IBM AS400 Security Procedures

IBM AS400 Security Procedures

Table of Contents

A. Purpose and Scope B. Preparatory Steps C. General information D. Standards E. Documentation F. Physical Security G. Backup Procedures H. Disaster Recovery

I. Implementation & Change Control

J. Operations/Processing

(Job Scheduling, Tape Library Management, Output Handling) K. System Security - General

System Security Values User Group Profiles Libraries Objects

System Utilities System Commands System Logs L. Physical Inventory M. Systems Performance N.

Preventative Maintenance

Page 1 2 3 5 6 8 9 11 12 16 19 20 27 34 35 36 37 39 41 42 43

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

A.

Purpose And Scope

This program is designed to enable the auditor to examine and test the effectiveness of controls and procedures at data centers using IBM System/34, 36, 38 and AS/400 computers.

Included in the audit program are suggested audit steps that are designed to obtain evidence that key control procedures are operating effectively.

The audit approach includes: background information, standards, documentation, implementation/change controls, backup procedures (including those financial files required by law - such as general ledger, payroll, receivables, sales, cost of sales and any master file/tables required to complete the financial information - such as chart of accounts, cost, price masters), disaster recovery, computer operations and logical access security.

This guide should be read through in its entirety before an audit is commenced in order to gain a thorough understanding of the audit approach.

The Appendix contains added information on classifying data and background information on the various machines that are covered in this audit program.

1

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

B.

Preparatory Steps 1.

Review existing corporate computer policies and guidelines and evaluate their impact on the planned audit scope.

Review the workpapers and response to the prior audit report. Obtain and review the current organizational chart for the relevant data center location.

Review the letter of recommendations issued by the external audit firm when evaluating the audit scope.

Document interviews and meetings with key audited personnel.

2.

3.

4.

5.

2

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

C.

General Information

1.

Document the type of data processing equipment, ownership, capacity and future expansion plans.

2.

Document the type of major software applications currently in production, who owns them and future development plans.

3.

Review insurance coverage for hardware, software, facility, etc.

4.

Determine if outside service bureaus or contract programmers are employed and list all applications processed or programmed.

5.

Review procedures for obtaining these services.

6.

Determine if any additional controls are provided to ensure all work performed by contract programmers is reviewed and approved.

7.

Evaluate the contract with the service bureau(s) or outside programmer(s) for ownership of data, confidentiality statements, etc.

8.

Review relevant job descriptions to ensure adequately defined duties, lines of responsibilities, etc.

9.

Verify that procedures are in place for management review of the daily history log of computer processing activity and program changes.

10.

Review EDP staffing policies relating to absenteeism, training, transfers and employee terminations.

11.

Verify that an EDP steering committee has been established and review objectives, members and frequency of meetings.

GENERAL

C/PROG

3

Page 1 of 2