criteria for Investigation and Process for Follow-up
Document considerations of the appropriateness of the criteria used for investigation (i.e., threshold) and the process for follow-up.
Evaluation of Design Conclusion

RAIT Risk Classification: 0
Risk Associated with the Control:
Basis for the conclusion on the risk associated with the control:
Test Approach:

Dependency on Other Control(s) or Information
Is the control dependent upon other controls or information?
Include a description of the IUC and identify the controls that address the accuracy and completeness of the IUC, where the IUC is tested and the conclusions reached as a result of that testing. Consider source data, parameters and report logic.

Information used as Audit Evidence
Is the information used as audit evidence to test the control?
Include a description of the IPE and details regarding how it was generated (i.e., who provided the IPE and the date it was generated). Describe procedures performed to address completeness and accuracy. Consider source data, parameters and report logic.

Recommended Tools to obtain data: N/A
Tools used to obtain data:

Interim Operating Effectiveness Testing (This includes a test of implementation)
Identify the Population & Time Period of Coverage:
Number & Description of Selections (Sample Size based on RAIT and RAWC):

Test Procedure Number / Operating Effectiveness Test Procedure (Including implementation) / Operating Effectiveness Testing Results (including Implementation)
1. Make a selection of the documentation reviewed by management and test the following attributes:
• The data center access review included a complete and accurate population of users (compare the population reviewed with a list generated directly from the physical access control system, including vendor, contractor and temporary badges);
• The review was properly documented and performed at the appropriate level of detail;
• The review was performed by appropriate management personnel;
• Data center access was appropriately modified in a timely manner for users flagged as exceptions during the review.

OR

2. Obtain a list of users that have access to the data center. For each user identified, test the following attributes:
• Access privileges are authorized and appropriate for the user's assigned duties based on inquiries with management (indicate the individual validating access);
• Access privileges are authorized and appropriate for the user's assigned duties based on inspection of their job function in the Information Systems organizational chart (include reference).
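The following is an added example, not part of the workpaper, of the reconciliation behind test procedures 1 and 2: every badge holder in a physical access control export is checked against the HR roster (active status and a job function that requires access) and against the population management actually reviewed. The badge export, the roster, the set of authorized job functions and the review population are all constructed sample data; a real engagement would substitute the client's exports and its own list of roles whose duties require data center access.

```python
"""Reconcile a data center badge-access export against the HR roster and
the management access review (DCNO.20). Added example; not from the workpaper.

Assumptions (constructed): the badge export, HR roster, AUTHORIZED_ROLES
and REVIEWED_USERS below.
"""

# Constructed export from the physical access control system (zone DC-01).
BADGE_ACCESS = [
    {"badge": "B100", "user": "alice", "zone": "DC-01"},
    {"badge": "B101", "user": "bob", "zone": "DC-01"},
    {"badge": "B102", "user": "carol", "zone": "DC-01"},
    {"badge": "B103", "user": "vendor-hvac", "zone": "DC-01"},
    {"badge": "B104", "user": "dave", "zone": "DC-01"},
]

# Constructed HR roster: employment status and job function.
HR_ROSTER = {
    "alice": {"status": "active", "role": "Data Center Operations"},
    "bob": {"status": "terminated", "role": "Data Center Operations", "term_date": "2017-02-10"},
    "carol": {"status": "active", "role": "Accounts Payable Clerk"},
    "dave": {"status": "active", "role": "Network Engineering"},
}

# Constructed assumption: job functions whose assigned duties require data center access.
AUTHORIZED_ROLES = {"Data Center Operations", "Network Engineering", "Facilities"}

# Constructed: users listed on the most recent management review of DC-01 access.
REVIEWED_USERS = {"alice", "bob", "dave", "vendor-hvac"}


def review_access(badge_access, hr_roster, authorized_roles, reviewed_users, zone="DC-01"):
    """Return {user: [findings]} for every badge holder with access to the zone.

    An empty finding list means the access is supported by an active,
    authorized role and the user was within the population management reviewed.
    """
    findings = {}
    for entry in badge_access:
        if entry["zone"] != zone:
            continue
        user = entry["user"]
        issues = []
        person = hr_roster.get(user)
        if person is None:
            # Vendor, contractor or generic badge: not an HR employee, so the
            # reviewer must evidence a sponsor and business need separately.
            issues.append("not on HR roster; confirm sponsor and business need")
        else:
            if person["status"] != "active":
                issues.append(f"{person['status']} user retains access "
                              f"(term_date {person.get('term_date', 'n/a')})")
            if person["role"] not in authorized_roles:
                issues.append(f"role '{person['role']}' does not require access")
        if user not in reviewed_users:
            # Completeness attribute: the review population omitted this badge holder.
            issues.append("not included in management's review population")
        findings[user] = issues
    return findings


def exceptions(findings):
    """Users with at least one finding, for the testing-results column."""
    return sorted(u for u, issues in findings.items() if issues)


if __name__ == "__main__":
    result = review_access(BADGE_ACCESS, HR_ROSTER, AUTHORIZED_ROLES, REVIEWED_USERS)
    for user, issues in result.items():
        print(f"{user:12s} {'; '.join(issues) or 'OK'}")
```

On the constructed data the terminated employee who still holds a badge and the clerk whose role does not require access are both exceptions, and the clerk was also missing from the list management reviewed, which is the completeness failure that attribute 1 of test procedure 1 is designed to catch.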

Interim Operating Effectiveness Conclusion:

Roll-Forward (RF) Testing
RF Testing Approach:
Test Procedure Number / Roll-Forward Test Procedure / Roll-Forward Testing Results
RF Test Procedure 1: Inquire with the process owners and/or control owners on the following:
- The status of deficiencies identified at interim, including new or modified controls to respond to the deficiencies;
- Significant changes to control performers, existing processes, or IT systems supporting the control.
RF Test Procedure 2:
RF IPE Procedures: Identify and describe test procedures performed over IPE at RF.
RF Mitigating Procedures: If applicable, perform mitigating procedures for any deviations/deficiencies identified during RF testing or for open interim deficiencies.
Final Operating Effectiveness Conclusion:

Evaluation of Deficiencies
Deficiencies noted:
Deficiency Description (if applicable):
Reference to evaluation of deficiencies over internal control (e.g., form 2342(S)):

Control Activity DCNO.21
Description: Network is architected to segment web-facing applications from the internal network, where ICFR relevant applications are accessed.

Note: This control is not typically tested for lower risk environments where there are no web-facing (or external-facing) applications used to perform transactions with external parties through a public network.

Evaluation of Design Procedures
Inquire with management to understand how the network is segmented. Specifically, obtain an understanding of the following:
• The architecture of the network and whether any web-facing applications relevant to ICFR are present;
• How internal and external networks are segmented;
• The logical location on the network of the key firewalls that segment traffic;
• How web-facing applications are restricted from accessing the internal network, so that in-bound internet traffic is limited to the segment that needs it.

Inspect evidence to corroborate the design of the control, such as a system diagram for the network and sample configurations showing that the firewalls are configured to segment network traffic. Compare the diagram with the firewall configurations rather than relying on either alone: the diagram shows the intended architecture, while the rule set shows what traffic is actually permitted.

Evidence used to corroborate the design of the control:

Evaluation of Design Testing Results:

Design Factor 1: Appropriateness of the Purpose of the Control and its Correlation to the Risk
Document considerations of the appropriateness of the purpose of the control and its correlation to the IT risk identified.
Design Factor 2: Competence and Authority of the Person(s) Performing the Control
Control Owner(s): Document considerations of the appropriateness of the authority and competence of the process owner(s) to perform the control, including consideration of segregation of duties (as applicable).
Refer to the Summary worksheet for the evaluation of the competence and authority of the individuals or groups performing the control.
Design Factor 3: Frequency and Consistency with Which the Control is Performed
Frequency of Control Operation:
Design Factor 4: Level of Aggregation and Predictability
Document considerations of the appropriateness of the levels of aggregation and/or predictability given the risk addressed.
Design Factor 5: Criteria for Investigation and Process for Follow-up
Document considerations of the appropriateness of the criteria used for investigation (i.e., threshold) and the process for follow-up.
Evaluation of Design Conclusion:

RAIT Risk Classification:
Risk Associated with the Control:
Basis for the conclusion on the risk associated with the control:
Test Approach:

Dependency on Other Control(s) or Information
Is the control dependent upon other controls or information?
Include a description of the IUC and identify the controls that address the accuracy and completeness of the IUC, where the IUC is tested and the conclusions reached as a result of that testing. Consider source data, parameters and report logic.

Information used as Audit Evidence
Is the information used as audit evidence to test the control?
Include a description of the IPE and details regarding how it was generated (i.e., who provided the IPE and the date it was generated). Describe procedures performed to address completeness and accuracy. Consider source data, parameters and report logic.

Recommended Tools to obtain data: N/A
Tools used to obtain data:

Interim Operating Effectiveness Testing (This includes a test of implementation)
Identify the Population & Time Period of Coverage:
Number & Description of Selections (Sample Size based on RAIT and RAWC):

Test Procedure Number / Operating Effectiveness Test Procedure (Including implementation) / Operating Effectiveness Testing Results (including Implementation)
1. Interview management and inspect documents to identify whether the internal network is separated and protected from public and semi-public zones by segmentation mechanisms that include firewalls, routers and switches.

Identify whether traffic for the selected devices is filtered on a least-privilege basis. For a sample of network firewall devices, obtain evidence of the firewall configurations to determine whether appropriate rules are in place to prevent unauthorized traffic from entering the internal network from the Internet.

For a selection of rules, perform testing to identify the following:
• The rule is configured to an appropriate value for system functionality based on inquiries with management (indicate the individual validating the rule);
• The rule follows a least-privilege principle (i.e., it names the specific devices or groups of devices to which traffic is allowed to pass in or out, and only over specific ports / protocols).

Additionally, inspect the complete rule set to identify whether any rule allowing any traffic over any port in or out of the firewall is present. Such a rule negates the segmentation for every rule that follows it and should be treated as an exception unless management can justify it.

Note: In many environments the last rule in the configuration will be a default deny for any traffic on any port that does not match a rule defined within the configuration. Because rules are evaluated in order, confirm not only that the default deny exists but also that no broad allow rule earlier in the list prevents it from ever being reached.
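The following is an added example, not part of the workpaper, of the rule-set inspection described in the test procedure. It uses a constructed, simplified rule format (one rule per line: sequence, action, source, destination, protocol, destination port), which is an assumption made for the example; a real firewall exports in its own syntax and needs its own parser. The analysis flags "allow any/any" rules, allow rules that do not name a specific destination, protocol and port, whether the last rule is a default deny, and, because rules are evaluated top-down with the first match winning, whether an earlier catch-all rule makes that default deny unreachable. A first-match evaluator then shows the practical effect on one constructed flow.

```python
"""Review a firewall rule set for the DCNO.21 attributes: least-privilege rules,
absence of an 'allow any/any' rule, and an effective default deny.
Added example; not from the workpaper.

Assumptions (constructed): the rule line format and the sample RULESET.
"""
import ipaddress

# Constructed rule export. Rules are evaluated top-down, first match wins.
RULESET = """\
# seq action src              dst              proto dport
10   allow  any              203.0.113.20/32  tcp   443    # Internet -> web tier (DMZ)
20   allow  203.0.113.0/24   10.20.5.10/32    tcp   1521   # web tier -> ERP database
30   allow  203.0.113.0/24   10.20.0.0/16     any   any    # web tier -> entire internal net
40   allow  any              any              any   any    # 'temporary' troubleshooting rule
50   deny   any              any              any   any    # default deny
"""


def is_any(field):
    return field.lower() in ("any", "*", "0.0.0.0/0")


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        seq, action, src, dst, proto, dport = line.split()
        rules.append({"seq": int(seq), "action": action.lower(), "src": src,
                      "dst": dst, "proto": proto.lower(), "dport": dport})
    return rules


def _net_match(field, ip):
    return is_any(field) or ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)


def decide(rules, src_ip, dst_ip, proto, dport):
    """First-match evaluation of one flow; returns (action, seq) or ('implicit', None)."""
    for r in rules:
        if (_net_match(r["src"], src_ip) and _net_match(r["dst"], dst_ip)
                and (is_any(r["proto"]) or r["proto"] == proto)
                and (is_any(r["dport"]) or int(r["dport"]) == dport)):
            return r["action"], r["seq"]
    return "implicit", None


def analyze(text):
    rules = parse_rules(text)
    catch_all = lambda r: all(is_any(r[k]) for k in ("src", "dst", "proto", "dport"))
    any_any_allow = [r["seq"] for r in rules if r["action"] == "allow" and catch_all(r)]
    # Least privilege: an allow rule should name a specific destination, protocol and port.
    broad_allow = [r["seq"] for r in rules if r["action"] == "allow"
                   and (is_any(r["dst"]) or is_any(r["proto"]) or is_any(r["dport"]))]
    default_deny_last = bool(rules) and rules[-1]["action"] == "deny" and catch_all(rules[-1])
    # First-match ordering: the first catch-all rule is the real default,
    # whatever the last line says.
    effective_default = next((r["action"] for r in rules if catch_all(r)), "implicit")
    # Every rule after the first catch-all can never be reached.
    first_catch_all = next((i for i, r in enumerate(rules) if catch_all(r)), len(rules))
    shadowed = [r["seq"] for r in rules[first_catch_all + 1:]]
    return {"any_any_allow": any_any_allow, "broad_allow": broad_allow,
            "default_deny_last": default_deny_last,
            "effective_default": effective_default, "shadowed": shadowed}


if __name__ == "__main__":
    rules = parse_rules(RULESET)
    print(analyze(RULESET))
    # An Internet host reaching the ERP database directly on 1521 is allowed by rule 40.
    print(decide(rules, "198.51.100.7", "10.20.5.10", "tcp", 1521))
    # With rule 40 removed, the same flow falls through to the default deny.
    print(decide([r for r in rules if r["seq"] != 40], "198.51.100.7", "10.20.5.10", "tcp", 1521))
```

On the constructed rule set the default deny is present as the last line, yet the effective default is "allow" because rule 40 matches everything first; a reviewer who only checks that the last rule is a deny would pass a firewall that segments nothing.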

Interim Operating Effectiveness Conclusion:

Roll-Forward (RF) Testing
RF Testing Approach:
Test Procedure Number / Roll-Forward Test Procedure / Roll-Forward Testing Results
RF Test Procedure 1: Inquire with the process owners and/or control owners on the following:
- The status of deficiencies identified at interim, including new or modified controls to respond to the deficiencies;
- Significant changes to control performers, existing processes, or IT systems supporting the control.
RF Test Procedure 2:
RF IPE Procedures: Identify and describe test procedures performed over IPE at RF.
RF Mitigating Procedures: If applicable, perform mitigating procedures for any deviations/deficiencies identified during RF testing or for open interim deficiencies.
Final Operating Effectiveness Conclusion:

Evaluation of Deficiencies
Deficiencies noted:
Deficiency Description (if applicable):
Reference to evaluation of deficiencies over internal control (e.g., form 2342(S)):

Control Activity DCNO.22
Description: On a periodic basis, vulnerability scans of the network perimeter are performed by the network management team, who also investigate potential vulnerabilities.

Note: This control is not typically tested for lower risk environments where there are no web-facing (or external-facing) applications used to perform transactions with external parties through a public network.

Evaluation of Design Procedures
Inquire with management to understand the controls related to vulnerability scanning. Specifically, consider obtaining an understanding of the following attributes, as appropriate:
• Policies/procedures related to vulnerability scanning, including the personnel responsible and the frequency of the scanning process;
• The scope of devices and network segments included within the scanning, and how that scope is kept complete as perimeter devices are added or changed;
• The process for investigating potential vulnerabilities and the method by which follow-up and resolution are documented;
• Risk ranking of vulnerabilities (such as low, medium and high), the method by which each ranking is investigated, and the remediation timeframe the policy sets for each ranking.

Inspect evidence to corroborate the design of the control, such as evidence that a recent vulnerability scan of the network perimeter was performed.

Evidence used to corroborate the design of the control:

Evaluation of Design Testing Results:

Design Factor 1: Appropriateness of the Purpose of the Control and its Correlation to the Risk
Document considerations of the appropriateness of the purpose of the control and its correlation to the IT risk identified.
Design Factor 2: Competence and Authority of the Person(s) Performing the Control
Control Owner(s): Document considerations of the appropriateness of the authority and competence of the process owner(s) to perform the control, including consideration of segregation of duties (as applicable).
Refer to the Summary worksheet for the evaluation of the competence and authority of the individuals or groups performing the control.
Design Factor 3: Frequency and Consistency with Which the Control is Performed
Frequency of Control Operation:
Design Factor 4: Level of Aggregation and Predictability
Document considerations of the appropriateness of the levels of aggregation and/or predictability given the risk addressed.
Design Factor 5: Criteria for Investigation and Process for Follow-up
Document considerations of the appropriateness of the criteria used for investigation (i.e., threshold) and the process for follow-up.
Evaluation of Design Conclusion:

RAIT Risk Classification:
Risk Associated with the Control:
Basis for the conclusion on the risk associated with the control:
Test Approach:

Dependency on Other Control(s) or Information
Is the control dependent upon other controls or information?
Include a description of the IUC and identify the controls that address the accuracy and completeness of the IUC, where the IUC is tested and the conclusions reached as a result of that testing. Consider source data, parameters and report logic.

Information used as Audit Evidence
Is the information used as audit evidence to test the control?
Include a description of the IPE and details regarding how it was generated (i.e., who provided the IPE and the date it was generated). Describe procedures performed to address completeness and accuracy. Consider source data, parameters and report logic.

Recommended Tools to obtain data: N/A
Tools used to obtain data:

Interim Operating Effectiveness Testing (This includes a test of implementation)
Identify the Population & Time Period of Coverage:
Number & Description of Selections (Sample Size based on RAIT and RAWC):

Test Procedure Number / Operating Effectiveness Test Procedure (Including implementation) / Operating Effectiveness Testing Results (including Implementation)
1. Based on the RAIT, the risk associated with the control, and the frequency of vulnerability scans, make a selection of the vulnerability scans and test the following attributes:
• The vulnerability scan was performed (inspect the scan report itself, including the scan date and the list of targets scanned, and compare the targets with the perimeter devices identified during the evaluation of design, since a scan that silently omits a perimeter host provides no assurance over that host);
• Potential vulnerabilities were investigated and resolved in a timely manner in accordance with policy (compare the date each finding was first reported with the date it was remediated or formally risk-accepted, against the timeframe the policy sets for that risk ranking).

Interim Operating Effectiveness Conclusion

Roll-Forward Test Procedure


Inquire with the process owners and/or control owners on the following:
- The status of deficiencies identified at interim, including new or modified controls to respond to the deficiencies
- Significant changes to control performers, existing processes, or IT systems supporting the control.

Identify and describe test procedures performed over IPE at RF.


If applicable, perform mitigating procedures for any deviations/deficiencies identified during RF testing or for
open interim deficiencies.
Conclusion
Evaluation of Design Testing Results

Refer to the Summary worksheet for the evaluation of the competence and authority for individuals or groups
performing the control.
Operating Effectiveness Testing Results (including Implementation)

Roll-Forward Testing Results


Control Activity

Description

Note: This control is not typically tested for lower risk environments where there are no web facing (or external facing) applications used to perform transactions with external parties through a public network.

Evaluation of Design Procedures


Inquire with management to understand the controls related to intrusion detection systems. Specifically, consider obtaining an understanding of the following attributes, as appropriate:
• Policies/procedures related to alert generation in the intrusion detection systems, including personnel responsible and the frequency of the alerting process;
• The process for investigating threats in a timely manner and documentation of their resolution;
• How the intrusion detection system is kept up to date to identify new and emerging threats;
• The nature of alerts generated by the intrusion detection system and whether any significant or high risk intrusions were detected during the period. Note: It is important to understand which types or categories of alerts warrant investigation vs. those that are routine in nature or false positives within the environment that may not require action.

Inspect evidence to corroborate the design of the control, such as evidence that a recent alert from the intrusion detection system was resolved.
Evidence used to corroborate the design of the control
Design Factor 1: Appropriateness of the Purpose of the Control and its Correlation to the Risk

Design Factor 2: Competence and Authority of the Person(s) Performing the Control

Design Factor 3: Frequency and Consistency with Which the Control is Performed

Design Factor 4: Level of Aggregation and Predictability

Design Factor 5: Criteria for Investigation and Process for Follow-up
Evaluation of Design Conclusion

RAIT Risk Classification


Risk Associated with the Control
Basis for the conclusion on the risk
associated with the control
Test Approach

Dependency on Other Control(s) or Information

Information used as Audit Evidence

Recommended Tools to obtain data


Tools used to obtain data

Interim Operating Effectiveness Testing (This includes a test of implementation)


Identify the Population & Time Period of Coverage
Number & Description of Selections (Sample Size based on RAIT and RAWC)

Test Procedure Number


1

Interim Operating Effectiveness Conclusion

Roll-Forward (RF) Testing
RF Testing Approach
Test Procedure Number
RF Test Procedure 1

RF Test Procedure 2
RF IPE Procedures
RF Mitigating Procedures

Final Operating Effectiveness Conclusion

Evaluation of Deficiencies
Deficiencies noted:
Deficiency Description (if applicable)

Reference to evaluation of deficiencies over internal control (e.g., form 2342(S))
DCNO.23
On a periodic basis, alerts are generated to provide notification of threats identified by the intrusion detection
systems. These threats are investigated by the Network management team.
Document considerations of the appropriateness of the purpose of the control and correlation to the IT risk
identified.

Control Owner(s) - Document considerations of the appropriateness of authority and competence of the process
owner(s) to perform the control, including consideration of segregation of duties (as applicable)

Frequency of Control Operation

Document considerations of the appropriateness of the levels of aggregation and/or predictability given the risk
addressed
Document considerations of the appropriateness of the criteria used for investigation (i.e., threshold) and the
process for follow-up

Is the control dependent upon other controls or information?

Include a description of the IUC and identify the controls that address the accuracy and completeness of the
IUC, where the IUC is tested and the conclusions reached as a result of that testing. Consider source data,
parameters and report logic.

Is the information used as audit evidence to test the control?

Include a description of the IPE and details regarding how it was generated (i.e., who provided the IPE and the
date it was generated). Describe procedures performed to address completeness and accuracy. Consider
source data, parameters and report logic.

N/A

Interim Operating Effectiveness Testing (This includes a test of implementation)


Operating Effectiveness Test Procedure (Including implementation)
Obtain evidence the intrusion detection systems are current and up to date to identify new and/or emerging
threats to the network.
Based on the RAIT, risk associated with the control and frequency of alerts, make a selection of the alerts and
test the following attributes:
• The alert was generated and reviewed by appropriate personnel;
• Threats are investigated and resolved in a timely manner in accordance with policy.

Interim Operating Effectiveness Conclusion

Roll-Forward Test Procedure


Inquire with the process owners and/or control owners on the following:
- The status of deficiencies identified at interim, including new or modified controls to respond to the deficiencies
- Significant changes to control performers, existing processes, or IT systems supporting the control.

Identify and describe test procedures performed over IPE at RF.


If applicable, perform mitigating procedures for any deviations/deficiencies identified during RF testing or for
open interim deficiencies.
Conclusion
Evaluation of Design Testing Results

Refer to the Summary worksheet for the evaluation of the competence and authority for individuals or groups
performing the control.
Operating Effectiveness Testing Results (including Implementation)

Roll-Forward Testing Results


Control Activity

Description

Note: This control is not typically tested for lower risk environments where there are no web facing (or external facing) applications used to perform transactions with external parties through a public network via a VPN.

Evaluation of Design Procedures


Inquire with management to understand the controls related to configuring encryption and two-factor authentication for VPN access. Specifically, consider obtaining an understanding of the following attributes, as appropriate:
• Policies related to VPN configurations, including individuals responsible for configuring the VPN;
• How encryption and two-factor authentication are configured;
• Whether authentication is tied to a single source of authentication for users or whether VPN password authentication is controlled by the VPN server / device.

Inspect evidence to corroborate the design of the control, such as reviewing a user log into the VPN using two-factor authentication or the configuration of the two-factor authentication.

Evidence used to corroborate the design of the control


Design Factor 1: Appropriateness of the Purpose of the Control and its Correlation to the Risk

Design Factor 2: Competence and Authority of the Person(s) Performing the Control

Design Factor 3: Frequency and Consistency with Which the Control is Performed

Design Factor 4: Level of Aggregation and Predictability

Design Factor 5: Criteria for Investigation and Process for Follow-up
Evaluation of Design Conclusion

RAIT Risk Classification


Risk Associated with the Control
Basis for the conclusion on the risk
associated with the control
Test Approach

Dependency on Other Control(s) or Information

Information used as Audit Evidence

Recommended Tools to obtain data


Tools used to obtain data

Interim Operating Effectiveness Testing (This includes a test of implementation)


Identify the Population & Time Period of Coverage
Number & Description of Selections (Sample Size based on RAIT and RAWC)

Test Procedure Number


1

Interim Operating Effectiveness Conclusion

Roll-Forward (RF) Testing
RF Testing Approach
Test Procedure Number
RF Test Procedure 1

RF Test Procedure 2
RF IPE Procedures
RF Mitigating Procedures

Final Operating Effectiveness Conclusion

Evaluation of Deficiencies
Deficiencies noted:
Deficiency Description (if applicable)

Reference to evaluation of deficiencies over internal control (e.g., form 2342(S))
DCNO.24
Controls are implemented to restrict Virtual Private Network (VPN) access to authorized and appropriate users.



Document considerations of the appropriateness of the purpose of the control and correlation to the IT risk
identified.

Control Owner(s) - Document considerations of the appropriateness of authority and competence of the process
owner(s) to perform the control, including consideration of segregation of duties (as applicable)

Frequency of Control Operation

Document considerations of the appropriateness of the levels of aggregation and/or predictability given the risk
addressed
Document considerations of the appropriateness of the criteria used for investigation (i.e., threshold) and the
process for follow-up

Is the control dependent upon other controls or information?

Include a description of the IUC and identify the controls that address the accuracy and completeness of the
IUC, where the IUC is tested and the conclusions reached as a result of that testing. Consider source data,
parameters and report logic.

Is the information used as audit evidence to test the control?

Include a description of the IPE and details regarding how it was generated (i.e., who provided the IPE and the
date it was generated). Describe procedures performed to address completeness and accuracy. Consider
source data, parameters and report logic.

N/A

Interim Operating Effectiveness Testing (This includes a test of implementation)


Operating Effectiveness Test Procedure (Including implementation)
Obtain evidence of the VPN configuration settings that show the authentication methods required to connect.
Inspect the configuration to identify the following attributes:
• Encryption is implemented at a sufficient level to prevent traffic from inappropriate interception.
• Two factor authentication is implemented.

If password authentication is one of the factors, perform one of the following based upon the configuration:
a) If VPN authentication is tied to single sign-on, obtain evidence of the configuration of the VPN server / device showing the source to which authentication is tied, and perform testing over the password parameters for that source.
OR
b) Obtain the password parameters configured on the VPN server / device and test each parameter for the following attribute:
• Password parameters are configured in accordance with the company policy.

Note that two factor authentication requires two items from the following categories: what you know
(knowledge), what you have (ownership), and/or who you are (inherence).
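The attributes above can be codified so that a configuration export is evaluated the same way every time. The following is an added example, not part of the workplan; the configuration field names, the accepted cipher list and the company password policy are all assumptions, and the sample configurations are constructed.

```python
from dataclasses import dataclass, field

# Factor categories from the note above: what you know / what you have / who you are.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "hardware_token": "ownership", "totp_app": "ownership", "certificate": "ownership",
    "fingerprint": "inherence",
}
# Assumed list of acceptable cipher suites; anything else is reported for follow-up.
ACCEPTED_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
# Assumed company password policy: parameter -> ("min" | "max", required value).
COMPANY_POLICY = {"min_length": ("min", 12), "max_age_days": ("max", 90),
                  "lockout_threshold": ("max", 5)}

@dataclass
class VpnConfig:                    # hypothetical shape of a VPN configuration export
    cipher: str
    auth_methods: list              # e.g. ["password", "totp_app"]
    auth_source: str                # "sso" or "local"
    password_params: dict = field(default_factory=dict)   # only meaningful when local

def is_two_factor(methods):
    """Two factors means two *distinct* categories: password + PIN is still one factor."""
    categories = {FACTOR_CATEGORY.get(m) for m in methods} - {None}
    return len(categories) >= 2

def check_vpn(cfg, policy=COMPANY_POLICY):
    """Return failed attributes (and SSO referrals); an empty list means all attributes met."""
    findings = []
    if cfg.cipher not in ACCEPTED_CIPHERS:
        findings.append(f"cipher not on accepted list: {cfg.cipher}")
    if not is_two_factor(cfg.auth_methods):
        findings.append("two-factor authentication not implemented")
    uses_password = any(FACTOR_CATEGORY.get(m) == "knowledge" for m in cfg.auth_methods)
    if uses_password and cfg.auth_source == "sso":
        # Procedure (a): parameters are inherited, so test them at the SSO source instead.
        findings.append("refer: password parameters governed by SSO source")
    elif uses_password:
        # Procedure (b): test each local parameter against the company policy.
        for param, (kind, required) in policy.items():
            actual = cfg.password_params.get(param)
            ok = actual is not None and (actual >= required if kind == "min" else actual <= required)
            if not ok:
                findings.append(f"password parameter {param}={actual} violates policy ({kind} {required})")
    return findings

# Constructed sample configurations (not taken from any real device).
GOOD = VpnConfig("AES-256-GCM", ["password", "hardware_token"], "local",
                 {"min_length": 14, "max_age_days": 90, "lockout_threshold": 5})
WEAK = VpnConfig("3DES-CBC", ["password", "pin"], "local",
                 {"min_length": 8, "max_age_days": 365, "lockout_threshold": 5})
```

Running `check_vpn(WEAK)` reports the cipher, the single factor category and the two password parameters that miss the policy, while `check_vpn(GOOD)` returns an empty list.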

Interim Operating Effectiveness Conclusion

Roll-Forward Test Procedure


Inquire with the process owners and/or control owners on the following:
- The status of deficiencies identified at interim, including new or modified controls to respond to the deficiencies
- Significant changes to control performers, existing processes, or IT systems supporting the control.

Identify and describe test procedures performed over IPE at RF.


If applicable, perform mitigating procedures for any deviations/deficiencies identified during RF testing or for
open interim deficiencies.
Conclusion
Evaluation of Design Testing Results

Refer to the Summary worksheet for the evaluation of the competence and authority for individuals or groups
performing the control.
Operating Effectiveness Testing Results (including Implementation)

Roll-Forward Testing Results
