Your IT audit team has documented the following observations at Egencia from the IT General Control walkthrough:

• The applications programmer migrates the code to the system's test region. A second programmer performs systems integration testing, volume testing, and user acceptance testing, again using test files. The second programmer then performs a quality review of the change, including source compare analysis, and reviews the updated systems documentation.
• Upon completion of testing, the user who requested the change and the appropriate department manager review the test results and accept the change by signing the original request form. The VP, Applications reviews the user-approved request form on which the department manager has indicated that s/he is satisfied that the program is ready for implementation. The VP, Applications also reviews the documentation prior to implementing any new or changed program to ensure that the documentation is adequate.
• The VP, Applications approves all program changes, initials the change request form, and transfers the change to the VP, Operations, who officially accepts the change. The VP, Applications then updates the Change Request log and returns the revised systems documentation to the fireproof vault.
• The system allows ten access attempts. If the tenth attempt is unsuccessful, the user ID is automatically disabled. The user must contact the VP, IS to reset the user ID. The system generates a logical access violation report on a daily basis.
• The VP, IS grants access to the system to new hires. The appropriate department manager completes a computerized form that specifies the proper level of access. The VP, IS reviews the request form for proper approvals and then either approves or denies the request. If approved, the VP, IS issues the necessary ID and initial password with the requested access via email.
• Normal users may have multiple IDs. Each user ID can log on to one sign-on session at a time. The VP, IS, who has unlimited access, can log in from any workstation and have multiple sign-on sessions.
• The VP, IS is responsible for modifying and/or disabling user IDs for personnel whose job duties change because of promotions, transfers, and/or terminations based on the Transfers and Terminations report. The VP, IS maintains the report, and initials and dates the report when the VP, IS has made all of the modifications.
• Egencia backs up all of its data each day. It stores its most recent daily backup once a week at a company-owned offsite location, along with the most recent version of its software. Egencia did not test backup tapes during the past year and has no plan to test these tapes in the future.

As an IT security expert, you are asked to provide a conclusion for each of the IT General Control areas. You would have to provide reasons to support your conclusions.

Answer rating: 100% (QA)

The implementation of the service for the changes or addition of new feature and their acc... View the full answer