
This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries, VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.


Physical Access

Control Objective 16 - Controls provide reasonable assurance that physical access to computer equipment, storage media and program documentation is restricted to authorized individuals.

16.1

VALIC Control Activities: Physical access to data centers is restricted to authorized individuals. Access is granted to appropriate personnel based on job responsibilities and must be approved by a manager.

Tests of Operating Effectiveness: Inspected a sample of new access granted to the data center and related access request forms to determine whether the access is granted to appropriate personnel based on job responsibilities and approved by the manager.

Results of Tests: No exceptions noted.

16.2

VALIC Control Activities: Upon termination, physical access to data centers is revoked timely.

Tests of Operating Effectiveness: Inspected a sample of terminated employees from the master access card list to determine whether the individuals’ access was removed from the data center timely.

Results of Tests: Exception noted. For 1 out of 25 terminated employees sampled, physical access was not removed timely. Refer to Section V for management's response.

16.3

VALIC Control Activities: Users with access to secure and sensitive areas within the data center are reviewed on a quarterly basis. Recertification items (including modification or deletion of access) that require further review are addressed by management in a timely manner.

Tests of Operating Effectiveness: Inspected a sample of user access reviews to the data centers (secure rooms) to determine whether access was reviewed and changes were appropriately processed.

Results of Tests: No exceptions noted.

Tests of Operating Effectiveness: Inspected changes to data center access, identified as part of the recertification, to determine whether changes were performed as requested.

Results of Tests: No exceptions noted.

IV. VALIC control objectives and controls, and PricewaterhouseCoopers LLP's tests of operating effectiveness and results of tests