System Software Product Implementation Review Methodology
By: Mitchell H. Levine, CISA
Audit Serve, Inc.
System software products are used to support system functions that are not provided by the operating system and its subsystems. System software products automate, control, and facilitate the manner in which individual users and applications utilize the resources of the operating system. To the end-user, who has no involvement in how system software products are installed or operated, these system software products are viewed as tools and safeguards which perform pre-described functions.
The end-user is unaware of how the product was installed and what occurs behind the scenes to achieve its daily operational duties. The end-user does not question whether the product was installed to take advantage of all of the product's capabilities or whether the product is being operated to its maximum efficiency. However, from an auditor's perspective, the integrity to the overall operating environment is impacted by not properly installing or operating a system software product.
The overall impact to the operating environment by a system software product is first measured based upon whether the system software product is provided with privileged access to operating system resources in order to allow the product to operate as intended. If the system software product is provided privileged access, then users of the product themselves could potentially be granted with this access if the system software product is not properly installed and operated.
The second measurement as to a system software product's impact to an environment is based on the system software product's importance to the operating environment with respect to its intended role. If the system software product offers ease-of-use functions then the only impact would be to the overall productivity of the end-user. However, if the system software product itself provides control features that the environment is dependent upon to maintain the systems overall integrity, then the impact of failing to install or operate the system software product properly is of much greater concern.
As to those system software products which contribute to the assurance of the systems overall integrity, if the implementation and operation of the product is not done properly then the systems in which it provides safeguards for cannot be assured. System software products which offer control functions, must be installed and operated in a manner which maintains the integrity of the controls functions that it provides.
Within the control product industry, little documentation is provided with these system products which explain: (1) how the product should be installed and operated; and (2) the potential risks associated with the various approaches used. System Software vendors which offer security and control related products should provide a full scale methodology and audit program for properly installing and operating their product to ensure that the maximum benefits of their products are utilized and the integrity of its assigned control functions are preserved
For a free proposal to perform an audit of your organization or provide SOX support & testing services, contact Mitchell Levine of Audit Serve at (203) 972-3567 or via e-mail at Levinemh@auditserve.com.
Copyright 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing