• Status: Solved

application management

Hey,

what kind of things are included in an application management audit?

We have an app security and management audit of our payroll app coming up. The security side of things I can make an educated guess on what will be involved. On the management side, would it be things like change control, i.e. this is a fat client app, so roll-out of new software versions goes through CC?

Any other issues?
Asked by pma111
2 Solutions
 
slemmesmi commented:
Dear pma111,

An application management audit (as any IT audit) serves to validate the value (quality, 1-3 below; fiduciary, 4-5 below; and security requirements, 6-7 below) of the information in the application.

Seven related information criteria, which together constitute the value of the information, are defined as follows (the organisation requires that the information is):
1. Effectiveness: Information being relevant, delivered in a timely, correct, consistent and usable manner.
2. Efficiency: Information provided through the optimal (most productive and economical) use of resources.
3. Confidentiality: Protection of sensitive information from unauthorized disclosure.
4. Integrity: Accuracy, completeness and validity of information.
5. Availability: Information is available when needed. Safeguarding of necessary resources and associated capabilities.
6. Compliance: Complying with laws, regulations and contractual arrangements for information.
7. Reliability: Provision of appropriate information to operate the entity and exercise its fiduciary and governance responsibilities.

An application management audit validates that systems and applications are appropriate to the entity's needs, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of an application's activity.

The application management audit is approached from 5 different perspectives:
a. Security (confidentiality, integrity and availability)
b. Quality (effectiveness and efficiency)
c. Fiduciary (compliance and reliability)
d. Service
e. Capacity

Some of the techniques for gathering evidence as part of the audit include, among others:
I. Reviewing IS organizational structures (segregation of duties).
II. Reviewing IS policies and procedures (which are in place, are they understood and are they being followed/enforced and is it measured).
III. Reviewing IS standards (which are in place, are they understood and are they being followed/enforced and is it measured).
IV. Reviewing IS documentation (which is in place, is it understood and being followed/enforced, is it measured and is it kept up-to-date).
V. Interviewing appropriate personnel (in any way associated with the application management).
VI. Observing processes and employees performing duties (in any way associated with the application management).

Last but not least, the presence/absence of a completed BIA would serve as input in the audit.

Kind regards,
Soren
 
pma111 (author) commented:
Security I am pretty ok with.

But can you give perhaps 3 examples of controls for:

b. Quality (effectiveness and efficiency)
c. Fiduciary (compliance and reliability)
d. Service
e. Capacity
 
btan (Exec Consultant) commented:
Another add-on is to follow through the application lifecycle, which focuses more on change mgmt such as patch mgmt, frequency of patches, version control, roles and responsibilities, and the workflow involved. Primarily it is to ensure sound and accountable execution standards and procedures.

I was also thinking of the maintenance of the appl., but I leave it as part of the change process mgmt cycle. Secure appl. development is another area if security is one key chapter. I lean more towards the regularity of vulnerability verification, security posture validation through penetration tests and proper security review instead. The BSIMM framework describes these well-defined phases and checks.
pma111 (author) commented:
Are you an IT auditor breadtan/slemmesmi? Or IT security professional?
 
slemmesmi commented:
Dear pma111,

Neither; I am a senior system engineer with strong IT Governance awareness and have passed the CISA exam.

Examples of controls (COBIT-based, and I am sure you can map them to ITIL) for:

b. Quality (effectiveness and efficiency)
Create and maintain corporate/enterprise information model.
Create and maintain corporate data dictionary(ies).
Establish and maintain a data classification scheme.
Provide data owners with procedures and tools for classifying information systems.
Utilise the information model, data dictionary and classification scheme to plan optimised business systems.
Establish IT organisational structure, including committees and linkages to the stakeholders and vendors.
Design an IT process framework.
Identify system owners.
Identify data owners.
Establish and implement IT roles and responsibilities, including supervision and segregation of duties.

c. Fiduciary (compliance and reliability)
See 'b' above, plus:
Identify fiduciary requirements.
Identify legal requirements, ownership and reporting.

d. Service
Create a framework for defining IT services.
Build an IT service catalogue.
Define SLAs for critical IT services.
Define OLAs for meeting SLAs.
Monitor and report end-to-end service level performance.
Review SLAs and UCs.
Review and update IT service catalogue.
Create service improvement plan.
BIA!!!!

e. Capacity
Establish a planning process for the review of performance and capacity of IT resources.
Review current IT resources’ performance and capacity.
Conduct IT resources’ performance and capacity forecasting.
Conduct gap analysis to identify IT resources mismatches.
Conduct contingency planning for potential IT resources unavailability (again BIA!!!!!)
Continuously monitor and report the availability, performance and capacity of IT resources.

Kind regards,
Soren
 
btan (Exec Consultant) commented:
IT professional; primary focus is cyber security.
