| Control ID | Control Description | Coverage in CDP (Continuous Delivery Pipeline) |
|---|---|---|
| ITGC01. Information Security Policies and Standards | An Information Security Management System (ISMS) plan and policy exists and has been approved by Executive Management.<br>Control activities:<br>1. Information Security policies and standards are documented/updated and reviewed/signed-off by Executive Management on a periodic basis.<br>2. Information Security policies and standards are communicated to the appropriate personnel and training is conducted. | Covered in Continuous Exploration |
| ITGC02. Information Security Policies and Standards Compliance Management | The enterprise has processes to monitor compliance with Information Security policies and standards.<br>Note: An overall security review, with involvement of the IT Security team, takes place before a release.<br>Control activities:<br>1. Non-compliance with Information Security policies and standards is monitored, tracked and reported on.<br>2. Non-compliance with Information Security policies and standards is actioned by the business and/or IT owner(s) based on risk and impact to the organization. | Covered in Continuous Integration |
| ITGC03. Development Methodology | The organization has a solution development methodology that contains a set of requirements, including security and processing integrity controls, that are adhered to throughout the solution development lifecycle.<br>Control activities:<br>1. The solution development methodology is documented/updated and reviewed/signed-off by the IT owner(s) on a periodic basis.<br>2. The solution development methodology requires that any changes identified are authorized and prioritized by business owners and aligned to quarterly objectives and desired business outcomes.<br>3. The solution development methodology requires planning for the ongoing maintenance of the systems/solutions developed.<br>4. The solution development methodology requires defining new and changed IT services and service levels of developed systems/solutions.<br>5. The solution development methodology requires that initiative closure and acceptance be performed by the business owner for work having a defined start and end date. For work delivered through agile continuous delivery, the business owner accepts all changes and authorizes them at production release. | Activities 1 & 2 are covered in Continuous Integration.<br>Activities 3, 4 & 5 are covered in [new] Continuous Deployment. |
| ITGC04. Application Controls | The solution development methodology, through architectural and security practices, requires that information systems are designed to include application controls that support complete, accurate, authorized and valid transaction processing.<br>Control activities:<br>1. Requirements for configuration/calculation/exception-handling application and system controls are defined and built into solutions that support complete, accurate, authorized and valid transaction processing.<br>2. Interface validation mechanisms are defined and built into solutions to support completeness, accuracy and timeliness of data being transferred between systems.<br>3. Access control mechanisms are defined and built into solutions to ensure that access to systems, functionality and data is restricted to authorized personnel only. | Activity 1 is covered in Continuous Exploration.<br>Activities 2 & 3 are covered in Continuous Integration. |
| ITGC05. User Involvement | The enterprise has a solution development methodology that defines and maintains business functional and technical requirements that are endorsed by all stakeholders.<br>Control activities:<br>1. Product/business owner(s) review and authorize/approve all work/requirements as part of quarterly planning.<br>2. Product/business owner(s) review and authorize/approve the final choice of solution, acquisition approach and high-level design, aligned to the desired business outcome. This is achieved through the quarterly planning process.<br>3. Product/business owner(s) review and authorize/approve User Acceptance Testing (UAT) results. | Activities 1 & 2 are covered in Continuous Integration.<br>Activity 3 is covered in [new] Continuous Deployment. |
| ITGC06. Compliance with Development Methodology | The organization has a solution development methodology that contains a set of requirements, including security and processing integrity controls, that are adhered to throughout the system development lifecycle.<br>Control activities:<br>1. In-house IT developments (including infrastructure) and/or procured systems comply with the solution development methodology. | Covered in Continuous Integration |
| ITGC07. Change Management | Requests for program changes and system changes (including maintenance) are standardized, logged, evaluated, prioritized and approved. The enterprise maintains a change management repository to track all requested changes, including the status of approved, in-progress and closed changes. IT Management implements system software that does not jeopardize the security of programs or the integrity of data stored on the system. Post-implementation reviews are conducted to confirm outcomes and results.<br>Control activities:<br>1. The Change Management process/procedures are documented/updated and reviewed/signed-off by the IT owner(s) on a periodic basis.<br>2. All change requests are documented/logged in a change management repository, including a description of the change. An implementation plan and a backout plan are required for teams with system limitations that are not able to follow the risk-based automated deployments documented in the solution development methodology.<br>3. All changes are authorized by the business and/or IT owner(s) or designate(s), and medium/high-risk changes are reviewed in the weekly Change/Technical Advisory Boards (CAB/TAB).<br>4. All changes are tested in a non-production environment prior to production implementation. In cases where testing in a non-production environment is not possible, this is documented within the RFC.<br>5. Post-implementation validation is conducted and validation results are reviewed. | Activity 5 is covered in Release on Demand.<br>Activities 1 to 4 are covered in Continuous Integration & Continuous Deployment. |
