
A. APPLICATION SPECIFIC QUESTIONS

Application name:

1. General
Implementation date: 2003
Interfaces to other applications (if yes, indicate to which application): No
System owner of application: Coltech MIS
System manager/administrator: Terrence Ramkissoon

2. Input and processing
Is input to the application centralised, decentralised or distributed? Provide detail on location of input sites.
Answer: Decentralised - server situated at the Ladysmith Campus.
Is processing of the application centralised, decentralised or distributed? Provide detail on location of processing sites.
Answer: Distributed - information is captured at Escourt, Ezakheni and Ladysmith.
Identify the nature of the processing environment: Mainframe / Client-server / Thick or thin client / Middleware / PC processing linked to the main server / PC processing (limited or no processing on server).
Does on-line or batch processing take place?
Answer: On-line processing.
Is data downloaded for transfer to other computers for purposes of input, processing or output? Provide detail on when, how and why transfer takes place.
Answer: No - all data is on the server.
Who is responsible for the maintenance of standing data (e.g. tables, codes, tariffs) on the application and how is it done (via application/database, centrally/decentralised)? Provide name and contact details of responsible person/persons.
Answer: IT Manager - Terrence Ramkissoon.
Do full-time operators handle processing and job scheduling or are operations automated? Provide name and contact detail of operators, if applicable.
Answer: Yes - all users at the college.
Is the database of the application integrated or is there a separate database with a database management system in place?
Answer: Integrated.
Have there been any significant changes in the past year with regards to the input and processing of the application? Provide detail on nature and date of change.
Answer: Updated on a regular basis - latest update was 2 months ago (bursary module).
Are there any changes foreseen within the next year with regards to the logon and authentication of users of the application? Provide detail on nature and date of change.
Answer: Changes are dependent on Dept of Higher Education requirement.

3. Logon and authentication of users for access to application
Describe the logon path of a user to the application.
Answer: Users access by remote connection.
Is access to the application gained via a local area network (LAN), a wide area network (WAN) or is the application on a standalone PC?
Answer: WAN.
Who is responsible for security administration of users (i.e. set-up of new users etc.)? Provide names and contact details.
Answer: IT Manager - Terrence Ramkissoon.
Have there been any significant changes in the past year with regards to the logon and authentication of users of the application? Provide detail on nature and date of change.
Answer: No.
Are there any changes foreseen within the next year with regards to the logon and authentication of users of the application? Provide detail on nature and date of change.
Answer: Changes are dependent on Dept of Higher Education requirement.

4. Change control
Is the application in-house developed, a packaged system, or developed by end-users?
Answer: Packaged system.
If in-house developed:
Does the auditee have access to the source code? N/A
Extent of program changes during the past year (none, low, moderate, high): N/A
Environments in use (production/development/test/training etc.): N/A
Who is responsible for maintenance of the software? Provide names, contact details and the basic responsibilities of all programming staff. N/A
If packaged system:
Vendor/supplier of software:
Extent of customisation for auditee implementation: None
Extent and nature of post-implementation customisation/modification: None
Who is responsible for customisation of the application (supplier or auditee)? None (Coltech MIS)
If decentralised/distributed processing, how are the systems at the sites being updated with changes made?
Answer: Changes are updated on the server.

5. Database management (applicable if separate databases)
Database management system: Coltech MIS
Is the database(s) centralised or decentralised? Also indicate location of database servers.
Answer: Centralised - Ladysmith Campus.
Who is responsible for maintenance of the database? Provide names, contact details and the basic responsibilities of all database administrators and staff with database related functions.
Answer: Terrence Ramkissoon & Sanjay Sew.
Is use made of a data warehouse or a Management Information System (MIS)?
Answer: MIS.
Is the data on the data warehouse/MIS significant to the auditee (e.g. reports are used for management decisions/budget control; data is used for transactional purposes)?
Answer: Yes.
Have there been any significant changes in the past year with regards to the databases and data warehouse of the application? Provide detail on nature and date of change.
Answer: Yes - Management Information System.
Are there any changes foreseen within the next year with regards to the databases and data warehouse of the application? Provide detail on nature and date of change.
Answer: Changes are dependent on Dept of Higher Education requirement.

B. ORGANISATIONAL ISSUES

1. Organisation
Who is the IT manager/CIO of the organisation? Provide name and contact details.
Is the CIS function controlled by a management steering committee group? Identify the members of the steering group.
Provide a basic layout (organigram) of the structure of the auditee, with specific emphasis on the organisational placement of the CIS function (IT department).
Answer: See diagram attached.
Provide a basic layout (organigram) of the CIS function/IT department that indicates the positions/jobs in the department, both filled and vacant, as well as the reporting lines. Also include all consultants that fill the posts, but clearly indicate they are consultants. Depending on the nature and size of the auditee these positions might include:
IT manager/CIO
System administrators (system and application software)
Network administrators
Database administrators
Operations manager and operators
Application and system programmers/analysts/librarians/developers/managers etc.
Application support staff and helpdesk staff
Security administrators/officers
Trainers
Answer: Terrence Ramkissoon, Sanjay Sew, Siyabonga Zuma & Suveer Ramdharee; EXCO - details of Exco.

2. Third parties/external consultants
List all third parties/external consultants utilised in the IT environment with the following information: name of consultant/contact person; specific responsibilities; whether the relationship is managed via a contract/licensing agreement/service level agreement.
Answer: Mzansi Afrika - responsible for the core servers in Centurion. Copy of agreement required.

3. Changes in the organisation
Have there been any changes in the IT organisation of the auditee in the past year (e.g. staff/consultant changes or outsourcing)? Provide detail on the nature and date of the changes.
Answer: New IT technician appointed 2 weeks ago.
Are there any changes foreseen within the next two years in the IT organisation of the auditee (e.g. staff/consultant changes or outsourcing)? Provide detail on the nature and date of the changes.
Answer: Yes - as per organigram.

C. NETWORK
Applicable if access to major applications is gained via a WAN or LAN.
Network operating system: version and release.
Answer: Server 2008/2003
Does the auditee have Internet access? Is access gained via the network or dial-up modems?
Answer: Yes / network
Does the auditee have a website? Provide the website address.
Answer: No website
Provide a basic lay-out of the network (network diagram) identifying specifically the following (if in place):
Authentication servers
Application servers
Database servers
FTP servers
Web servers
Mail servers
Other storage servers
Firewalls and proxies
Routers and switches
Demilitarized zone (DMZ)
RAS servers
Dial-up modems
Third party connections (SITA, Infoguard)
Answer: Diagram required
Do external parties access the network? Purpose of the access (for what services)? Access method (modem/RAS/third party connection etc.)?
Who is responsible for network administration? Provide names, contact details and the basic responsibilities of all network administrators and staff with network related functions.
Answer: Terrence Ramkissoon
Have there been any significant changes in the past year with regards to the network? Provide detail on nature and date of change.
Answer: Yes
Are there any changes foreseen within the next year with regards to the network? Provide detail on nature and date.
Answer: Changes are dependent on Dept of Higher Education requirement

D. SYSTEMS UNDER DEVELOPMENT OR PROCUREMENT

1. New application systems
(Complete the following table for all applications under development or that are in the process of being acquired.)
Columns:
Name of the application
Description of the application
Name of the application being replaced (if applicable)
If auditee will not perform development or customisation, provide detail on the consultant or supplier responsible
Status of development/acquisition
Project manager/contact person and contact detail
Planned implementation date

2. Major amendments to existing application systems
(Complete the following table for all major amendments in process/ planned to
Columns:
Name of the application and module/subsystem
Description of amendment
Reason for amendment
Status of amendment
Project manager/contact person and contact detail
Planned implementation date

E. OTHER GENERAL QUESTIONS

1) Is there an approved IT policy?
Answer: Yes - no minutes to verify the adopted
2) If so, have users signed declaration forms for acknowledgement of the policy?
Answer: No
3) Are there back-up and disaster recovery procedures/plan in place?
Answer: No
4) Has the disaster recovery plan been tested? If so, review results of test.
Answer: No
5) Are logs (audit trails) of application processing, system accesses, and computer performance maintained?
Answer: Yes - audit trails are maintained
6) Password controls
a) Confirm these are not displayed during logon process
Answer: Not displayed
b) Confirm users are logged off automatically after a specified length of time
Answer: Not
c) Confirm password complexity sufficient
Answer: Yes
7) Confirm access to computer facility is secured
Answer: Yes, however the server room is accommodated by 3 technicians
8) Confirm server room has fire detectors, extinguishers, etc.
Answer: No, fire detectors inside server and extinguishers in Central FET
9) Review the employee termination process and confirm access to system prevented immediately
Answer: Not terminated immediately

Questions (Yes/No)

Were there prior assessments, audit reports, findings and recommendations of IT activities?
Did the Municipality take any corrective action?
Does the Municipality have the minutes from the past year for content relevant to IT?
Are there business & IT strategic planning initiatives?
Are there any follow-up plans?
Are there IT initiatives on the way?
Were there any outsourced IT services?
Are there partners or business associates with whom the Municipality shares information?
Did the Municipality enter into any business associate contract or chain of trust agreement?
Is there any exchange of data between the Municipality and the external entities?
What are the job descriptions for IT positions including security officers?
Is there training provided to the IT staff?
Are the policies, procedures, standards and guidelines managed, planned and maintained properly?
Does the Municipality have the current IT organisation chart?
Does the IT function initiate or authorise transactions?
Does the Muni
Where the data center is located, are combustible materials stored above?
Are there physical controls at the data center, computer room and network access points?
Do all the doors into the data center adequately restrict access?
Do the visitors sign at the entrance and are records maintained?
Are there techniques in place used to restrict data center access?
Does the municipality have the following environmental controls in place:
a - fire extinguisher
b - uninterrupted power supply
c - emergency power
d - temperature controllers
e - emergency power cut-off switches
f - smoke and water detectors
g - emergency lighting
Are the environmental controls regularly tested and maintained?
Does the municipality have an equipment cooling system?
Is there routine maintenance of the system equipment?
Does the Municipality make use of remote consoles?
Is physical access limited to only the operators or appropriate supervisors?
Are system resources protected across all platforms, media and transmissions?
Does the municipality make use of automated authorisation and authentication mechanisms?
Are there users with privileged access authorities?
Does the Municipality have the documentation for intrusion protection/detection and IT infrastructure management?
Does the Municipality have logging and auditing systems?


Procedures

IT General Controls (ITGC) address the overall operation and activities of the IT function and its management and governance. The ITGC audit will identify and assess general controls throughout the organization's IT infrastructure. The auditor(s) will inquire, observe, and gather evidence to obtain an understanding of the IT control environment. COBIT provides the general framework for the assessment and is augmented as necessary with applicable regulations, legislation, standards, policies, agreements, and related guidance.

Review prior assessments, audit reports, findings, and recommendations of IT activities for two years, to include:
Internal audit reports
Regulatory agency reports
Consulting reports
Assess the appropriateness of the corrective actions taken. Document the action taken for each recommendation and determine whether any prior year's comments should be carried forward to the current year's comments.
Identify the technology platforms in use and the applications processed on each platform. Platform information includes: equipment manufacturer and model; quantity. Software application information includes: application vendor and name; version/release.
Review Board of Directors and Committee agenda and minutes from the past year for content relevant to IT. Establish and document follow-up plans as appropriate.
Review Business & IT Strategic Planning Initiatives. Establish and document follow-up plans as appropriate.
Review the status of IT initiatives underway (changes in business operations or IT infrastructure, outsourcing initiatives, web strategies, etc.) and note those impacting risks and controls.
Review the status of outsourced IT services and the respective vendor(s) and adjust audit procedures as appropriate to address issues affected by outsourcing.
Review the list of trading partners/business associates with whom the organization shares or exchanges electronic information, and assess arrangements for information security and compliance across organizational boundaries.
Review example business associate contract/chain of trust agreements.
Assess the roles and related risks for key personnel responsible for the exchange of data/information with external entities.
Review the job descriptions for IT positions including Security and Privacy Officers. Assess their appropriateness for the roles identified, how well they address separation of duties, and other considerations.
Assess the general state of training provided to IT staff and the related policies, procedures, plans, schedules, and training records. (See also Security Training in the Security and Application Systems Sections.)
Assess the management, maintenance, planning, and appropriateness of documented Policies, Procedures, Standards, and Guidelines including, but not limited to:
a. General IT and IS Policies and Procedures
b. All Security Policies including HIPAA, HITECH, State and other Security Requirements, etc.
c. All Privacy Policies including HIPAA, HITECH, State and other Privacy Requirements, etc.
d. Policies and Procedures for Release of Information
e. Employee Termination Process
f. Personnel Practices, e.g. clearance policies and procedures (background check, etc.), visitor and maintenance personnel control, disciplinary policies
g. Vendor Policies and Procedures
h. Change management policies and procedures

IT Organization and Operations

Obtain the current IT Organization Chart(s) and assess segregation of duties for key functions (i.e. system analysis, development, programming, testing, operations, quality).
Review business process flows/diagrams for IT-related activities and assess IT process controls as identified.
Through discussion with IT personnel, evaluate the segregation of critical processing functions. Ensure the IT function is a support group within the organization and does not initiate or authorize transactions.
Determine whether an IT steering committee or an equivalent committee provides effective IT governance within the organization.

Note: The physical environment reviewed will consider the size and complexity of the organization and its operations, and the types of technology in use or coming into use by the organization and its affiliates, partners, and related groups. Consider also the areas where technology is used and whether the locations present risks due to people and activities and/or natural or man-made threats.

Evaluate the data center location(s) and the host building(s). Ensure combustible materials are not stored on floors above or below the data center. If combustible materials are stored above, evaluate the fire suppression system, i.e. a sprinkler system will result in water damage to floors below.
Tour the data center(s). Document the measures taken to control physical access to such areas as the data center, computer room, telecommunications, wiring closets and network access points.
Identify all doors into the data center and ensure each adequately restricts access.
Ensure all visitors, including vendors, are required to sign in upon entry, are escorted as appropriate, and that visitor records are retained.
Identify and observe the techniques in place (surveillance cameras, security guards, electronic card keys, etc.) used to restrict data center access.
Determine whether the following environmental controls are in place and operational:
a. Fire suppression equipment (e.g. halon system or dry line water suppression and extinguishers)
b. Uninterruptible power supply (UPS)
c. Emergency power (e.g. generators)
d. Temperature and humidity controllers including backup HVAC
e. Emergency power cut-off switches
f. Smoke and water detectors
g. Emergency lighting
Ensure the above are regularly tested and maintenance contracts are in force.
Identify the equipment cooling system(s). If water-cooled, assess the protection against leakage and whether a backup water chiller exists.
Assess the routine maintenance of system equipment to ensure it performs as expected and to monitor fragile or unstable systems.
Identify the location(s) of consoles for system and network operation and maintenance, and assess the use and control of remote consoles.

Access or Security Controls

Physical Access
Ensure physical access to computer room(s) is limited to operators and appropriate supervisors:
a. Locked computer labs that require coded ID cards or keys for entry
b. Manual key locks on the computer
c. Restricted access to program libraries, and logs of all program access
Assess the completeness and appropriateness of Facility Security Standards for authentication, personnel, access, etc.

Electronic Access
Determine how system resources (i.e. batch, on-line transactions, datasets, and sensitive utilities) are protected across all platforms, media, and transmissions.
Identify all applications that provide their own security mechanisms. Ensure appropriate capabilities are implemented, to include:
Unique user IDs assigned to all users
Unattended devices automatically logged off after a specified period of inactivity
Users are forced to change passwords within a specified timeframe
Old passwords cannot be reused
Passwords are properly masked on the system
Review and assess the description of user authentication mechanisms (secure ID, biometric, CHAP/PAP, etc.).
Identify and review the use of automated authorization and authentication mechanisms, profile templates, etc.
Assess the connectivity of remote, dial-up, wireless, mobile, and other systems that provide access to sensitive data and the specific security techniques in place for remote or mobile access and user authentication.
Review the procedures to authorize and revoke system access. Ensure proper authorization is obtained prior to granting user access to system resources.
Evaluate the procedures established to remove user IDs and passwords from the system when an employee leaves and to adjust access privileges as user roles and responsibilities change.
Select a sample of users in the system's security package and ensure system access is appropriate and properly authorized.
Select a sample of sensitive data elements and ensure appropriate access management.
Identify all users with privileged access authorities and assess the procedures for monitoring all activities of privileged users.
Review documentation for intrusion protection/detection and IT infrastructure management/monitoring systems (internal and external network infrastructure).
Review descriptions of logging and auditing systems and assess their appropriateness. Assess the logging of security related information and the identification and management of security incidents or violations. Review sample logs and reporting for incident assessment and remediation.
Review the documentation for the Incident Response Team and Incident Response Process related to protected information loss, theft, disclosure, security breach, notification procedures, etc.
Review the incident response tracking mechanism and records of security incidents, and assess the timeliness and appropriateness of response, recovery, notification, follow-up review, corrective procedures, etc.
Assess the information security training provided to IT staff and the related policies, procedures, plans, schedules, and training records.
Assess the information security training provided to non-IT staff and the related policies, procedures, plans, schedules, and training records.
Assess the results of the most recent security penetration testing and the methods used.

Systems Development and Documentation Controls

Obtain an understanding of the systems development, maintenance, and change management processes.
Assess the written procedures (in the overall policies and procedures manual) outlining the steps followed to modify IT systems. Ensure these steps include:
d. proper approval to implement program changes;
e. appropriate documentation describing the nature and logic of proposed changes;
f. a proper methodology for testing, debugging, and approving all changes on a test system before implementing the changes in production systems; and
g. a log maintained of all system enhancements and modifications.
Assess the training for security of online applications, its appropriateness for the applicable personnel, and the extent to which it is integrated with the building, maintenance, testing, implementation, and use of online systems processing sensitive and protected information.
Assess the methodology for approving and developing new application systems. Ensure the methodology applies to all types of systems.
Assess the Systems Development Life Cycle as performed by IT personnel. Consider the following:
a. User participation and sign-off
b. Acceptance testing
c. Proper review and approval at the completion of key stages in the development process, and documentation requirements
Select a sample of systems in the development life cycle process and review the development documentation to assess compliance with the SDLC methodology.
Review the IT change management processes and procedures to ensure critical functions are performed:
a. All changes to programs, files, and devices require written authorization before they are implemented.
b. All changes go through a single control point.
c. Only specified personnel are authorized to approve and apply changes.
d. Users accept the change, via sign-off, prior to implementation of any change in production.
e. Documentation of all changes clearly identifies the trail from initiation through every step, including post-change acceptance.
f. Processes are in place to ensure agreement on the priority of change requests.
g. Changes are implemented into the production environment by personnel not responsible for making the changes (segregation of duties).
h. Procedures are in place for emergency changes.
Select a sample of recent program changes and review the change documentation for compliance with application program change procedures.
Assess the procedures in place to routinely test for unauthorized or undocumented program changes (e.g. by comparison of the working program to the approved code).
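The last step above (comparing the working program to the approved code) and the change log of item g can be tested together. The following script is an added example, not part of this audit programme: it hashes a production program library, compares it with a baseline manifest taken at the approved release, and reports every difference that no approved change record covers. The library layout, file names and the approved-change list are constructed for the demonstration.

```python
"""Detect undocumented program changes: baseline hashes vs. the running code.

Assumed process (not from the audit programme): at each approved release a
manifest {relative_path: sha256} of the production library is stored under
change control; on each audit run the library is re-hashed and compared.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large program binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative path, forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def find_unauthorized_changes(baseline: dict, current: dict, approved: set) -> dict:
    """Compare the approved baseline with what is actually in production.

    baseline: manifest taken when the approved code was released
    current:  manifest of the production library now
    approved: relative paths named in signed-off change records since the baseline
    Any modified, added or removed file without an approved record is reported.
    """
    modified = {p for p in baseline if p in current and baseline[p] != current[p]}
    added = {p for p in current if p not in baseline}
    removed = {p for p in baseline if p not in current}
    changed = modified | added | removed
    return {
        "unauthorized": sorted(changed - approved),
        "approved": sorted(changed & approved),
        # an approved change that never reached production also deserves a question
        "approved_but_unchanged": sorted(approved - changed),
    }


def demo() -> dict:
    """Constructed scenario: release three programs, approve one change, alter two."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "prodlib")
        os.makedirs(lib)
        release = {"bursary.py": "# v1", "fees.py": "# v1", "report.py": "# v1"}
        for name, body in release.items():
            with open(os.path.join(lib, name), "w") as fh:
                fh.write(body)
        baseline = build_manifest(lib)     # manifest taken at the approved release
        approved = {"bursary.py"}          # the only change with a signed-off record

        # Production drifts: one approved change, one unrecorded edit, one new file.
        with open(os.path.join(lib, "bursary.py"), "w") as fh:
            fh.write("# v2, approved change")
        with open(os.path.join(lib, "fees.py"), "w") as fh:
            fh.write("# v2, nobody signed this off")
        with open(os.path.join(lib, "hotfix.py"), "w") as fh:
            fh.write("# dropped in outside change control")

        current = build_manifest(lib)
        return find_unauthorized_changes(baseline, current, approved)


if __name__ == "__main__":
    for finding, paths in demo().items():
        print(f"{finding}: {paths}")
```

Persist the baseline manifest outside the library (for example under change control) so that whoever can alter production code cannot also rewrite the reference hashes.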

Evaluate the separation of the test environment from production systems and data, and ensure changes are thoroughly tested and approved prior to moving the changed code into the production environment.
Review the application program change turnover procedures performed by the independent group responsible for implementing the application changes into the production environment.
Assess the emergency change procedures and whether emergency changes are migrated through segregated libraries to enable management review and approval of the change. Select a sample of emergency program changes and assess compliance with established procedures.
Assess the procedures for making routine rate changes (e.g. tax rates) to application programs or tables.
Assess whether programming standards include naming conventions and coding conventions.
Identify the software package (e.g. CA-Librarian) on the processing system that provides security over production libraries for source programs, JCL, and other files.
Identify the functions/individuals responsible for the hardware and system software controls built into IT equipment by the manufacturer, which may include:
a. Self-diagnosis
b. Regular maintenance
c. Echo check
d. Duplicate process check
e. Parity check
Assess the processes to identify and address errors that may occur in operating systems and system software:
a. Logic errors occur before the operational stage
b. Coding errors are detected during the program testing (debugging) stage
c. Modification errors can occur at any time, even while processing. If not handled properly, program modifications can produce unexpected operations and invalid output and data.
o Make inquiry of any unauthorized program modifications (the most ominous type of software error)
o Assess the completeness of records kept of all modifications and of any post-modification debugging
Determine through inquiry the process for scheduling production batch processing. Ensure user authorization of all changes to the production schedule. Select a sample of changes and review them for compliance with the scheduling procedures. If an automatic scheduler is not used, determine how production processing is controlled. Determine how the computer operator ensures production processing properly completes.
Identify the various output media in use and assess the processes for distribution of production-processing output to users. Ensure sensitive data is properly controlled.

Backup/Recovery

Review the Business Continuity Plan and Disaster Recovery Plan and ensure the systems and communications backup and recovery procedures are appropriately integrated in the plan.
Ensure system and incremental backups are performed on a regular basis. Assess the frequency of backups and determine through inquiry and review of documentation whether all files and programs are backed up properly.
Ensure on-line transaction journals are backed up to provide recovery of transactions that update the databases.
Review the description of backup and archiving system(s).
Assess the procedures to ensure backup copies of system, programs, and data files are rotated to a secure offsite storage location on a scheduled basis.
Assess the procedures for verifying the inventory of the backup data.
Identify the media and processes involved in backup and recovery and assess their effectiveness. If a tape management system (TMS) is part of the processing system and provides an inventory of tapes by location, observe that tapes maintained offsite are properly segregated on the TMS.
Review the results of system recovery testing to ensure a successful test was performed and documented within the prior twelve months.

Business Continuity Planning and Disaster Recovery

Review the business continuity and resumption plans. Through discussions with management and review of the business continuity and resumption plans, determine whether the plans are current and include the necessary key components.
Review the documentation of the results of the most recent test of the business resumption plan and determine the dates of prior plans. Document the frequency and success of the tests. If the plan has not been tested, inquire as to the plans for testing.
Assess IT management's plans for and roles in assuring business continuity and the recovery of IT resources. Determine if the plan includes recovery of IT at a vendor site and review the service agreement.
Evaluate the disaster recovery plan for the IT division. Ensure application recovery is based on risk (applications critical to the organization are recovered first).
Evaluate the recovery service vendor agreement(s) to ensure they provide adequate infrastructure to recover the organization's IT resources and operations. Ensure telecommunications are included and covered during testing.
Review the results of recovery testing of IT operations at the vendor site(s). Ensure tests were successfully completed and results documented.

Telecommunications

Review technical configurations, charts, schematics, and network diagrams (internal and external network infrastructure).
Review documentation regarding approved remote communication channels, mechanisms, protocols, and standards (i.e. extranet, VPN, SSH, FTP, Wi-Fi, etc.).
Review procedures for setting up, siting, and managing networked workstations and portable and mobile devices.
Assess the security of procedures for monitoring, adding, removing, and configuring all devices on the network.
Review the description of the messaging architecture, authentication, encryption methods, and auditing/logging.
Determine whether telecommunications provide a reliable and secure environment. Consider load balancing devices, redundant systems, and alternate procedures for the continuation of telecommunication operations.
Determine if EDI (Electronic Data Interchange) is utilized. If so, evaluate the security and authenticity of the interchange.

Auditor's Comment
