IT Audit Guidelines

An IT Audit of CA Endevor evaluates whether best practices for data security and integrity are in use.
An information technology (IT) audit of CA Endevor can determine whether best practices for data security and integrity are in use.
Generally, the purpose of an IT audit is to evaluate whether CA Endevor is safeguarding assets and maintaining data integrity. The IT auditor is the target audience for these guidelines. However, a wider audience can benefit from this documentation. That audience includes anyone who wants to understand the following concepts and procedures:
  • CA Endevor best practices for data security and integrity
  • How these best practices are implemented through product configuration
  • How to verify that best practices are implemented and used as recommended
The IT audit guidelines are presented in the following formats:
  • Video
    The video provides an overview of the recommended IT audit procedure, including best practices for data security and integrity, and explains why they are important.
  • Articles
    This article describes the audit procedure, audit resources, and audit areas. Sub-articles describe each audit area in detail and how to verify best practices.
  • Checklist
    The checklist helps the auditor determine whether best practices are being followed. The checklist can also serve to record the results of an audit.
The audit checklist is provided in PDF format only. You can view or download it here: IT Auditor Checklist for CA Endevor
View the IT Audit Guidelines video here:

How to Perform an IT Audit of CA Endevor
As an information technology (IT) auditor, you can perform an audit of a CA Endevor implementation to evaluate whether CA Endevor is safeguarding assets and maintaining data integrity. CA Endevor is highly configurable and certain features are critical to data security, integrity, and availability. An IT audit focuses on the audit-related aspect of those features. A separate checklist, which is attached to this article, can help you determine whether those audit areas are implemented and used as recommended.
To perform the audit, the auditor requires the assistance of the following roles:
  • The CA Endevor administrator for the implementation
    This role has the authority to customize the CA Endevor implementation and is responsible for monitoring and maintaining the implementation to ensure that it meets the software change management goals of the organization. For purposes of an audit, the CA Endevor administrator runs reports that show how CA Endevor is configured. Also, this role can explain the CA Endevor administrator practices that are related to how the audit areas are implemented and used.
  • The security administrator for the site
    This role configures the site security software to enforce data set and functional (action authorization) security. For purposes of an audit, the security administrator runs reports on the security package that show how the site security package is configured to support data set and functional security.
To perform an IT audit of an implementation of CA Endevor, we suggest that the auditor follows these steps:
  1. If you are not familiar with CA Endevor, read the following articles:
    • Provides a high-level product overview.
    • Provides details about the CA Endevor software development lifecycle, the inventory classification scheme, control data sets, and customization options.
  2. Contact the CA Endevor administrator who will help you with the audit. Observe them as they run the reports listed in the "Report Resources for an IT Audit" section of this article.
  3. Contact the site security administrator who will help you review the following security-related audit areas:
    • Data Set and Action Authorization Security
    • Control of Administration Files and Privileged Access
    Observe them as they run reports against the security package listed in the "Report Resources for an IT Audit" section of this article.
  4. Download or print the IT Auditor Checklist for CA Endevor PDF. The checklist lists questions that you should answer about each audit area. Use the checklist to record any anomalies.
  5. Read the "Best Practices for Data Security and Integrity" section of this article, and the description for each audit area provided in this article. These descriptions can help you to understand the audit questions in the checklist.
  6. Read the sub-article for the first audit area. This can help you understand the checklist for the audit area. Answer the corresponding questions in the checklist. Refer to the reports provided by the administrators to determine if the audit area is implemented and how it is used.
  7. Repeat step 6 for each audit area.
  8. After you have reviewed all the audit items in the checklist, go through the checklist with your CA Endevor® SCM administrator:
    • Discuss with the administrator any differences between what you found and the settings and practices that are recommended in the checklist.
    • Discuss with the administrator those questions in the checklist that you could not answer by reviewing the reports.
Report Resources for an IT Audit
The CA Endevor administrator and the site security administrator can run reports that you can use to verify most configuration settings.
CA Endevor Configuration
Observe the CA Endevor administrator as they run the following reports. These reports provide some of the information that you need to complete the audit.
  1. A Site Options report, which displays the following information about how CA Endevor is configured at the site.
    1. Site Options table - Information extracted from the Defaults table C1DEFLTS.
    2. Site Symbols table - Information extracted from the Site Symbols table ESYMBOLS.
    3. Optional Features Table - Information extracted from the Optional Features table ENCOPTBL.
    4. Active CA Endevor User Exits - Information extracted from the Exits table C1UEXITS.
    5. External Security Interface (ESI) Table - Information extracted from the Access table BC1TNEQU.
  2. CONRPT07 System Definition report, which lists information about Systems and their Subsystems.
  3. CONRPT10 Approval Group Definition report, which lists information about the approver groups defined in the Environments.
  4. CONRPT11 Approval Group Usage report, which lists all Environments and their inventory areas with the approver groups that are related to each inventory area.
  5. System Management Facility (SMF) reports. Observe as the administrator runs the following reports, which report on security violations (access attempts) and Element action activity. These reports can be requested for a specific inventory area or for all activity.
    1. CONRPT40 Security Violation Profile: for each System requested, this report gives a detailed account of each security violation that occurred. Specifically, this report lists each attempt, by any user, to perform an unauthorized action.
    2. CONRPT41 Security Violation Summary: for each System requested, this report summarizes the security violations that occurred and provides a total count for each CA Endevor action that logged a violation.
    3. CONRPT42 Element Activity Profile: details each action performed against the Elements within a particular System, Subsystem, Type, and Stage. Using this report, for example, you can determine exactly which Elements were moved from Stage 1 to Stage 2, or which Elements were retrieved.
    4. CONRPT43 Element Activity Summary: summarizes the actions that were performed against the Elements within a particular System, Subsystem, Type, and Stage, and provides totals for each action. Using this report, for example, you can see how many Elements were moved or how many Elements were retrieved.
Site Security Software Configuration
Observe the security administrator as they run reports against the security software package to show security settings. You can use these reports when you review the following audit areas:
  1. Data set and action authorization security
  2. Control of administration files and privileged access
Use the reports to verify the following security settings:
  1. The security software profiles that protect the CA Endevor data sets and whether update authority has been granted to the alternate ID for those data sets.
  2. The following critical files are only accessible by administrators:
    1. All the files identified within the C1DEFLTS table
    2. System processor output libraries
    3. Type definition base, delta, source output libraries
    4. Processor output files
  3. Who has access to which Environments, Systems, Subsystems, and Types.
  4. The security software profiles that protect the pseudo data sets.
Best Practices for Data Security and Integrity
CA Endevor is highly configurable with many optional features and settings. Certain features are critical to data security, integrity, and availability. These features must be properly configured, administered, and used to be of benefit. The parts of these features that are important to an audit are referred to as audit areas and are the focus of the IT audit guidelines article. The following audit areas are listed in relative order of importance.
  1. Data Set and Action Authorization Security
  2. Control of Administration Files and Privileged Access
  3. System Management Facility (SMF) Recording
  4. Backup and Recovery
  5. Package Facility
  6. Footprint Synchronization
  7. User Exits
  8. Change Control Identifiers (CCIDs) and Comments
  9. Element Registration