What is a staging environment?
It is an environment where a sample group of end users have the chance to evaluate changes to applications prior to going live for all users
What is full interpretation?
This happens when all tasks are performed at the alternate site
What is patch management?
- It is the process of identifying, testing, and applying software updates (patches) to fix vulnerabilities and enhance performance
- Patch management is vital for regularly applying updates and patches to the OS to protect against security vulnerabilities
What is software version control?
- AKA source code management
- Primarily concerned with managing changes to the source code of software applications
- It’s more associated with software releases than software patches
What is a systems specification document?
- It is a document that describes what the system will do and how it will operate
- It addresses end-user requirements like:
1) Functional user requirements
2) Non-functional requirements
3) Data elements
Changes become available to all users in what environment?
Production environment
What are the 3 types of application controls?
1) Input
2) Processing
3) Output
What are output controls?
They are controls that ensure that reports (AKA outputs) are made available only to authorized personnel
A lack of segregation of duties in the change management process exists when an employee:
Develops a code change and migrates it to the PRODUCTION environment
What are DATA INTERFACE CONTROLS?
They are communication rules that organization should implement to mitigate the risks of transmission errors
Change requests do not affect inventory until:
Records are updated after implementation
Why would a cloud service provider provide customers with a SOC 2 report annually?
Because customers need to manage their own governance, risk, and compliance objectives
What does inventory tracking do?
- It supplies info about the location of inventory
How can a service auditor be sure that access to the development and production environment is segregated among the change management team members?
- The auditor should test/inspect management’s quarterly review of permissions to validate that the developers and other team members are in different permission groups
- This procedure ensures that access is properly segregated throughout the examination period as VALIDATED BY MANAGEMENT
What do change controls do?
They prevent, detect, and correct unauthorized changes to systems, applications, and data
What are examples of INPUT application controls?
- Validity checks
- Range (limit) checks
- Authorization checks
- Hash amounts
- Batch controls
What are examples of PROCESSING application controls?
- Data validation
- Sequence checks
- Completeness checks
- Duplication checks
- File identification checks
What are examples of OUTPUT application controls?
- Distribution lists
- Printer security
- Storage controls
- Confidentiality controls
- Data transmission controls
What are system components?
- They are identifiable hardware, software, and firmware (operating system) assets
- Most frameworks recommend that organizations perform ongoing and periodic system component inventories to support asset, data, change, security, and business continuity management
What do inventory reports list?
They list all components and their respective specifications, baseline configurations, locations
