Finding reference numbers (spilled table column, not attributable to individual findings below): 3.2 to 3.28, 4.1.1 to 4.1.16, 4.2.1 to 4.2.8, 5.1.1 to 5.1.12, 5.2.1 to 5.2.16, 5.3.1 to 5.3.4, 5.4.1 to 5.4.18, 5.5.1 to 5.5.3, 5.6.1.1 to 5.6.1.15, 5.6.2.1 to 5.6.2.2.
IT General Controls

Weaknesses noted in the governance of IT strategy
Management response: This issue was discussed with the ACEO & Business Development; the ACEO advised considering the initiatives suggested in the QCC Strategy as the work frame. IT suggested drafting a strategy and discussing it with the ACEO. So, the draft Strategy was prepared but

IT risk assessment & reviews of IT infrastructure, applications and systems are not performed
Management response: This will be considered. The job descriptions of the Business Analyst and Network Admin will be adjusted to cover these requirements (BA for all risks at the applications and databases level, and Network Admin for the risks associated with any IT infrastructure components). The risk review is to be conducted in Q3 every year, and as required.

Breach of software licenses and inappropriate management of tools
Management response: In the audit period IT was executing projects that will require different licenses. All new requirements are being discussed with the providers.

Absence of an information security function
Management response: These business needs will be covered as explained in 3.3, and we think that this is sufficient as of now. An independent information security function will be needed later, when QCC has more systems on the web or in cloud computing. Security training will be increased.

Lack of comprehensive policies and procedures
Management response: Policies and procedures were suggested by IT and reviewed and adjusted by the Policies Committee. They are to be considered the first version, to be evaluated and enhanced within 6 months starting from the issuing date. Increasing end-user awareness is important and will be considered.

Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) are not installed
Management response: All are considered in the 2014 budget.

Inadequate management of security incidents across QCC
Management response: The Security Policy & Procedure will be adjusted to consider that.

Disaster recovery drills are not being performed
Management response: Noted. We think that the DRP is one component of a comprehensive BCP, and drills should be conducted on the BCP to have comprehensive and meaningful drills. The current DRP is sufficient for business needs, and we are doing recovery tests regularly. This is not stated in the draft Policy; the Policy will be adjusted.

Absence of change control policies, procedures & documentation
Management response: The current policies address change management in application and infrastructure projects, but there is no separate Change Control Policy. We do install patches every time after testing and investigating. However, in many cases conflicts occur between the new patches and the running applications. A procedure is to be introduced.

Sharing of administrator ID and password (2 persons are using it in JDE and SA)
Management response: For AD Admin, the issue is fixed.

Application Controls

Absence of Standard Operating Procedures (SOP)
Management response: It is done for some applications, and the remaining will be considered. Purchasing a reporting tool to report the access rights from the system is planned; a support ticket to the provider to implement it.

Information Security

Clear-text HTTP service is enabled
Management response: The issue is fixed.

Shared administrative IDs are being used (no one knows the password of the 'SA' user)
Management response: The recommendation is considered and the issue is fixed.
Target date, owner and status columns (spilled from the table, not attributable to individual findings): target dates Dec. 2013 to Jun. 2014, plus "This week"; owners CEO, IT, HR, IA; status marks "Fixed.", "ok", "VAS", "SL", "sa".