« 内閣官房 パブコメ 「セキュア・ジャパン2009」(案) | Main | 総務省 クラウドコンピューティング時代のデータセンター活性化策に関する検討会 »

2009.05.09

GAO Federal Information System Controls Audit Manual (FISCAM) 表

 こんにちは、丸山満彦です。FISCAMを表にしてみました。。。J-SOXのIT全般統制やIT業務処理統制を考える上でも参考になりますね。。。

3.1. Security Management (SM)

SM-1

Establish a Security Management Program

SM-1.1

The security management program is adequately documented, approved, and up-todate

 

 

SM-1.2

A security management structure has been established

 

 

SM-1.3

Information security responsibilities are clearly assigned

 

 

SM-1.4

Subordinate security plans are documented, approved, and kept up-to-date

 

 

SM-1.5

An inventory of systems is developed, documented, and kept up-to-date

SM-2

Periodically assess and validate risks

 

 

SM-3

Document and implement security control policies and procedures

 

 

SM-4

Implement effective security awareness and other security-related personnel policies

SM-4.1

Ensure that resource owners, system administrators, and users are aware of security policies

 

 

SM-4.2

Hiring, transfer, termination, and performance policies address security

 

 

SM-4.3

Employees have adequate training and expertise

SM-5.

Monitor the effectiveness of the security program

 

 

SM-6.

Effectively Remediate Information Security Weaknesses

 

 

SM-7.

Ensure that Activities Performed by External Third Parties are Adequately Secure

 

 

3.2. Access Controls (AC)

AC-1

Adequately protect information system boundaries

AC-1.1

Appropriately control connectivity to system resources

 

 

AC-1.2

Appropriately control network sessions

AC-2.

Implement effective identification and authentication mechanisms

AC-2.1

Users are appropriately identified and authenticated

AC-3.

Implement effective authorization controls

AC-3.1

User accounts are appropriately controlled

 

 

AC-3.2

Processes and services are adequately controlled

AC-4.

Adequately protect sensitive system resources

AC-4.1

Access to sensitive system resources is restricted and monitored

 

 

AC-4.2

Adequate media controls have been implemented

 

 

AC-4.3

Cryptographic controls are effectively used

AC-5.

Implement an effective audit and monitoring capability

AC-5.1

An effective incident response program is documented and approved

 

 

AC-5.2

Incidents are effectively identified and logged

 

 

AC-5.3

Incidents are properly analyzed and appropriate actions taken

AC-6.

Establish adequate physical security controls

AC-6.1

 Establish a physical security management program based on risk

 

 

AC-6.2

Establish adequate perimeter security based on risk

 

 

AC-6.3

Establish adequate security at entrances and exits based on risk

 

 

AC-6.4

Establish adequate interior security based on risk

 

 

AC-6.5

Adequately protect against emerging threats based on risk

3.3. Configuration Management (CM)

CM-1

Develop and document CM policies, plans, and procedures

 

 

CM-2

Maintain current configuration identification information

 

 

CM-3

Properly authorize, test, approve, track, and control all configuration changes

 

 

CM-4

Routinely monitor the configuration

 

 

CM-5.

Update software on a timely basis to protect against known vulnerabilities

 

> Vulnerability scanning> Patch management

> Virus protection

> Emerging threats

> Noncurrent software

> Software usage

CM-6

Appropriately document and approve emergency changes to the configuration

 

 

3.4. Segregation of Duties (SD)

SD-1

Segregate incompatible duties and establish related policies

SD-1.1

Incompatible duties have been identified and policies implemented to segregate these duties

 

 

SD-1.2

Job descriptions have been documented

 

 

SD-1.3

Employees understand their duties and responsibilities

SD-2

Control personnel activities through formal operating procedures, supervision, and review

SD-2.1

Formal procedures guide personnel in performing their duties

 

 

SD-2.2

Active supervision and review are provided for all personnel

3.5. Contingency Planning (CP)

CP-1

Assess the criticality and sensitivity of computerized operations and identify supporting resources

CP-1.1

Critical data and operations are identified and prioritized

 

 

CP-1.2

Resources supporting critical operations are identified and analyzed

 

 

CP-1.3

Emergency processing priorities are established

CP-2

Take steps to prevent and minimize potential damage and interruption

CP-2.1

Data and program backup procedures have been implemented

 

 

CP-2.2

Adequate environmental controls have been implemented

 

 

CP-2.3

Staff have been trained to respond to emergencies

 

 

CP-2.4

Effective hardware maintenance, problem management, and change management help prevent unexpected interruptions

CP-3

Develop and document a comprehensive contingency plan

CP-3.1

An up-to-date contingency plan is documented

 

 

CP-3.2

Arrangements have been made for alternate data processing, storage, and telecommunications facilities

CP-4

Periodically test the contingency plan and adjust it as appropriate

CP-4.1

The plan is periodically tested

 

 

CP-4.2

Test results are analyzed and the contingency plan is adjusted accordingly

 

Business Process Application Controls

4.1. Application Level General Controls (AS)

AS-1

Implement effective application security management.

