Policy, Standards, Regulations & Compliance
Back to list
Advise on Internal Control Policies
Sep 19 2007 06:46PM
mr nasty ix netcom com
This is almost a case study. This is a relatively small shop with about 10 people in the entire IT which includes three managers, three development IT, 1 security, two sysadmins and one assistant admin, 1 tester, 1 mgr who really isn't IT and only does one small administrative job concerning IT.
I am in need of some basic advice on establishing an internal controls policy. I'm aware of what is required but I feel like I'm swimming upstream.
Mgmt has decided to utilize bugzilla, rdist and cvs to establish the internal controls procedure for our code modification (development phase), testing (phase) and production (phase).
The problem started due to an IT audit which indicated we didn't have any policy or regulatory requirements, (which is true). Our shop generates nice hundred mill in revenues annually.
The computer room is open to eight of the ten same IT people, this does not include security. These same people have direct (root) access to all the boxes remotely (including VPN) and the computer room. In the past they fix problems as they occur. No procedure no controls. Our company is service based and bills through the web.
The computer room has motion sensor video which is reviewed by the two sysadmins.
At any time any one of these eight people who have direct access to the code, the os, the data and the hardware can change the web interface to divert payments to an anonymous bank account over the weekend, come in Monday and remove the billing from the database while it gets reconciled and add it back afterwards.
I'm not saying they do this I'm just saying that it can be done with ease since they have access to all this information. My problem is that by using bugzilla as our internal control procedure they have mixed interpretations over what is bugzilla. Although they would like to use it as the IC procedure they also only would like to use it for reporting bugs only, hence the name bugzilla.
But when I try to figure out how bugzilla along with cvs and rdist are going to provide us with a method they insist that it will take care of the SDLC (system dev life cycle).
I've suggested third party software to do this only because it would establish a control for data integrity. If we control the controls then we can manipulate the end result, using bugzilla I feel the data could not be relied upon.
and assistance, comment or criticisms would be helpful.
[ reply ]
RE: Advise on Internal Control Policies
Sep 19 2007 10:16PM
Jason Bevis FOUNDSTONE COM
Copyright 2010, SecurityFocus