Amtrak 2015 Annual Report Download - page 58

Appendix A – Material Weaknesses in Internal Control Over Financial Reporting (continued)
Recommendation:
Improvements are necessary in the controls over monitoring of compliance with information security policies, over system access (including the detection of unauthorized access), and over the prevention of, and monitoring for, inconsistencies in access rights that allow a potential lack of segregation of conflicting duties.
An improved governance-based approach should result in strengthened control, monitoring, and oversight processes that will enhance the overall integrity of Amtrak's information systems.
Examples of such oversight processes that should be improved include the following:
  • Review and evaluate identified deficiencies and instances of noncompliance with stated Amtrak policies and guidance, including documenting conclusions and evaluating their impact on financial reporting.
  • Require consistent, current and complete system security documentation, prepared by all system owners.
  • Follow relevant Amtrak guidance during the review and approval of all program changes. Documentation should be prepared and retained for all phases of the change management process.
  • Allow for appropriate version control throughout all phases of the change management process, including validation of the completeness and accuracy of change listing populations.
  • Consider the feasibility of configuring applications and supporting infrastructure to meet the required security and authentication parameters defined in the Company's policy and procedure and to adhere to the hardening standards; where that is not feasible, perform a risk analysis of non-adherence to the defined policy standards and document management-approved exceptions to those standards. Monitoring controls should be implemented to identify and rectify areas of non-compliance in a timely manner.
  • Follow relevant Amtrak policies on the removal of user access, the assignment of privileged access rights and the segregation of incompatible access rights for all significant applications and supporting infrastructure.
  • Consistently execute the periodic logical user access review process and retain documentation evidencing the completeness and accuracy of the data used in the review, the completeness of the review itself, the timely resolution of identified discrepancies and the mitigation of risk.
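The last two recommendations (timely removal of access, approved privileged access, segregation of incompatible rights, and a periodic access review whose input population is shown to be complete and accurate) can be implemented as one repeatable review script. The following is an added example written for this page; it is not code from the Amtrak report or its auditors. Every user name, role name, approval record and segregation-of-duties rule in it is constructed and hypothetical, and the "control total" stands in for the account count the system owner reports alongside the extract.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import date

# --- Constructed sample inputs (hypothetical users and roles, not Amtrak data) ---
HR_ROSTER = {
    "alice": {"status": "active", "term_date": None},
    "bob":   {"status": "terminated", "term_date": "2015-06-30"},
    "carol": {"status": "active", "term_date": None},
    "dave":  {"status": "active", "term_date": None},
}

# Account extract as a system owner would export it from the application.
APP_ACCOUNTS = [
    {"user": "alice", "enabled": True, "roles": {"AP_INVOICE_ENTRY", "APP_ADMIN"}},
    {"user": "bob",   "enabled": True, "roles": {"AP_PAYMENT_APPROVE"}},
    {"user": "carol", "enabled": True, "roles": {"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}},
    {"user": "dave",  "enabled": True, "roles": {"DB_ADMIN"}},
    {"user": "eve",   "enabled": True, "roles": {"GL_POST"}},
]

PRIVILEGED_ROLES = {"APP_ADMIN", "DB_ADMIN", "OS_ROOT"}
# (user, role) pairs for which a management approval is on file.
PRIVILEGED_APPROVALS = {("alice", "APP_ADMIN")}
# Role pairs that must never be held together (segregation of incompatible duties).
SOD_CONFLICTS = [
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}),
    frozenset({"VENDOR_MASTER_EDIT", "AP_PAYMENT_APPROVE"}),
]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    detail: str


def check_population(accounts, control_total):
    """Completeness and accuracy of the review input: the extract must carry exactly
    the number of accounts the system reports, and no user may appear twice."""
    issues = []
    if len(accounts) != control_total:
        issues.append(f"extract has {len(accounts)} accounts, system reports {control_total}")
    users = [a["user"] for a in accounts]
    for dup in sorted({u for u in users if users.count(u) > 1}):
        issues.append(f"duplicate account row for {dup}")
    return issues


def review_access(roster, accounts, privileged_roles, approvals, sod_conflicts, review_date):
    """One pass over the extract applying three policies: removal of access on
    termination, approved privileged access, and segregation of duties."""
    as_of = date.fromisoformat(review_date)
    findings = []
    for acct in accounts:
        user, roles = acct["user"], acct["roles"]
        hr = roster.get(user)
        if hr is None:
            findings.append(Finding(user, "orphan_account", "no HR record for this account"))
        elif hr["status"] == "terminated" and acct["enabled"]:
            days = (as_of - date.fromisoformat(hr["term_date"])).days
            findings.append(Finding(user, "terminated_still_enabled",
                                    f"enabled {days} days after termination"))
        for role in sorted(roles & privileged_roles):
            if (user, role) not in approvals:
                findings.append(Finding(user, "unapproved_privileged_access", role))
        for pair in sod_conflicts:
            if pair <= roles:
                findings.append(Finding(user, "sod_conflict", " + ".join(sorted(pair))))
    return findings


def run_review(review_date, control_total, accounts=APP_ACCOUNTS, roster=HR_ROSTER):
    """Evidence to retain: a hash of the exact population reviewed, the population
    checks, and every finding, so a later reviewer can re-perform the review."""
    canonical = json.dumps(
        [{"user": a["user"], "enabled": a["enabled"], "roles": sorted(a["roles"])}
         for a in sorted(accounts, key=lambda a: a["user"])],
        sort_keys=True)
    findings = review_access(roster, accounts, PRIVILEGED_ROLES,
                             PRIVILEGED_APPROVALS, SOD_CONFLICTS, review_date)
    return {
        "review_date": review_date,
        "population_sha256": hashlib.sha256(canonical.encode()).hexdigest(),
        "population_issues": check_population(accounts, control_total),
        "findings": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    # Quarter-end review; the system owner reported 6 accounts but the extract has 5.
    print(json.dumps(run_review("2015-09-30", control_total=6), indent=2))
```

On the constructed data the review reports the extract as short by one account against the control total (so the review itself is incomplete and must be re-run on a corrected extract), and flags bob as still enabled 92 days after termination, carol for holding both invoice entry and payment approval, dave for an unapproved DB_ADMIN role, and eve as an account with no HR record. The population hash in the returned record is the artefact to retain alongside the findings and their resolution.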