GAO Federal Information System Controls Audit Manual (FISCAM) as a table
Hello, this is Mitsuhiko Maruyama. I have put FISCAM into table form. It is also a useful reference when thinking about IT general controls and IT application controls under J-SOX.
3.1. Security Management (SM)

| ID | Critical element | Control activities |
| --- | --- | --- |
| SM-1 | Establish a security management program | SM-1.1 The security management program is adequately documented, approved, and up-to-date |
| | | SM-1.2 A security management structure has been established |
| | | SM-1.3 Information security responsibilities are clearly assigned |
| | | SM-1.4 Subordinate security plans are documented, approved, and kept up-to-date |
| | | SM-1.5 An inventory of systems is developed, documented, and kept up-to-date |
| SM-2 | Periodically assess and validate risks | |
| SM-3 | Document and implement security control policies and procedures | |
| SM-4 | Implement effective security awareness and other security-related personnel policies | SM-4.1 Ensure that resource owners, system administrators, and users are aware of security policies |
| | | SM-4.2 Hiring, transfer, termination, and performance policies address security |
| | | SM-4.3 Employees have adequate training and expertise |
| SM-5 | Monitor the effectiveness of the security program | |
| SM-6 | Effectively remediate information security weaknesses | |
| SM-7 | Ensure that activities performed by external third parties are adequately secure | |
3.2. Access Controls (AC)

| ID | Critical element | Control activities |
| --- | --- | --- |
| AC-1 | Adequately protect information system boundaries | AC-1.1 Appropriately control connectivity to system resources |
| | | AC-1.2 Appropriately control network sessions |
| AC-2 | Implement effective identification and authentication mechanisms | AC-2.1 Users are appropriately identified and authenticated |
| AC-3 | Implement effective authorization controls | AC-3.1 User accounts are appropriately controlled |
| | | AC-3.2 Processes and services are adequately controlled |
| AC-4 | Adequately protect sensitive system resources | AC-4.1 Access to sensitive system resources is restricted and monitored |
| | | AC-4.2 Adequate media controls have been implemented |
| | | AC-4.3 Cryptographic controls are effectively used |
| AC-5 | Implement an effective audit and monitoring capability | AC-5.1 An effective incident response program is documented and approved |
| | | AC-5.2 Incidents are effectively identified and logged |
| | | AC-5.3 Incidents are properly analyzed and appropriate actions taken |
| AC-6 | Establish adequate physical security controls | AC-6.1 Establish a physical security management program based on risk |
| | | AC-6.2 Establish adequate perimeter security based on risk |
| | | AC-6.3 Establish adequate security at entrances and exits based on risk |
| | | AC-6.4 Establish adequate interior security based on risk |
| | | AC-6.5 Adequately protect against emerging threats based on risk |
3.3. Configuration Management (CM)

| ID | Critical element | Control activities / key concepts |
| --- | --- | --- |
| CM-1 | Develop and document CM policies, plans, and procedures | |
| CM-2 | Maintain current configuration identification information | |
| CM-3 | Properly authorize, test, approve, track, and control all configuration changes | |
| CM-4 | Routinely monitor the configuration | |
| CM-5 | Update software on a timely basis to protect against known vulnerabilities | Vulnerability scanning |
| | | Patch management |
| | | Virus protection |
| | | Emerging threats |
| | | Noncurrent software |
| | | Software usage |
| CM-6 | Appropriately document and approve emergency changes to the configuration | |
3.4. Segregation of Duties (SD)

| ID | Critical element | Control activities |
| --- | --- | --- |
| SD-1 | Segregate incompatible duties and establish related policies | SD-1.1 Incompatible duties have been identified and policies implemented to segregate these duties |
| | | SD-1.2 Job descriptions have been documented |
| | | SD-1.3 Employees understand their duties and responsibilities |
| SD-2 | Control personnel activities through formal operating procedures, supervision, and review | SD-2.1 Formal procedures guide personnel in performing their duties |
| | | SD-2.2 Active supervision and review are provided for all personnel |
3.5. Contingency Planning (CP)

