Establish and maintain data processing integrity controls.


CONTROL ID
00923
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish and maintain Records Management procedures., CC ID: 00919

This Control has the following implementation support Control(s):
  • Compare each record's data input to its final form., CC ID: 11813
  • Establish and maintain Automated Data Processing validation checks and editing checks., CC ID: 00924
  • Establish and maintain Automated Data Processing error handling procedures., CC ID: 00925
  • Establish and maintain Automated Data Processing error handling reporting., CC ID: 11659


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • AIs should also implement sufficient controls to maintain and verify the integrity of the information processed by their Internet banking systems. For example, AIs should implement checks and controls in the application systems so as to reconcile data file balances after transaction updates and to c… (§ 5.1.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • a policy that defines the roles and responsibilities for managing the integrity of the data in the ICT systems (e.g. data architect, data officers, data custodians, data owners/stewards) and provides guidance on which data are critical from a data integrity perspective and should be subject to speci… (Title 3 3.3.4(d) 57.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives. (PO2.4 Integrity Management, CobiT, Version 4.1)
  • Verify that all data expected for processing are received and processed completely, accurately and in a timely manner, and all output is delivered in accordance with business requirements. Support restart and reprocessing needs. (DS11.1 Business Requirements for Data Management, CobiT, Version 4.1)
  • Before passing transaction data between internal applications and business/operational functions (in or outside the enterprise), check it for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport. (AC6 Transaction Authentication and Integrity, CobiT, Version 4.1)
  • Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions. (AC4 Processing Integrity and Validity, CobiT, Version 4.1)
  • Information systems produce information that is timely, current, accurate, complete, accessible, protected, and verifiable and retained. Information is reviewed to assess its relevance in supporting the internal control components. (§ 3 Principle 13 Points of Focus: Maintains Quality throughout Processing, COSO Internal Control - Integrated Framework (2013))
  • Many controls have separation of duties as a vital element. The organizational structure should not have one individual or department with full responsibility for all aspects of processing data. Initiating, authorizing, inputting, processing, and checking data should be separated. (§ 5.3.3.1 ¶ 1, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The risk of staff disrupting the running of business applications, Information Systems, and networks either in error or by malicious intent should be reduced by separating the duties of staff running business applications, Information Systems, and networks from the duties of staff designing, develop… (CF.02.05.07a, The Standard of Good Practice for Information Security)
  • The risk of staff disrupting the running of business applications, computer systems, and networks either in error or by malicious intent should be reduced by organizing duties in such a way as to minimize the risk of theft, fraud, error, and unauthorized changes to information (e.g., by supervising … (CF.02.05.07c, The Standard of Good Practice for Information Security)
  • The integrity of information contained in critical spreadsheets should be assured by using separate areas for calculation cells and data entry cells. (CF.13.02.06a, The Standard of Good Practice for Information Security)
  • Key components of computer and network installations should be protected by segregating different types of software and information (e.g., by storing them in separate directories). (CF.07.01.07c, The Standard of Good Practice for Information Security)
  • Hypervisors should be configured to segregate virtual servers according to the confidentiality requirements of information they process. (CF.07.03.05a, The Standard of Good Practice for Information Security)
  • The risk of staff disrupting the running of business applications, Information Systems, and networks either in error or by malicious intent should be reduced by separating the duties of staff running business applications, Information Systems, and networks from the duties of staff designing, develop… (CF.02.05.07a, The Standard of Good Practice for Information Security, 2013)
  • The risk of staff disrupting the running of business applications, computer systems, and networks either in error or by malicious intent should be reduced by organizing duties in such a way as to minimize the risk of theft, fraud, error, and unauthorized changes to information (e.g., by supervising … (CF.02.05.07c, The Standard of Good Practice for Information Security, 2013)
  • The integrity of information contained in critical spreadsheets should be assured by using separate areas for calculation cells and data entry cells. (CF.13.02.06a, The Standard of Good Practice for Information Security, 2013)
  • Key components of computer and network installations should be protected by segregating different types of software and information (e.g., by storing them in separate directories). (CF.07.01.07c, The Standard of Good Practice for Information Security, 2013)
  • Hypervisors should be configured to segregate virtual servers according to the confidentiality requirements of information they process. (CF.07.03.05a, The Standard of Good Practice for Information Security, 2013)
