IBM AS400 Security Procedures

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

F.

Physical Security 1. 2.

Verify that the building is protected by an automatic fire extinguishing system, appropriate to the environment.

Verify that the computer room is equipped with appropriate classes and sufficient number of clearly visible fire extinguishers. Determine whether there are sufficient fire and smoke alarms appropriate to the environment.

Ensure that all exits and evacuation routes are clearly marked. Ensure that smoking is prohibited in the computer room. Document the provisions made to detect and report fires on a timely basis.

Review provisions for preventing water damage to the equipment. Verify that the computer room is accessible to only authorized personnel.

Document computer room layout and location of all major hard- ware components.

Document the procedures in place for notifying security when an employee is no longer allowed access to the building.

Review established emergency procedures for the data center, which should include at a minimum: a. b. c.

Turning off data processing equipment.

Turning off electrical power to the computer room. Evacuation of personnel.

3.

4.

5.

6.

7.

8. 9.

10.

11.

12.

13.

Review procedures for maintenance of appropriate temperature levels, periodic maintenance/inspection of equipment.

F/PROG

Page 1 of 1

PHYSICAL SECURITY

Ensure that all emergency procedures have been posted or distributed to all personnel.

8

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

G.

Backup Procedures

1.

Obtain a copy of the formal backup schedule for creating copies of production program and data files.

2.

Describe how the company determines which files are to be saved and how often. Also, describe the number of generations of files kept.

3. Describe backup procedure for the following:

a.

Production programs and procedures for both source and object code.

b.

Systems documentation.

c.

Operating system or other software.

4.

Verify that the frequency of backups is appropriate for the environment.

5.

Describe the secured area designated for on-site storage of backup media.

6.

Document who has authorized access to on-site backup area.

7.

Describe the off-site storage facility and the contents.

8.

Ensure that access to the off-site storage facility is restricted to only authorized personnel. List their names and functions.

9.

Review the arrangement for a computer backup site, for appropriate telecommunications facilities, operating systems, etc.

BACKUP PROCEDURES

G/PROG

9

Page 1 of 1

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

Testing (Backup Procedures)

1. Select a critical application to be tested based on the scope of

the review.

2. Obtain a current backup schedule for the programs and data files

selected.

3. Identify critical files used with this application on the Volume

Table Of Contents (VTOC) listing.

4. Trace files on the VTOC to the backup schedule.

5. Locate backup files in on-site storage.

6. Verify that dates on backup media agree with backup schedule.

7. Locate backup files on off-site storage. 8. Verify that dates on backup media agree with backup schedule. 9. Describe the contents of off-site storage facility.

BACKUP PROCEDURES G/TEST

10

Page 1 of 1

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

H. Disaster Recovery 1. Obtain a formal copy of the company's current disaster recovery plan.

2.

Obtain the company's list of employees and vendors to be contacted in the event of an emergency.

3.

Describe the method and extent of user involvement in the creation and maintenance of the plan.

4.

Ensure that all critical systems have been identified.

5.

Review interim manual procedures, prepared for users to continue processing critical transactions, for completeness.

6.

Review the documented results from the test of the disaster recovery plan.

7.

Review the disaster recovery plan for completeness. Some items to be considered in the review are: a.

Possible alternate processing sites.

b.

Alternate sites tested at least annually.

c.

Agreement exist for the use of the alternate sites.

d.

Availability of peripheral equipment.

e.

Defining critical systems to be processed.

f. Ability to process without key personnel.

g.

Ability to adapt plan to lesser disasters.

DISASTER RECOVERY

H/PROG

11

Page 1 of 1