| ID | Critical element | Control activities |
| --- | --- | --- |
| CP-1 | Assess the criticality and sensitivity of computerized operations and identify supporting resources | CP-1.1 Critical data and operations are identified and prioritized |
| | | CP-1.2 Resources supporting critical operations are identified and analyzed |
| | | CP-1.3 Emergency processing priorities are established |
| CP-2 | Take steps to prevent and minimize potential damage and interruption | CP-2.1 Data and program backup procedures have been implemented |
| | | CP-2.2 Adequate environmental controls have been implemented |
| | | CP-2.3 Staff have been trained to respond to emergencies |
| | | CP-2.4 Effective hardware maintenance, problem management, and change management help prevent unexpected interruptions |
| CP-3 | Develop and document a comprehensive contingency plan | CP-3.1 An up-to-date contingency plan is documented |
| | | CP-3.2 Arrangements have been made for alternate data processing, storage, and telecommunications facilities |
| CP-4 | Periodically test the contingency plan and adjust it as appropriate | CP-4.1 The plan is periodically tested |
| | | CP-4.2 Test results are analyzed and the contingency plan is adjusted accordingly |
Business Process Application Controls

4.1. Application Level General Controls (AS)

| ID | Critical element | Control activities |
| --- | --- | --- |
| AS-1 | Implement effective application security management | Establish an application security plan |
| | | Periodically assess and validate application security risks |
| | | Document and implement application security policies and procedures |
| | | Implement effective security awareness and other security-related personnel policies |
| | | Monitor the effectiveness of the security program |
| | | Effectively remediate information security weaknesses |
| | | Ensure that activities performed by external third parties are adequately secure |
| AS-2 | Implement effective application access controls | Adequately protect application boundaries |
| | | Implement effective identification and authentication mechanisms |
| | | Implement effective authorization controls |
| | | Adequately protect sensitive application resources |
| | | Implement an effective audit and monitoring capability |
| | | Establish adequate physical security controls |
| AS-3 | Implement effective application configuration management | |
| AS-4 | Segregate user access to conflicting transactions and activities and monitor | |
| AS-5 | Implement effective application contingency planning | Assess the criticality and sensitivity of the application |
| | | Take steps to prevent and minimize potential damage and interruption |
| | | Develop and document an application contingency plan |
| | | Periodically test the contingency plan and adjust it as appropriate |
4.2. Business Process Controls (BP)

| ID | Critical element | Control activities |
| --- | --- | --- |
| BP-1 | Transaction data input is complete, accurate, valid, and confidential (transaction data input controls) | Implement an effective transaction data strategy and design |
| | | Establish input preparation (approval and review) policies and procedures |
| | | Build data validation and edits within the application |
| | | Implement an effective auditing and monitoring capability |
| BP-2 | Transaction data processing is complete, accurate, valid, and confidential (transaction data processing controls) | Formal transaction processing procedures |
| | | Effective auditing and monitoring capability |
| BP-3 | Transaction data output is complete, accurate, valid, and confidential (transaction data output controls) | Implement a reporting strategy |
| | | Establish security and controls over report generation and distribution |
| BP-4 | Master data setup and maintenance is adequately controlled | Implement an effective design of master data elements |
| | | Establish master data maintenance procedures, including approval, review, and adequate support for changes to master data |
| | | Implement an effective auditing and monitoring capability |
4.3. Interface Controls (IN)

| ID | Critical element | Control activities |
| --- | --- | --- |
| IN-1 | Implement an effective interface strategy and design | |
| IN-2 | Implement effective processing procedures | |
4.4. Data Management System Controls (DA)

| ID | Critical element | Key concepts |
| --- | --- | --- |
| DA-1 | Implement an effective data management system strategy and design | Database management systems: authentication/authorization |
| | | Database management systems: SQL commands |
| | | Database management systems: system, role, and object privileges |
| | | Database management systems: stored procedures |
| | | Middleware |
| | | Middleware controls |
| | | Cryptography |
| | | Data warehouse, data reporting, and data extraction software |
| | | Segregation of duties |
Comments
Maruyama-san,
It has been a while. This is Uehara; you kindly helped me before on the COBIT 4.0 translation review (I was in charge of the DS section).
By the way, Maru-chan, you are great! ... But please also come to that meeting that Tsuma○○-san hosts. After all, it is held in the same place, so you are welcome any time. For details, ask Tsuma○○-san.
Research (Uehara) @ The other day I was kindly looked after at the Nagoya chapter (May monthly meeting). Next time, the Osaka chapter, perhaps!?
Posted by: 上原一浩 | 2009.05.30 00:59
Uehara-san, thank you for your comment.
You mean that study group. I will see how I can help as much as possible.
Posted by: 丸山満彦 | 2009.06.01 09:02