| ITGC08. Emergency Change Management | Emergency change requests are documented and subject to formal change management procedures. A post-implementation review is conducted to confirm outcomes and results.<br>Control activities:<br>1. All emergency change requests are documented/logged in a change management repository, including a description of the emergency change.<br>2. The Emergency Change Management process/procedures are documented/updated and reviewed/signed-off by the IT owner(s) on a periodic basis.<br>3. Emergency changes are authorized by the business and/or IT owner(s) or designate(s). Authorization is automated for teams following risk-based automated deployments.<br>4. Post-implementation validation is conducted for emergency changes and validation results are reviewed. | Activities 1, 2 & 3 are covered in Continuous Integration.<br>Activity 4 is covered in Continuous Deployment. |
| ITGC09. Promotion to Production | A process is established so that the migration of accepted solutions/software releases into production is restricted to authorized individuals/functions only.<br>Control activities:<br>1. Promotion-to-production process/procedures are documented/updated and reviewed/signed-off by the IT owner(s) on a periodic basis, for each system with a procedural SoD in place.<br>2. Proper segregation of duties is established between staff functions responsible for program development, promoting changes to production, and IT operational support. | Activity 1 is covered in Continuous Exploration.<br>Activity 2 is covered in Continuous Deployment & Release on Demand. |
| ITGC10. Testing | A test strategy must be followed which includes testing scope, goals, approach, tools, roles, environments, test exit criteria and timing of test activities. It takes into consideration testing requirements including security, architectural design, internal controls and privacy.<br>Control activities:<br>1. Testing artifacts are prepared which include test design, test cases/steps, test coverage, test issues, and expected and actual results.<br>2. Testing is executed in accordance with the test strategy, testing artifacts are retained, and testing results are reviewed and authorized/approved by the business and IT owner(s) prior to production implementation. | Covered in Continuous Integration |
| ITGC11. System Interfaces | A test strategy must be followed which includes systems interface testing and is established to ensure data transmissions are complete, accurate and valid. It takes into consideration environments, security, internal controls and privacy.<br>Control activities:<br>1. Systems interface testing artifacts are prepared which include test design, test cases/steps, test coverage, test issues, and expected and actual results.<br>2. Systems interface testing is conducted in non-production environments (source and destination), testing artifacts are retained, and test results are reviewed and authorized/approved by the business and IT owner(s) prior to production implementation. | Covered in Continuous Exploration and Continuous Integration |
| ITGC12. Data Conversion and Migration | A test strategy must be followed which includes system and data conversion/migration testing and is established to ensure data conversion/migration is complete, accurate and valid. It compares original and converted data, including audit trails, provides a recovery plan if conversion/migration fails, and takes into consideration security, internal controls and privacy.<br>Control activities:<br>1. Data conversion/migration testing artifacts are prepared which include test design, test cases/steps, test coverage, test issues, and expected and actual results.<br>2. Data conversion/migration testing, which includes comparing original and converted/migrated data (e.g. record counts, validation of financial integrity, etc.), is conducted, testing artifacts are retained, and test results are reviewed and authorized/approved by the business owner(s) prior to production data conversion/migration. | Covered in Continuous Exploration & Continuous Integration |
| ITGC13. Configuration Management and Monitoring of Configuration Change | A process is established for implementing and maintaining security configurations, and for monitoring security configuration changes.<br>Control activities:<br>1. Security configuration management process/procedures are documented/updated and reviewed/signed-off by the IT owner(s) on a periodic basis.<br>2. Systems are configured in accordance with security configuration baselines/standards.<br>3. Changes to security configurations are monitored, and deviations are followed up on and resolved. | Highlighted activity is covered in Release on Demand |
| ITGC14. Job Scheduling and Monitoring | IT Management has documented and established IT operational procedures, including job scheduling changes/events and incident management processes, to ensure the integrity of batch processing.<br>Control activities:<br>1. IT operational procedures are documented/updated and reviewed/signed-off by the IT owner(s) on a periodic basis.<br>2. Job schedules are maintained and batch/backup jobs are monitored.<br>3. Job failures are documented, followed up on and resolved. | Highlighted activity is covered in Release on Demand |
