Appendix B
• Deployment of a major application
• Will the company be required to comply with certain laws or regulations in the future (Health Insurance Portability and Accountability Act [HIPAA], Gramm–Leach–Bliley Act [GLBA], etc.)?
Guidance:
Planned initiatives can change the way you look at findings. Both short-term and long-term planned initiatives affect how you rate the risk and what type of recommendation you make. Some findings may be less serious if the related business process will change drastically or go away in the short term. One aspect to look for is how definite the schedule for an initiative is: planned initiatives are often not set in stone, so it is worth confirming the schedule with management before adjusting a finding on that basis.
Client Response:
5. Other interviewee-specific questions — This is a placeholder for additional questions based on the client's specific business requirements.
• Questions can be added here that are specific to the business based on what you have learned about the company so far.
SECURITY-RELATED QUESTIONS
Most of the questions below are covered in more detail in other questionnaires in
the Appendices. The questions here are high level and are meant to elicit some
perspective from business process owners who have limited involvement with these
tasks. This perspective also helps validate whether processes are working as intended.
6. User ID administration: What is your role in users gaining access to
systems — e.g., approval authority?
Guidance:
User ID administration is a process that touches almost everyone in the company. For this reason, it is good to get the perspective of different people in the company to help determine what opportunities exist to improve the user ID administration process.
Client Response:
7. Employee termination.
• What do you do if an employee reporting to you is terminated?
• What are you accountable for?
• Is there a documented process for terminations that you follow?