
This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries, VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.


Control Objective 13A - Controls provide reasonable assurance that logical access to V-System is properly authorized by VALIC Management.

Control Objective 13B - Controls provide reasonable assurance that logical access to distributed systems including SAP is properly authorized by VALIC Management.

| VALIC Control Activities | Tests of Operating Effectiveness | Results of Tests |
|---|---|---|
| 13.3 (13A, 13B) Oracle and SQL database activity is monitored daily to detect inappropriate activity within the database. | Oracle: Inspected a sample of daily reports to determine whether they were appropriately reviewed. | No exceptions noted. |
| | SQL: Inspected a sample of daily reports to determine whether they were appropriately reviewed. | No exceptions noted. |
| 13.4 (13A) VALIC users are required to use a password for mainframe application access, have a password that must be a minimum of eight characters long and include letters and at least one embedded number, change their password every 90 days and have their user ID code revoked after three failed login attempts. | Inspected the password configurations for V-System to determine whether passwords were a minimum of eight characters in length, had at least one embedded number (alpha-numeric mix) and letters, must be changed every 90 days, and three failed logon attempts resulted in revocation of the user ID code. | No exceptions noted. |
| 13.5 (13A, 13B) Operating system passwords are required, must meet current policy and standards which include a minimum of eight characters in length and must be changed every 90 days. | VALIC Domain: Inspected the password configurations for VALIC Active Directory to determine whether a password is required, password was a minimum of eight characters in length and must be changed every 90 days. | No exceptions noted. |
| | R-1 Core Domain: Inspected the password configurations for R-1 Core Active Directory to determine whether a password is required, password was a minimum of eight characters in length and must be changed every 90 days. | No exceptions noted. |
| 13.6 (13A, 13B) Network domain accounts that have been inactive for more than 90 days are flagged and disabled on a monthly basis. | Inspected a sample of monthly inactivity report listings. For all users listed as active and who have not logged into the network in the past 45+ days, inspected evidence to ensure the users were disabled appropriately. | No exceptions noted. |

IV. VALIC control objectives and controls, and PricewaterhouseCoopers LLP's tests of operating effectiveness and results of tests