| ITGC15. Incident Management | IT Management has defined and implemented an incident management system such that operational issues, data integrity issues and security-related issues are recorded, analyzed, resolved in a timely manner and reported to Management.<br>Control activities:<br>1. The incident management process is documented/updated and reviewed/signed-off by the IT owner(s) on a periodic basis.<br>2. Incidents are documented/logged within an incident management repository, including the description of the incident, incident analysis/diagnostics, resolution steps, historical activity and response time.<br>3. Incidents are assigned a priority level based on risk and impact to the organization.<br>4. Incidents are escalated in accordance with the incident management process.<br>5. Incidents are resolved on a timely basis (as defined in the incident management process documentation) and incident tickets are closed upon verification from, or with notification to, the affected user(s).<br>6. Service Management reports are reviewed and signed-off by the IT owner(s) on a monthly basis. | All activities are covered in Release on Demand |
| ITGC16. Problem Management | IT Management has defined and implemented a problem management system such that operational issues, data integrity issues and security-related issues are recorded, analyzed, resolved in a timely manner and reported to Management.<br>Control activities:<br>1. The problem management process is documented/updated and reviewed/signed-off by the IT owner(s) on a periodic basis.<br>2. Problems are documented/logged within a problem management repository, including the problem description, historical activity, root cause analysis and resolution steps. Note: problems identified through incidents have the corresponding incident tickets referenced.<br>3. Problems are assigned a priority level based on risk and impact to the organization.<br>4. Problems are resolved and problem tickets are closed.<br>5. Service Management reports are reviewed and signed-off by the IT owner(s) on a monthly basis. | All activities are covered in Release on Demand |
| ITGC17. Backup Monitoring | IT Management has implemented a strategy for cyclical backup of data and programs.<br>Control activities:<br>1. Backup and Recovery procedures are documented/updated and reviewed/signed-off by the IT owner(s) on a periodic basis.<br>2. Application, platform/server and database backups are performed on a scheduled basis based on backup and recovery requirements.<br>3. Backup jobs are monitored to ensure that the jobs run to completion without errors.<br>4. Backup job failures are documented, followed up on and rectified based on business requirements.<br>5. Backup media are stored at an off-site location. | All activities are covered in Release on Demand |
| ITGC18. Backup Media Testing | The restoration of information is periodically tested.<br>Control activities:<br>1. The backup media testing process is documented/updated and reviewed/signed-off by the IT owner(s) on a periodic basis.<br>2. Testing of restoration from backup media is conducted periodically and test results are reviewed and signed-off by the IT owner(s). | All activities are covered in Release on Demand |
| ITGC20. Security Event Monitoring | IT Security monitors and logs security activity at the network, platform/server and database levels, and identified security violations are reported to Management.<br>Control activities:<br>1. Security Information and Event Management (SIEM) process/procedures are documented/updated and reviewed/signed-off by the IT owner(s) on a periodic basis.<br>2. Security logging is enabled at the network, platform/server and database levels and complies with Information Security standards.<br>3. Security logs are sent to the SIEM tool for monitoring, and security events are assessed to determine whether they are security violations.<br>4. Security violations are documented/logged, including the description of the security violation, analysis/diagnostics, resolution steps, historical activity and response time.<br>5. Security violations are followed up on, resolved by IT Security and reported to Management. | All activities are covered in Release on Demand |
| ITGC21/23. User Access Provisioning / Segregation of Duties | Procedures exist and are followed relating to timely action for requesting, granting, suspending and closing user accounts. Controls relating to appropriate segregation of duties (SoD) over requesting and granting access to systems and data exist and are followed.<br>Control activities:<br>1. Identity and Access Management process/procedures are documented/updated and reviewed/signed-off by the IT owner(s) on a periodic basis.<br>2. User access to networks, applications, platforms/servers and databases is requested, documented and approved by the business and/or IT owner(s).<br>3. User access is provisioned in accordance with roles and responsibilities, and proper segregation of duties exists between requesting and granting access to systems and data.<br>4. User account terminations are processed on a timely basis. | All activities are covered in Release on Demand |
| ITGC24. Threat and Vulnerability Management | Appropriate controls, including firewalls, intrusion prevention/detection systems and vulnerability assessments, exist and are used to prevent and detect unauthorized access to information assets.<br>Control activities:<br>1. Networks are protected using firewalls and intrusion prevention/detection systems.<br>2. Anti-malware software is deployed, virus definitions are up to date, and scans are performed to detect malware on the networks, platforms/servers and workstations.<br>3. Vulnerability scans and assessments are performed on a periodic basis.<br>4. Network penetration testing is performed on a periodic basis.<br>5. Vulnerability assessment and penetration testing results are documented, reviewed and signed-off by the IT owner(s).<br>6. Vulnerability assessment and penetration testing issues are followed up on, investigated and resolved based on risk and impact to the organization.<br>7. System security software/patches are applied in a timely manner. | All activities are covered in Release on Demand |