IBMAS400SecurityProcedures.doc

Table of Contents Page A. Purpose and Scope 1 B. Preparatory Steps 2 C. General information 3 D. Standards 5 E. Documentation 6 F. Physical Security 8 G. Backup Procedures 9 H. Disaster Recovery 11 I. Implementation Change Control 12 J. Operations/Processing 16 (Job Scheduling, Tape Library Management, Output Handling) K. System Security - General 19 System Security Values 20 User Group Profiles 27 Libraries 34 Objects 35 System Utilities 36 System Commands 37 System Logs 39 L. Physical Inventory 41 M. Systems Performance 42 N. Preventative Maintenance 43 A. Purpose And Scope This program is designed to enable the auditor to examine and test the effectiveness of controls and procedures at data centers using IBM System/34, 36, 38 and AS/400 computers. Included in the audit program are suggested audit steps that are designed to obtain evidence that key control procedures are operating effectively. The audit approach includes: background information, standards, documentation, implementation/change controls, backup procedures (including those financial files required by law - such as general ledger, payroll, receivables, sales, cost of sales and any master file/tables required to complete the financial information - such as chart of accounts, cost, price masters), disaster recovery, computer operations and logical access security. This guide should be read through in its entirety before an audit is commenced in order to gain a thorough understanding of the audit approach. The Appendix contains added information on classifying data and background information on the various machines that are covered in this audit program. B. Preparatory Steps 1. Review existing corporate computer policies and guidelines and evaluate their impact on the planned audit scope. 2. Review the workpapers and response to the prior audit report. 3. Obtain and review the current organizational chart for the releva