document

Download Free SAS 70 IT Control Objectives Toolkit. This Statement Auditing Standards (SAS) no 70 contain samples of Program Change Control, Access Control and Computer Operation Control Objectives as described below:

Program Change Control
- Ensure that production environment changes are approved by management prior to implementation in accordance with documented policies and procedures.
- Ensure that necessary modifications to the existing production environment are implemented within the timeframes required by documented policies and procedures.
- Ensure that modifications to the production environment are tested prior to implementation and function consistent with documented policies and procedures.

Requirements content
- Are all the inputs to the system specified including their source, accuracy, range of values, and frequency?
- Are all the outputs from the system specified including their destination, accuracy, range of values, frequency, and format?
- Are all the report formats specified?
- Are all the external hardware and software interfaces specified?
- Are all the communication interfaces specified including handshaking, error checking, and communication protocols?
- Is the expected response time, from the user’s point of view, specified for all necessary operations?
- Are other timing considerations specified, such as processing time, data transfer, and system throughput?
- Are all the tasks the user wants to perform specified?
- Does each task specify the data used in the task and data resulting from the task?
- Is the level of security specified?

Download Free Payment Card Industry Data Security Standard (PCI DSS Visa) Incident Report Template

I. Executive Summary
a. Include overview of the incident
b. Include Risk Level (High, Medium, Low)
c. Determine if compromise has been contained

II. Background

III. Initial Analysis

1. IT Security Risk Identification
- What IT services are being provided to the organization related to cyber security or FISMA compliance (e.g., externally facing Internet systems, systems that have personally identifiable information (PII), etc.)?
- What are the organizational and IT units, and how are they managed (e.g., the centralized IT services group, an IT outsourcer, etc.)?
- What are the other relevant regulatory and contractual requirements for the organization process (e.g., HIPAA, NERC, interagency agreements, contractual service level agreements, the Freedom of Information Act (FOIA), etc.)?
- What technologies and IT processes are being used for an in-scope asset (e.g., Microsoft Windows Server, Sun Solaris, Oracle, Microsoft SQL Server, etc.)?
- Are there any high-level risk indicators from the past to be aware of (e.g., repeat audit findings, frequent outages, etc.)

WITH A SYSTRUST EXAMINATION, THERE IS AN AUDITOR’S OPINION. In addition, the service provider provides a management assertion and a system description that are attached to the auditor’s opinion to form the SysTrust reporting package. Optionally, the reporting package can also include a schedule of controls that the service provider has implemented to address the Trust Services criteria.

SysTrust Auditor’s Opinion

To the Management of XYZ Service Provider, Inc.: