Report on the Description of the NSD Controls, Suitability of Controls Design and Operating Effectiveness - page 40-41

Report on the Description of the National Settlement Depository Controls, Suitability of Controls Design and Operating Effectiveness,
12 October, 2015
Objective 7. Controls provide reasonable assurance that logical access to business-critical systems and applications is restricted to authorized individuals

Ref # 7.1
Control procedure: The role model functionality embedded within key applications and systems facilitates appropriate segregation of duties across business processes. Roles in ASER and Alameda are segregated for key critical functions and actions.
Testing performed: Inspected the segregation of duties in Alameda and ASER and ensured that roles were segregated for key critical actions.
Results of tests: We noted that the head of one of the departments has rights to create and approve service operations and clients' orders in Alameda. Inspected the user activity log (the user does not have access to this log) for the audit period and ensured that no such actions were performed under his account.

Ref # 7.2
Control procedure: Access requests to Active Directory and applications are reviewed and authorised by responsible employees before access is granted.
Testing performed: For a sample of created accounts, inspected the access granting procedure and ensured all accounts were approved and rights were according to user job responsibilities.
Results of tests: No exceptions noted

Ref # 7.3
Control procedure: User access rights to the systems are removed for terminated employees on a timely basis.
Testing performed: For a sample of terminated employees (both transfer and dismissal), inspected the procedure of blocking user accounts and ensured all user accounts of dismissed employees were blocked in all systems.
Results of tests: No exceptions noted

Ref # 7.4
Control procedure: Developers do not have access to the production environment.
Testing performed: Inspected the lists of administrators in the systems and ensured that developers have no access to the production environment.
Results of tests: No exceptions noted