General Requirement for General Computer Controls Review

Summary information documents:
  - Network diagram;
  - Critical server hardware list, including model, O/S version, purchase date and name of outsourced vendor support;
  - Major application systems, including software name, purchase date and name of outsourced vendor support.

In addition, depending on the scope of this review, we would appreciate it if you could prepare the following documentation (skip any item that does not apply) before the commencement of our annual general computer controls review.

1) Information Resource Strategy and Planning

  Organisation
  - Documentation regarding departmental and/or job function/responsibility.

  Consistency with the entity's business and strategic goals
  - Information systems strategies and long- and short-term plans;
  - Current business strategy.

  MIS Personnel Training and Recruitment
  - Training materials;
  - Pre-defined MIS personnel qualifications and requirements.

2) Information System Operations

  Monitoring of processing / Authorization of schedules
  - Operational manual;
  - Details of the day-to-day operation job schedule;
  - Job logs (samples only);
  - Log for exceptions to normal processing;
  - Documentary evidence of management review.

  Backup schedules and retention
  - Backup schedule;
  - Backup log;
  - Documentary evidence regarding the testing of on-going readability of backup and retained data;
  - Physical security for backup media;
  - Any off-site backup arrangement.

  Monitoring service levels
  - Reports for performance and capacity utilization of the computer system;
  - Service level agreements with affected parties;
  - Documentary evidence regarding monitoring of service levels.

  User Training
  - Procedures for user training;
  - User manuals (samples only).

  Help desk / Problem resolution
  - Details of help desk arrangement;
  - Problem logs (samples only);
  - Problem statistics provided to management;
  - Agreements with outside contractors or software vendors for support services.

3) Information Security

  General
  - Information system security policies, procedures, standards and/or guidance;
  - Security and internal control framework;
  - Systems security configuration reports.

  Logical security
  - RACF security settings (a separate request listing will be provided during our review);
  - Security settings of distributed environments such as Unix, OS/400, Windows NT and Novell NetWare, if available (our DTT proprietary automated tool will be used to perform such review);
  - Policy and procedures regarding the creation, alteration and deletion of users' access authority at the operating system, application and database levels;
  - User profile listings of operating systems, application systems and database systems;
  - Documentary evidence regarding monitoring of the validity of user profile listings.

  Physical security and environmental controls
  - Restricted area access policies, procedures, standards and guidance;
  - Policy and procedures regarding the administration of physical security;
  - Access control mechanism monitoring logs;
  - List of personnel who have access to the restricted areas;
  - Inventory logs of access keys, cards, etc. for the restricted areas.

  Virus protection
  - Policy, procedures, standards and guidance relating to virus scanning of the network and updating of virus signature lists;
  - List of anti-virus software in use;
  - Communication to users regarding the policy;
  - Schedule of virus scans;
  - Resulting reports from virus scans.

  Software asset management
  - Policy, procedures, standards and guidance regarding purchasing, approving, loading and using software;
  - Listing of software inventory;
  - Approved software list and/or criteria;
  - Documentation of the software use versus inventory comparison process;
  - Proof of ownership of software (sample only).

4) Application Systems Implementation and Maintenance

  General
  - System development methodology;
  - Listing of application development projects or listing of application systems changed during the year.

  Approval of application systems acquisition and development
  - Policies, procedures, standards and guidance regarding management approval of development projects and software acquisitions;
  - Project approval, purchase request and authorization documentation (sample only);
  - Project plan (sample only);
  - Project implementation schedules (sample only).

  Testing of application systems implementation
  - Formal test plan which covers system and unit testing, parallel testing, interface testing and user acceptance testing;
  - Policy and procedure for data conversion testing;
  - Data conversion exception reports (sample only).

  System Change Management
  - Policies and procedures for controlling access to test and production environments;
  - Change control policies, procedures, standards and guidelines;
  - Error detection and correction procedures;
  - Access control listings for the test and production environments;
  - Violation reports;
  - Minutes from change management meetings indicating discussion of hardware changes and their potential impact;
  - Memos or other communication to business management apprising them of potential interruptions.

5) Database Implementation and Support

  General
  - Current documentation for the database and the database management system, including a sample of data dictionary definitions;
  - Database management software installation procedures;
  - Documentation of DBA job functions.

  Database Modifications
  - Database and database management software change procedures;
  - Documentary evidence of management review before the database is changed;
  - Reports logging changes made to the database (samples only) and procedures regarding review of such reports.

  Database Testing
  - System development methodology, including any steps related to testing;
  - Access control listings for the test and production environments;
  - Test plans, test scripts, test objectives and test results (samples only);
  - Documentation of acceptance of test results by users before implementation.

  Management and Support of Database
  - Database statistics reports (e.g. database response time, availability, errors, etc.) and procedures regarding review of such reports;
  - Database management software vendor agreements.

6) Network Support

  General
  - Policies, procedures, standards and guidance regarding maintaining and using network software, communication software and network topology documentation;
  - Listing of network components;
  - Network documentation (e.g. network diagram).

  Approval of new network and communication software
  - A formal methodology or process guiding the acquisition, development or maintenance of network and communication software;
  - Documentary evidence of management approval for network and communication acquisitions.

  Testing of new network and communication software and of modifications to it
  - Test plans, test scripts, test objectives and test results (samples only);
  - Documentation of testing before implementation.

  Vendor agreement and setting of system software parameters
  - Network and communication software vendor agreements;
  - Documentation of the settings and use of network and communication software parameters (those that control the network communication) and other configuration options;
  - Management monitoring that supported versions of network and communication software are being used and that new releases are being implemented.

  Modifications approved by Management
  - Network and communication software change procedures;
  - Documentary evidence of management approval for network and communication software modifications;
  - Management monitoring and review of the modifications performed.

7) System Software Support

  Approval of new system software
  - A formal methodology or process guiding the acquisition, development or maintenance of systems software;
