This control ensures only approved users can access systems.
What is user provisioning approval?
A formal request to modify an application or system.
What is a change request?
This control ensures systems can be restored after a failure.
What is backup and recovery?
A periodic review of users and their system access.
What is a user access review?
This framework commonly includes ITGCs.
What is SOX?
Removing access promptly when an employee leaves the company.
What is deprovisioning / termination access control?
Testing that must occur before changes go to production.
What is user acceptance testing (UAT)?
Monitoring systems to detect failures or unusual activity.
What is job monitoring / system monitoring?
These individuals typically certify access during reviews.
Who are system owners or managers?
Documentation showing controls were performed.
What is audit evidence?
This principle ensures users only have access necessary for their job.
What is least privilege?
Approval required before migrating code to production.
What is management or CAB approval?
A documented plan for resuming operations after a disaster.
What is a disaster recovery plan (DRP)?
Frequency often expected by auditors for access reviews.
What is quarterly (or periodic)?
A weakness that could lead to a material misstatement.
What is a significant deficiency?
Logging in with something you know and something you have.
What is multi-factor authentication (MFA)?
The environment where developers should not have direct access.
What is production?
Required initial record for new systems at Disney.
What is SNOW record/BAPPID?
Evidence showing inappropriate access was removed.
What is remediation documentation?
When controls are designed well but not operating effectively.
What is an operating effectiveness failure?
A risk when one user can both create and approve transactions.
What is segregation of duties (SoD) conflict?
An unplanned fix implemented quickly due to a critical issue.
What is an emergency change?
Report used to verify that third-party providers implemented appropriate security measures.
What is a SOC report?
A common audit issue found during access reviews.
What is excessive or inappropriate access?
Independent testing of controls performed by auditors.
What is control testing?