 

Establish an application security plan

Periodically assess and validate application security risks

Document and implement application security policies and procedures

Implement effective security awareness and other security-related personnel policies

Monitor the effectiveness of the security program Effectively remediate information security weaknesses

Ensure that activities performed by external third parties are adequately secure

AS-2

Implement effectiveapplication access controls

 

Adequately protect application boundaries

Implement effective identification and authentication mechanisms

Implement effective authorization controls

Adequately protect sensitive application resources

Implement an effective audit and monitoring capability

Establish adequate physical security controls

AS-3

Implement effective application configuration management

 

 

AS-4

Segregate user access to conflicting transactions and activities and monitor

 

 

AS-5

Implement effective application contingency planning

 

Assess the criticality and sensitivity of the application

Take steps to prevent and minimize potential damage and interruption

Develop and document an application contingency plan

Periodically test the contingency plan and adjust it as appropriate

4.2. Business Process Controls (BP)

BP-1

Transaction Data Input is complete, accurate, valid, and confidential

(Transaction Data Input Controls)

Implement an effective transaction data strategy and design Establish Input Preparation (approval and review) Policies and Procedures

Build Data Validation and Edits within the Application

Implement Effective Auditing and Monitoring Capability

BP-2

Transaction Data Processing is complete, accurate, valid, and confidential

(Transaction Data Processing Controls)

Formal Transaction Processing Procedures

Effective auditing and monitoring capability

BP-3

Transaction data output is complete, accurate, valid, and confidential

(Transaction Data Output Controls)

Implementing a reporting strategy

Establishing security and controls over report generation and distribution

BP-4

Master Data Setup and Maintenance is Adequately Controlled

 

Implementing an effective design of master data elements

Establishing master data maintenance procedures, including approval, review, and adequate support for changes to master data

Implementing an effective auditing and monitoring capability

4.3. Interface Controls (IN)

IN-1

Implement an effective interface interface strategy and design.

 

 

IN-2

Implement effective processing procedures

 

 

4.4 Data Management System Controls (DA)

DA-1

Implement an Effective Data Management System Strategy and Design

 

Key Concepts - Database Management Systems

Authentication/Authorization

SQL Commands

System, Role, Object Privileges

Stored Procedures

Key Concepts – Middleware

Middleware Controls

Key Concepts – Cryptography

Key Concepts – Data Warehouse, Data Reporting and Data Extraction Software

Segregation of Duties


|

« 内閣官房 パブコメ 「セキュア・ジャパン2009」(案) | Main | 総務省 クラウドコンピューティング時代のデータセンター活性化策に関する検討会 »

Comments

丸山さん

ご無沙汰してます。いぜん、COBIT4.0の翻訳レビュー(DS担当)で、お世話になった上原です。

ところで、まるちゃん!あなたはえらい!。。。だけど、つま○○さんの主催する例の会にもぜひ参加してください。なんせ場所はいっしょですから、いつでもお待ちしております。詳しくは、つま○○さんまで。

調査研究(上原)@先日、名古屋支部でお世話になってまいりました(5月度月例会)。次回は、ぜひ、大阪支部で!?

Posted by: 上原一浩 | 2009.05.30 at 00:59

上原一浩さん、コメントありがとうございます。
例の勉強会ですね。できる限り協力できるよう考えてみます。

Posted by: 丸山満彦 | 2009.06.01 at 09:02

The comments to this entry are closed.

TrackBack

TrackBack URL for this entry:
http://app.cocolog-nifty.com/t/trackback/64462/44951536

Listed below are links to weblogs that reference GAO Federal Information System Controls Audit Manual (FISCAM) 表:

« 内閣官房 パブコメ 「セキュア・ジャパン2009」(案) | Main | 総務省 クラウドコンピューティング時代のデータセンター活性化策に関する検討会 »