22 Sep

19 General Steps of an Information Systems Audit Program

The audit program is designed to address the primary risks of virtually all computing systems. Therefore, the objective statement and steps in the program are general by design. Obviously, computing systems can have many different applications running on them, each with its own unique set of controls. However, the controls surrounding all computing systems are very similar. The IS controls in the audit program have been grouped into four general categories:

Objective:

  1. To assess the adequacy of environmental, physical security, logical security, and operational controls designed to protect IS hardware, software, and data against unauthorized access and accidental or intentional destruction or alteration, and
  2. to ensure that information systems are functioning in an efficient and effective manner to help the organization achieve its strategic objectives.

TESTS OF ENVIRONMENTAL CONTROLS

Step 1. Assess the adequacy and effectiveness of the organization’s IS security policy. In addition, assess whether the control requirements specified in the organization’s IS security standards adequately protect the information assets of the organization. At a minimum, the standards should specify the following controls and require them to be applicable to all information systems:

A. The maiden password should be changed after the system is installed.

B. There is a minimum password length of eight or more characters.

C. Passwords require a combination of alpha and numeric characters.

D. The password is masked on the screen as it is entered.

E. The password file is encrypted so nobody can read it.

F. There is a password expiration period of 60 days or less.

G. Three or fewer unsuccessful sign-on attempts are allowed, then the user ID is suspended.

H. User sessions are terminated after a specified period of inactivity (e.g., five minutes or less).

I. Concurrent sign-on sessions are not allowed.

J. Procedures are in place to remove user IDs of terminated users in a timely manner.

K. Users are trained not to share or divulge their passwords with other users, post them at their workstations, store them in electronic files, or perform any other act that could divulge their passwords.

L. Unsuccessful sign-on attempts and other logical security-related events (e.g., adding and deleting users, resetting passwords, restarting the system) are logged by the system, and the log is reviewed regularly by system security staff.

M. Fully developed and tested backup and recovery procedures exist to help ensure uninterrupted business resumption in the event of a full or partial disaster.

N. New information systems are required to be designed to enable the aforementioned controls to be implemented by system security administrators. New systems include those developed in house, those purchased from vendors, and third-party processor systems. In the case of software vendors and third-party processors, the above control requirements should be specified as requirements in the contract.
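An added example, not part of the original post, that turns the measurable controls above (A, B, C, F, G, H, I) into a parameter check of the kind Step 11 calls for, including the Step 11 caveat that per-user settings can override the system defaults. The parameter names and the sample values are assumptions; a real system exposes these settings under its own names.

```python
# Baseline drawn from controls A, B, C, F, G, H and I of Step 1.
NUMERIC_RULES = {                                   # parameter: (kind, limit)
    "min_password_length": ("min", 8),              # control B
    "password_max_age_days": ("max", 60),           # control F
    "lockout_threshold": ("max", 3),                # control G
    "inactivity_timeout_minutes": ("max", 5),       # control H
}
BOOLEAN_RULES = {
    "maiden_password_changed": True,                # control A
    "password_requires_alphanum": True,             # control C
    "allow_concurrent_sessions": False,             # control I
}


def effective_settings(defaults, user_overrides):
    """Step 11 caveat: per-user parameter settings override the system defaults."""
    merged = dict(defaults)
    merged.update(user_overrides)
    return merged


def check_settings(settings):
    """Return findings as (parameter, observed, expected) tuples; [] means compliant."""
    findings = []
    for key, (kind, limit) in NUMERIC_RULES.items():
        value = settings.get(key)
        if value is None:                             # control not configured at all
            findings.append((key, None, f"{kind} {limit}"))
        elif (kind == "min" and value < limit) or (kind == "max" and value > limit):
            findings.append((key, value, f"{kind} {limit}"))
    for key, expected in BOOLEAN_RULES.items():
        value = settings.get(key)
        if value is not expected:                     # missing counts as non-compliant
            findings.append((key, value, expected))
    return findings


# Constructed sample values, not taken from any real system.
SYSTEM_DEFAULTS = {
    "min_password_length": 8, "password_max_age_days": 60,
    "lockout_threshold": 3, "inactivity_timeout_minutes": 5,
    "maiden_password_changed": True, "password_requires_alphanum": True,
    "allow_concurrent_sessions": False,
}
# An assumed user-level override that silently weakens the compliant defaults.
ADMIN_OVERRIDES = {"password_max_age_days": 365, "allow_concurrent_sessions": True}

if __name__ == "__main__":
    for finding in check_settings(effective_settings(SYSTEM_DEFAULTS, ADMIN_OVERRIDES)):
        print("FINDING:", finding)
```

The defaults alone pass; only once the user-level override is merged in do the two weakened parameters surface as findings.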

Step 2. For service organization applications, examine the most recent report on the policies and procedures placed in operation at the vendor’s data processing site as prepared by its external auditors. In the United States, the format and testing requirements are dictated by Statement on Auditing Standards 70 (SAS 70), issued by the American Institute of Certified Public Accountants.

Step 3. If the system was purchased from and supported by a vendor, assess the financial stability of the system vendor using the most recent audited financial statements prepared by the vendor’s external auditors.

Step 4. Examine the vendor software license agreement and any agreements for ongoing maintenance and support to ensure that they are current, address service needs, and do not contain or omit any wording that could be detrimental to your organization.

TESTS OF PHYSICAL SECURITY CONTROLS

Step 5. Assess the adequacy of physical security over the computer system hardware and storage media.

Step 6. Determine whether an adequately trained backup system security administrator has been designated.

Step 7. Assess the adequacy and effectiveness of the written business resumption plan, including the results of mock disaster tests that have been performed.

Step 8. Assess the adequacy of insurance coverage over the hardware, operating system, application software, and data.

TESTS OF LOGICAL SECURITY CONTROLS

Step 9. Determine whether the maiden password for the system has been changed and whether controls exist to change it on a periodic basis in conformity with the computing system security policy, standards, or guidelines identified in Step 1.

Step 10. Observe the system security administrator sign on and print a list of current system users and their access capabilities. Alternatively, if you can obtain appropriate system access, you can obtain the list of users independently.

Step 11. Document and assess the reasonableness of the default system security parameter settings. The settings should conform to the organization’s computing system security policy, standards, or guidelines tested in Step 1. (Be alert to the fact that in some systems, individual user parameter settings override the default system security parameter settings.)

Step 12. Test the functionality of the logical security controls of the system (e.g., password masking, minimum password length, password expiration, user ID suspension after successive invalid sign-on attempts, log-on times allowed, and session time-outs).

Step 13. Determine whether the file containing user passwords is encrypted and cannot be viewed by anyone, including the system security administrator.

Step 14. Determine whether sensitive data, including passwords, are adequately encrypted throughout their life cycles, including during storage, transmission through any internal or external network or telecommunications devices, and duplication on any backup media.

Step 15. Assess the adequacy of procedures to review the log of system security-related events (e.g., successive invalid sign-on attempts, system restarts, changes to user access capabilities and user parameter settings).

Step 16. Assess the adequacy of remote access controls (e.g., virtual private networks [VPNs], token devices [CRYPTOCard, SecurID, etc.], automatic dial-back, secure sockets layer [SSL]).

TESTS OF INFORMATION SYSTEMS OPERATING CONTROLS

Step 17. Determine whether duties are adequately segregated in the operating areas supporting the information system (e.g., transactions should be authorized only by the originating department, programmers should not have the capability to execute production programs, procedures should be adequately documented, etc.).

Step 18. Determine whether there have been any significant software problems with the system. Assess the adequacy, timeliness, and documentation of resolution efforts.

Step 19. Assess the adequacy of controls that help ensure that IS operations are functioning in an efficient and effective manner to support the strategic objectives and business operations of the organization (e.g., system operators should be monitoring CPU processing and storage capacity utilization throughout each day to ensure that adequate reserve capacities exist at all times).

15 Responses to “19 General Steps of an Information Systems Audit Program”

  1.
    BradandPitti Says:

    cool site :-)

    –> Thanks, Sir

  2.
    loganxxl Says:

    Thanks for this – great idea.

    –> Thanks, Sir!

  3.
    danyela Says:

    Hmmm, I am tempted to try this.

    –> Ok, thanks, Sir.

  4.
    lrech Says:

    Hmm. Good question.

    –> Nice comment!

  5.
    Edward NoliMoopold Says:

    Very useful post.
    Thanks.
    P.S. I like your writing style.

  6.
    Timaaaa Says:

    I really liked this post. Can I copy it to my blog?
    Thanks in advance.

    Sincerely, Timur.

  7.
    Catur Iswahyudi Says:

    Could you translate it into Indonesian, sir? That would make it easier to study.

    –> Yes indeed… Help me please!

  8.
    Your Reader Says:

    Wow! Thank you very much!
    I always wanted to write in my site something like that. Can I take part of your post to my blog?
    Of course, I will add a backlink.
    Regards, Timur Alhimenkov

  9.
    Dirnov Says:

    Greetings,
    I have already seen it somewhere.

    Thank you
    Dirnov

  10.
    Reseller hosting Says:

    Interesting article, adding it to my bookmarks!

  11.
    Daniel Craig Says:

    Hi there, I was looking around for a while searching for an audit example report and I happened upon this site and your post regarding 19 General Steps of an Information Systems Audit Program. I will definitely add this to my audit example report bookmarks!

  12.
    shoe carnival Says:

    Thanks. ^_^

  13.
    41i35 Says:

    Dear Author edhy.dosen.akprind.ac.id!
    It is remarkable, it is very valuable information.

  14.
    Marvel Allara Says:

    I am stricken by the way you addressed this topic. It is not often I come across a blog with engrossing articles like yours. I will bookmark your feed to stay up to date with your approaching updates. Just amazing, and do continue up the good work.

  15.
    hurke Says:

    Truly loved the article, added to my favourites.
