What is the control (or what is in a name)?

  • Hi all,
    Currently we are in a discussion with regard to our IT General Control Procedures and the controls defined.
    For the sake of argument, imagine a control as: the door for datacenter access should be locked.
    We have a control in our process which says that periodically the datacenter manager validates the door is locked. We do not have as a control a lock on the door.
    What would you guys put in as a control? It is my strong belief that COBIT is focused on the control activities (e.g. validate the door is locked), not on the measures (the lock on the door).
    Who agrees or disagrees, and why?

  • I would suggest not being quite so specific as to the control. In this example, I would think that the control should be ‘access to the data center is limited to those needing access’. This would imply that the door was kept closed and locked, or that there was a way to monitor who entered and exited the room.
    This could be interpreted in many ways, one of which would be a lock on the door with control over who had a key. Others might be a sign-in sheet or video surveillance. I think that it is implicit that the door would be kept closed and locked when no one was in the room. There is no need to have a lock on the door as a separate control.

  • I agree that your controls should be defined more broadly.
    Some examples of physical controls could be:

    • Physical access controls restrict access to buildings and assets
    • Servers and mainframes are housed in secure areas
    • Servers are protected from environmental threats (temperature, fire)

    The specific steps within the test scripts would include testing for:
    • verify the data center is secured (some type of lock or method; understand how the lock works)
    • who has authorization to be in the data center
    • how do visitors and vendors gain access; how is that monitored and approved? (we use a sign-in sheet, visitors must be escorted, and senior mgt. signs off on the log)
    • verify that unauthorized individuals are unable to gain access (for us, we had programmers scan their card keys to prove they couldn’t get in, as they were unauthorized)
    • verify authorized personnel gaining access to the data center
    • determine whether it is possible to circumvent the current controls to gain access to the data center
    • etc.

  • Thank you, this is helpful in the discussion. I do agree that the more broadly defined controls make more sense. Then in the test scripts we could put in the measures to test the defined controls.
    But I also know that in the discussion they will put in the argument that these controls are defined as OBJECTIVES and not really controls. And to meet the objectives, we need to define more specific controls, which can then be monitored for effective operation.
    E.g. access to the data center is limited to those needing access. HOW?
    Via physical access controls that restrict access to buildings and assets. Which controls?
    And then I am back where we started. Stupid discussion, but a hard one to win with stubborn people…
    Note that controls in our company are specifically documented with the 5 W’s (Who does What, When, Why and hoW). This makes it difficult not to be specific in the description of the control.
    Anyway, thanks again for your input so far.

  • In terms of computer room access, we have designed a control that reviews the access list for the door and ensures that it only contains valid users. This works as a control for automated access systems. Where we have locks or digital pads, we review who has access to the key and make sure that the code for the keypads is changed regularly. To me, the control aspect is that someone reviews the list of people who can get through the door.

  • Control activities are normally a combination of automated and manual exercises. For example, each time a person enters the data center room, he or she has to swipe an access card or use the key for the lock, and this event is logged automatically. Now we need someone to check the log so that unauthorized access attempts can be identified.
    ‘access to the data center is limited to those needing access. HOW?’
    If you have key-lock control in place, only those who are responsible for maintenance of the data center should have the keys. This way you have controlled the access. You can deploy any other means as well.
    ‘physical access controls that restrict access to buildings and assets. Which controls?’
    Door locks, security guards, electronic keypads where users have access swipe cards, video cameras, etc.

  • To add to the discussion, creating an authorized access list that defines which employees are permitted to gain access to the data center for their job would be a good idea. This list should be signed off by management and reviewed on a regular basis.
    This provides you with a standard to compare against. You can then compare your access logs or key lists to the authorized access list to identify exceptions.
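The two review activities described in this thread (the earlier post that reviews the door's access list against valid users, and the post above that compares access logs and key lists to a management-signed authorized list to find exceptions) can be carried out as a small reconciliation script. The example below is added here and is not code from any poster. The authorized list, the door controller's access list, the CSV swipe-log format (`timestamp,badge_id,door,result`) and every badge ID and timestamp are constructed for illustration. It goes slightly beyond the posts by also flagging authorized people who never appear in the log, which is the usual prompt for removing stale entitlements at the next review.

```python
"""Reconcile a door controller's access list and swipe log against a
management-approved authorized access list (added example, not from the thread).

All names, badge IDs, timestamps and the CSV log format are constructed
assumptions for illustration; adapt the parsing to your controller's export.
"""
import csv
from collections import Counter
from dataclasses import dataclass, field
from io import StringIO

# Management-signed authorized access list (constructed sample): badge -> person/role.
AUTHORIZED = {
    "B001": "alice (datacenter manager)",
    "B002": "bob (facilities)",
    "B003": "carol (sysadmin)",
}

# Access list exported from the door controller (constructed sample).
# B004 is a programmer whose badge was never removed from the door.
DOOR_ACCESS_LIST = {"B001", "B002", "B004"}

# Constructed swipe log for one day in the assumed CSV format.
SWIPE_LOG = """\
timestamp,badge_id,door,result
2024-03-04T08:01:12,B001,DC-1,granted
2024-03-04T08:15:40,B004,DC-1,granted
2024-03-04T09:02:03,B007,DC-1,denied
2024-03-04T09:02:09,B007,DC-1,denied
2024-03-04T09:02:15,B007,DC-1,denied
2024-03-04T12:30:55,B002,DC-1,granted
"""


@dataclass
class ReviewFindings:
    excess_entitlements: set = field(default_factory=set)      # on door list, not authorized
    missing_entitlements: set = field(default_factory=set)     # authorized, not on door list
    unauthorized_entries: list = field(default_factory=list)   # granted swipes by unauthorized badges
    repeated_denials: dict = field(default_factory=dict)       # badge -> denial count at/over threshold
    never_entered: set = field(default_factory=set)            # authorized but no successful swipe


def review_entitlements(authorized, door_list, findings):
    """Compare who the door *would* let in against who management approved."""
    findings.excess_entitlements = set(door_list) - set(authorized)
    findings.missing_entitlements = set(authorized) - set(door_list)


def review_swipe_log(authorized, log_text, findings, denial_threshold=3):
    """Compare who the door *did* let in (or refused) against the approved list."""
    denials = Counter()
    seen = set()
    for row in csv.DictReader(StringIO(log_text)):
        badge = row["badge_id"]
        if row["result"] == "granted":
            seen.add(badge)
            if badge not in authorized:
                findings.unauthorized_entries.append((row["timestamp"], badge, row["door"]))
        elif row["result"] == "denied":
            denials[badge] += 1
    # Repeated denials by one badge are worth a look: a lost card, or someone probing the door.
    findings.repeated_denials = {b: n for b, n in denials.items() if n >= denial_threshold}
    findings.never_entered = set(authorized) - seen


def run_review(authorized=AUTHORIZED, door_list=DOOR_ACCESS_LIST, log_text=SWIPE_LOG):
    """Run both reviews and return the exceptions for the reviewer to sign off on."""
    findings = ReviewFindings()
    review_entitlements(authorized, door_list, findings)
    review_swipe_log(authorized, log_text, findings)
    return findings


if __name__ == "__main__":
    f = run_review()
    print("On door list but not authorized:", sorted(f.excess_entitlements))
    print("Authorized but not on door list:", sorted(f.missing_entitlements))
    print("Granted entries by unauthorized badges:", f.unauthorized_entries)
    print("Badges with repeated denials:", f.repeated_denials)
    print("Authorized but never entered this period:", sorted(f.never_entered))
```

Each finding maps to a line item the reviewer has to close: remove B004 from the door, decide whether B003 still needs the entitlement she has not used, and ask who holds badge B007. Keeping the signed authorized list as the single standard is what makes the comparison meaningful; without it the review can only confirm that the log looks plausible.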
