40-000-7 COMPUTER CONTROLS (PROCEDURE)

To safeguard the security of the system, certain procedures shall be in place as follows:

Organization Controls

1. The EDP department shall be independent of the client departments and EDP personnel may not initiate or authorize transactions, nor initiate changes to master files. EDP personnel may make error corrections only when the error originated in the EDP department.
2. All changes made to master files shall be reported to the initiating departments.
3. Duties and data control functions shall be separated between programming and computer operations.
4. Computer operators shall take at least one week of continuous annual leave and their duties shall be rotated periodically.
5. An internal audit shall be in place to ensure that the accounting system can be used to prepare accurate financial statements.

Access Controls

1. EDP security shall be the responsibility of one employee and access to the computer room shall be restricted to authorized personnel.
2. Programmers shall not have access to production programs, job control language, and live data files nor will new or revised programs be tested on live data files.
3. Computer operators shall not have access to source code and programming documentation.
4. Terminal access and passwords shall be limited to one person and passwords shall be changed at regular intervals.

Operational Controls

1. Schedules for computer applications shall be prepared and followed and automated or manual logs shall be used to record operator activities.
2. System failures, restart and recovery shall be reported and reviewed by an appropriate official.
3. Operator instruction manuals that contain setup of batch jobs, loading of operating systems software, and other input and output components shall be available.
4. There shall be appropriate procedures to monitor operator compliance and back-up and storage of programs and data files.
5. Periodic security briefings shall be provided to EDP personnel.

Disaster Recovery/Contingency Planning

1. Master files, transaction files, systems, programs, and related documentation shall be stored off the premises.
2. Contingency plans shall be developed for alternative processing in the event of loss or interruption of the EDP function and such plans shall be tested for their adequacy in the event of a disaster.