- Are all the inputs to the system specified including their source, accuracy, range of values, and frequency?
- Are all the outputs from the system specified including their destination, accuracy, range of values, frequency, and format?
- Are all the report formats specified?
- Are all the external hardware and software interfaces specified?
- Are all the communication interfaces specified including handshaking, error checking, and communication protocols?
- Is the expected response time, from the user’s point of view, specified for all necessary operations?
- Are other timing considerations specified, such as processing time, data transfer, and system throughput?
- Are all the tasks the user wants to perform specified?
- Does each task specify the data used in the task and data resulting from the task?
- Is the level of security specified?
1. IT Security Risk Identification
- What IT services are being provided to the organization related to cyber security or FISMA compliance (e.g., externally facing Internet systems, systems that have personally identifiable information (PII), etc.)?
- What are the organizational and IT units, and how are they managed (e.g., the centralized IT services group, an IT outsourcer, etc.)?
- What other regulatory and contractual requirements apply to the organization's processes (e.g., HIPAA, NERC, interagency agreements, contractual service level agreements, the Freedom of Information Act (FOIA), etc.)?
- What technologies and IT processes are being used for an in-scope asset (e.g., Microsoft Windows Server, Sun Solaris, Oracle, Microsoft SQL Server, etc.)?
- Are there any high-level risk indicators from the past to be aware of (e.g., repeat audit findings, frequent outages, etc.)?
With a SysTrust examination, there is an auditor's opinion. In addition, the service provider supplies a management assertion and a system description, which are attached to the auditor's opinion to form the SysTrust reporting package. Optionally, the reporting package can also include a schedule of the controls the service provider has implemented to address the Trust Services criteria.
SysTrust Auditor’s Opinion
To the Management of XYZ Service Provider, Inc.:
Microsoft Payment Card Industry Data Security Standard Compliance (PCI DSS) Requirements Matrix Template
| Requirement | Description | Related areas |
|---|---|---|
| 1 | Install and maintain a firewall configuration to protect cardholder data. | Risk Assessment; Network Security |
| 2 | Do not use vendor-supplied defaults for system passwords and other security parameters. | |
| 3 | Protect stored cardholder data. | Document Management; Risk Assessment; Data Classification and Protection |
| 4 | Encrypt transmission of cardholder data across open, public networks. | Risk Assessment; Messaging and Collaboration; Data Classification and Protection; Network Security |
1. Increase revenue:
- Optimize demand fulfillment.
- Increase forecast accuracy.
- Improve inventory positioning.
- Improve manufacturing responsiveness.
- Optimize vehicle scheduling.
- Improve supply chain responsiveness.
2. Increase asset utilization:
- Rationalize the network.
- Rationalize equipment.
- Reduce finished goods inventories.
- Increase forecast accuracy.
- Reduce cash-to-cash cycle time.
- Optimize batch runs.
- Reduce raw/work-in-progress inventory levels.