The Vendor is required to provide IT general controls and cybersecurity audit services, which include:
- Overall assurance governance
• Perform risk-based audit planning aligned to city strategic, operational, and technology objectives.
• Apply internal audit assurance methodologies to evaluate both design and operating effectiveness of in-scope controls.
• Develop clear assurance conclusions supported by sufficient and appropriate audit evidence.
- Information technology general controls (ITGC)
1. IT governance – COBIT 2019 – EDM01, EDM03 and EDM05
• Roles, responsibilities, oversight, and decision-making structures
• Alignment of IT governance to ccc objectives
2. Access management – COBIT 2019 – DSS05 / APO13
• User provisioning and de-provisioning
• Privileged access management
• Logical access monitoring and review
3. Change management – COBIT 2019 – BAI06
• Change approval and authorization
• Testing and migration controls
• Segregation of duties
4. IT operations – COBIT 2019 – DSS01
• Backup and recovery processes
• Job scheduling
• Incident handling and escalation
5. Interface controls – COBIT 2019 – DSS06
• High-risk system interfaces only
- Cybersecurity governance, risk management, and resilience
1. Govern (cyber governance)
• Accountability, oversight, and reporting
• Policies and governance structures
2. Identify (cyber risk management)
• Risk identification, assessment, and prioritization
• Integration with enterprise risk management processes
3. Protect
• Key preventive cybersecurity controls
• Control design and operational effectiveness
4. Detect
• Monitoring and alerting capabilities
• Effectiveness of detection mechanisms
5. Respond
• Incident response readiness
• Plans, roles, and execution capability
6. Recover
• Backup, disaster recovery, and resilience preparedness
• Recovery testing evidence
- Alignment to the Global Internal Audit Standards (GIAS) Cybersecurity Topical Requirement
• Governance and leadership accountability
• Integration of cybersecurity with enterprise risk management
• Policy adequacy and operational effectiveness
• Cyber resilience and preparedness
• Continuous improvement and lessons learned
- Penetration testing (supporting assurance only)
• External perimeter testing
• Limited internal or assumed-breach validation
• Application testing for one to two critical systems.