  • The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. The specifications should include the following information, as appropriate: – scope and schedule of backups; – backup methods and data formats, including encryption, if relevan… (§ 12.3.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Automated and manual controls can be circumvented by two or more personnel acting together; therefore, the organization should segregate duties to prevent this from occurring. (§ 314.65, § 314.66, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components. (CC2.1 Maintains Quality Throughout Processing, Trust Services Criteria)
  • Processing inputs are evaluated for compliance with defined input requirements. (PI1.2 Evaluates Processing Inputs, Trust Services Criteria)
  • Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities. (PI1.3 Processes Inputs, Trust Services Criteria)
  • Procedures exist to prevent, or detect and correct, processing errors to meet the entity’s processing integrity commitments and system requirements. (PI1.1, TSP 100 - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Modification of data, other than routine transaction processing, is authorized and processed to meet with the entity’s processing integrity commitments and system requirements. (PI1.6, TSP 100 - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • When desktop computers are used to transmit scoped systems and data, is there segregation of duties for granting access and approving access? (§ G.22.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to store scoped systems and data, is there segregation of duties for granting access and approving access? (§ G.22.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to process scoped systems and data, is there segregation of duties for granting access and approving access? (§ G.22.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • CSR 4.1.2: The organization must divide the duties for critical mission functions or sensitive control, information system support functions, and financial functions between separate individuals to ensure least privileged and individual accountability. CSR 4.7.1: The organization must implement comp… (CSR 4.1.2, CSR 4.7.1, CSR 4.7.2, CSR 4.7.3, CSR 4.7.5, CSR 7.6.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The Records Management Application shall allow only authorized individuals the ability to edit metadata items after a record is filed. (§ C4.1.12, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The responsibilities of the authorized individuals referred to in section c4.1.12 (editing metadata items after a record is filed) shall be accomplished, as necessary, by an Application Administrator, a records manager, or a privileged user. (Table C4.T2 Requirement C4.1.12, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • If necessary, group plan health documents must be corrected to include adequate separation between the plan sponsor and the group health plan. Plan documents must describe employees, classes of employees, or other persons who are to be given access to information that will be disclosed, provided tha… (§ 164.504(f)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Use validation controls for data entry and data processing. (App A Objective 6.27.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Back-office operations and transaction processing. (App A Objective 8:1 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Data security activities are independent from systems and programming, computer operations, data input/output, and audit; (TIER II OBJECTIVES AND PROCEDURES D.1. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • The adequacy of data controls over preparation, input, processing, and output. (TIER II OBJECTIVES AND PROCEDURES C.1. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Adequate controls exist over any origination functions, including separation of data preparation, input, transmission, and reconcilement; (TIER II OBJECTIVES AND PROCEDURES E.3. Bullet 5, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine whether audit procedures for payment systems risk adequately consider the risks in automated clearinghouse (ACH). Evaluate whether ▪ Policies and procedures govern all ACH activity; ▪ Incoming debit and credit totals are verified adequately and items counted prior to posting to custome… (Exam Tier II Obj E.3, FFIEC IT Examination Handbook - Audit, August 2003)
  • Determine if there are adequate controls around transaction initiation and data entry, including: ▪ Daily log review by the supervisor including appropriate sign-off; ▪ Control over and disposal of all computer output (printouts, microfiche, optical disks, etc.); ▪ Separation of duties; ▪ Li… (Exam Tier II Obj H.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should use separation of duties to minimize the potential of staff members tampering with check images and information during the processing process. (Pg 38, Exam Tier I Obj 2.1, Exam Tier I Obj 3.3, Exam Tier I Obj 4.2, Exam Tier II Obj 2.1, Exam Tier II Obj 2.2, Exam Tier II Obj 3.2, Exam Tier II Obj 4.2, Exam Tier II Obj 6.5, Exam Tier II Obj 7.1, Exam Tier II Obj 9.15, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization should establish a separation of duties for individuals involved in funds transfer systems, accounting tasks, and critical payment processing tasks. (Pg 16, Pg 20, Pg 31, Pg 32, Exam Tier I Obj 2.1, Exam Tier II Obj 1.5, Exam Tier II Obj 7.1, Exam Tier II Obj 9.3, Exam Tier II Obj 12.1, Exam Tier II Obj 14.4, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Organizational records and documents should be examined to ensure individuals are not assigned responsibilities that conflict with the separation of duties policy, separation of duties are enforced continuously, and specific responsibilities and actions are defined for the implementation of the sepa… (AC-5, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization may enforce Separation of Duties for any duties that involve accessing Personally Identifiable Information. (§ 4.3 Bullet Separation of Duties (AC-5), NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Duties should be segregated to prevent one person from having control over an entire process from beginning to end. (§ II.C, OMB Circular A-123, Management's Responsibility for Internal Control)