Page 74 - Courses
P. 74

IT Essentials — Physical and Environmental Controls

            With the knowledge gained from the walkthrough, the internal auditor can now complete the
            remainder of the fieldwork.

            Fieldwork

            Thank you for taking time for a second conversation with me. Can you start by explaining why the
            proximity card readers are not located on ALL doors?

            Certainly. This is due to cost. The proximity card readers are expensive to add to areas originally
            secured by lock and key; that is why our wiring closets do not have card readers.

            Speaking of the wiring closets, how does your department manage the physical keys for the wiring
            closets, as well as those that are used in other areas without card or biometric readers?

            All keys have a code engraved on them, along with a Do Not Duplicate stamp. The keys are logged in
            a tracking spreadsheet that looks like the sample provided below. I will be happy to email you the
            complete spreadsheet.













            Thank you. I will take a look, and get back with you with questions.

            The next topic I would like to discuss is the card management system. Would you provide me with a
            brief overview of this system?

            Of course. All requests for cards come through our ticketing system. They are a part of the corporate
            Add/Transfer/Termination process used by IT, human resources (HR), and maintenance.

            That is great. Can you elaborate more on the “add” process?

            For adds, I unlock our supply cabinet and take a new card from the stock box. I then log into the card
            management system console, using my personally assigned user ID and password. I look at the back
            of the card to ensure it is the next card to be assigned; if the serial numbers match, I assign it to the
            user stated in the ticket and assign them to the reader locations designated in the ticket. The card is
            then sent to human resources (HR). HR will either request the employee come to their office to pick
            up the card, or if the employee is remote, they will mail the card to the employee’s home address.

            How do the card serial numbers originally get into the system?


            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.
   69   70   71   72   73   74   75   76   77   78   79