IT_General_Requiremen

GeneralRequirementforGeneralComputerControlsReview概要信息文档NetworkDiagram;网络拓扑图CriticalServerHardwareListincludingModel,O/Sversionandnameofoutsourcedvendorsupport;主要服务器的硬件列表，包含其型号、操作系统、购买日期和供应商名称等关键信息MajorApplicationSystemincludingsoftwarenameandnameofoutsourcedvendorsupport.主要应用系统的软件列表，包含其名称、购买日期与外部服务商名称等关键信息Wewillbeappreciatedifyoucanpreparethefollowingdocumentations(ifany)beforethecommencementofourannualgeneralcomputercontrolsreview.此外根据我们本次审核的范围，还需要贵公司提供以下文档(如不适用则略过)：1)InformationResourceStrategyandPlanning信息资源战略和计划Organisation组织结构Documentationregardingdepartmentaland/orjobfunction/responsibility.与部门或工作的职能和责任有关的文件Consistenttotheentity’sbusinessandstrategicgoals实体业务和战略目标的一致性Informationsystemsstrategiesandlong-andshort-termplans;信息系统战略以及长、短期计划Currentbusinessstrategy.当前业务战略MISPersonnelTrainingandRecruitment管理信息系统人员的培训和招聘Trainingmaterials;培训材料Pre-definedMISpersonnelqualificationsandrequirements.既定的管理信息系统人员的资格和要求2)InformationSystemOperations信息系统运作Monitoringofprocessing/Authorizationofschedules监控处理/时间表的授权Operationalmanual;运作手册Detailsoftheday-to-dayoperationjobschedule;详细的日常操作工作时间表Joblogs(samplesonly);工作日志(仅需样本)Logforexceptionstonormalprocessing;正常处理的例外情况日志Documentaryevidenceofmanagementreview.管理层审核的有关文件Backupschedulesandretention备份时间表和留存资料Backupschedule;备份时间表Backuplog;备份日志Documentaryevidenceregardingthetestingofon-goingreadabilityofbackupandretaineddata;与备份及保留数据的测试有关的文件Physicalsecurityforbackupmedia;备份媒体的物理安全Anyoff-sitebackuparrangement.异地备份安排Monitoringservicelevels服务水平监控Reportsforperformanceandcapacityutilizationofthecomputersystem;计算机系统性能和容量利用报告Servicelevelagreementswithaffectedparties;有关部门的服务水平协议Documentaryevidenceregardingmonitoringofservicelevels.与服务水平监控有关的文件UserTraining用户培训Proceduresfortrainingtousers;用户培训程序Usermanuals(samplesonly).用户手册(仅需样本)Helpdesk/Problemresolution帮助/问题解决Detailsofhelpdeskarrangement;帮助的具体安排Problemlogs(samplesonly);问题日志(仅需样本)Problemstatisticsprovidedtomanagement;给管理层的问题统计Agreementswithoutsidecontractorsorsoftwarevendorsforsupportservices.与外部承包人或软件供应商鉴定的有关支持服务的协议3)InformationSecurity信息安全General概况Informationsystemsecuritypolicies,procedures,standardand/orguidance;信息系统安全政策、程序、标准或指导Securityandinternalcontrolframework;安全和内部控制框架Systemssecurityconfigurationreports信息安全设置报告Logicalsecurity逻辑安全RACFsecuritysettings(separaterequestlistingwillbeprovidedduringourreview);RACF安全设置(在审核中将提供单独的所需材料清单)SecuritysettingsofdistributedenvironmentssuchasUnix,OS/400,WindowsNTandNovellNetware,ifavailable(ourDTTproprietaryautomatedtoolwillbeusedtoperformsuchreview);操作环境的安全设置，例如：Unix,OS/400,WindowsNT和NovellNetware(如果可能，我们DTT拥有的自动工具将提供相关的审核)Policyandproceduresregardingthecreation,alterationanddeletionofusersaccessauthorityovertheoperatingsystemlevel,applicationlevelanddatabaselevel;与创建、变更和删除用户对操作系统及数据库的访问、应用权限有关的政策和程序Userprofilelistingsofoperatingsystems,applicationsystemsanddatabasesystems;操作系统、应用系统和数据库系统的用户文档清单Documentaryevidenceregardingmonitoringofvalidityofusersprofilelistings.与用户文档清单有效性的监控有关的文件Physicalsecurityandenvironmentalcontrols物理安全和环境控制Restrictedareaaccesspolicies,procedures,standardsandguidance;限制区的进入政策、程序、标准和指导Policyandproceduresregardingtheadministrationofphysicalsecurity;与物理安全管理有关的政策和程序Accesscontrolmechanismmonitoringlogs;进入控制机制的监控日志Listofpersonnelwhohaveaccesstotherestrictedareas;有限制区进入权的人员名单Inventorylogsofaccesskeys,cardsandetc.fortherestrictedareas.进入限制区的钥匙、门卡等清单Virusprotection病毒保护Policy,procedures,standardsandguidancerelatingtovirusscanningofthenetworkandupdatingofvirussignaturelists;与网络病毒扫描和病毒库更新有关的政策、程序、标准和指导Listofanti-virussoftwareinuse;在用的反病毒软件清单Communicationtousersregardingthepolicy;针对既定的病毒防护政策，与用户进行相应沟通的文档记载Scheduleofvirusscans;病毒扫描时间表Resultingreportsfromvirusscans.病毒扫描的结果报告Softwareassetmanagement软件资产管理Policy,procedures,standards,andguidanceregardingpurchasing,approving,loading,andusingsoftware;与软件的购买、安装审批和使用有关的政策、程序、标准和指导Listingofsoftwareinventory;软件清单Approvedsoftwarelistand/orcriteria;正式的软件采购列表的及审批标准Documentationofsoftwareuseversusinventorycomparisonprocess;现用软件与公司已购买软件的对比列表Proofofownershipofsoftware(sampleonly).软件使用权的证据(仅需样本)4)ApplicationSystemsImplementationandMaintenance应用系统实施和维护General概况Systemdevelopmentmethodology;信息发展方法Listingofapplicationdevelopmentprojectsorlistingofapplicationsystemschangedduringtheyear.应用系统发展项目或年内应用系统变化的清单Approvalofapplicationsystemsacquisitionanddevelopment应用系统取得和发展的审批Policies,procedures,standards,andguidanceregardingmanagementapprovalofdevelopmentprojectsandsoftwareacquisitions;发展项目和软件需求审批的政策、程序、标准和指导Projectapproval,purchaserequestandauthorizationdocumentation;(sampleonly);项目审批、采购需求和文件授权(仅需样本)Projectplan;(sampleonly);项目计划(仅需样本)Projectimplementationschedules(sampleonly).项目实施时间表(仅需样本)Testingofapplicationsystemsimplementation应用系统实施的测试Formaltestplanwhichcoverssystemandunittesting,paralleltesting,interfacetestinganduseracceptancetest;正规的测试计划，包括单元测试、并行测试、接口测试和用户接受测试PolicyandprocedureforDataConversionTesting;数据转换测试的政策和程序DataConversionexceptionreports(sampleonly).数据转换例外报告(仅需样本)SystemChangeManagem