Documentation Template

Information Technology General Computer Controls

University of California, Berkeley
ITGCC DOMAIN:
CONTROL
DESCRIPTION AND
ATTRIBUTES:

Control
Objective(s) this
Control Support:

Risk(s) this Control

Mitigates:

Physical and Logical Security

ITGC-PLS-07. Management conducts periodic reviews of user physical and logical access.
Manual /
Preventive or
Manual
Preventive
Frequency: Quarterly
Automated:
Detective:
2.3 Developer access to systems being developed is restricted, monitored, and reviewed periodically.
3.3 Developer access to systems being updated is restricted, monitored, and validated periodically.
4.1 Physical access to data centers is restricted (including servers and other assets). Physical access is
approved for all users. Physical access rights are monitored. Physical access is re-assessed for all employee
transfers and is removed for all terminations.
4.2 Access to systems is restricted. Logical access is approved for all users. Logical access rights are monitored.
Logical access is re-assessed for all employee transfers and is removed for all terminations.
People having unauthorized access may improperly modify standing production data and code.
People having unauthorized access may improperly modify standing production data and code.
Unauthorized access to data centers could lead to loss of systems or data.
Unauthorized persons may access systems and execute transactions or change data. Access may be
granted to unauthorized users. Unauthorized or terminated employees may access systems and execute
transactions or change data. A lack of separation of duties may lead to inappropriate modification or use
of financial data.
Dept. With Primary
Responsibility:
Control Performer (Title Only)

Key Control
StepsBerkeley
Financial System
(BFS):

1.

Functional owner, BFS

technical manager, and
senior analysts

2.

IS&T Infrastructure Services

(Account, Security and Data
Center staff)

3.

UC Police Department
Dept. With Primary
Responsibility:

Control Performer (Title Only)

Key Control
StepsCampus
Accounts
Receivable System
(CARS):

Key Control

Page 1 of 2

1.

Functional owner, CARS

technical manager, and
senior analysts

2.

IS&T Infrastructure Services

(Account, Security and Data
Center staff)

3.

UC Police Department
Dept. With Primary
Responsibility:

IS&T Infrastructure Services (Account Administration, Security and Data

Center)
Description of Control Steps
Prepares and distributes reports (listing users and processing unit
access) to the Control Unit or Division Administrators on a quarterlybasis.
Submits add, change and delete requests to IS&T Account
Administrators in response to departmental email request for such
action.
Reviews quarterly reports listing user access to applications and
systems. Requests adds, changes or deletes to application and system
access (per job responsibility) for staff.
Reviews access logs to data centers.
Approves/denies requests for data center access.
Process requests for data center access (approves, grants, revokes,
denies access).
IS&T Infrastructure Services (Account Administration, Security and Data
Center)
Description of Control Steps
Prepares and distributes reports (listing users and processing unit
access) to the Control Unit or Division Administrators on a quarterlybasis.
Submits add, change and delete requests to IS&T Account
Administrators in response to departmental email request for such
action.
Reviews quarterly reports listing user access to applications and
systems. Requests adds, changes or deletes to application and system
access (per job responsibility) for staff.
Reviews access logs to data centers.
Approves/denies requests for data center access.
Process requests for data center access (approves, grants, revokes,
denies access).
IS&T Infrastructure Services (Account Administration, Security and Data
Center)

Effective March 2, 2011

Version Control: Last updated March 2, 2011

Documentation Template
Information Technology General Computer Controls
University of California, Berkeley
ITGCC DOMAIN:
CONTROL
StepsPayroll
Personnel System
(PPS):

Physical and Logical Security

ITGC-PLS-07. Management conducts periodic reviews of user physical and logical access.
Control Performer (Title
Only)
1. Functional owner, Payroll
technical manager, and
senior analysts

2. PPS Services, UCOP

3. IS&T Infrastructure Services
(Account, Security and Data
Center staff)

Page 2 of 2

Description of Control Steps

Prepares and distributes reports (listing users and processing unit
access) to the Control Unit or Division Administrators on a quarterlybasis.
Submits add, change and delete requests to IS&T Account
Administrators in response to departmental email request for such
action.
Processes ad-hoc requests for access to PPS applications on as-needed
basis.
Reviews quarterly reports listing user access to applications and
systems. Requests adds, changes or deletes to application and system
access (per job responsibility) for staff.

Effective March 2, 2011

Version Control: Last updated March 2, 2011