Within a corporate group, a number of systems are hosted by some subsidiaries for other subsidiaries, so that responsibility for parts of the underlying ICS is split between the hosting provider and the hosting client. For further information about GAIT basics please read the article “Rightsizing your IT ICS”. In the following illustration, the five GAIT phases are shown:
In order to perform the GAIT analysis correctly, this split responsibility has to be taken into account as follows:
- The GAIT PLC analysis (GAIT phases 1 and 2) has to be executed by the hosting client, as the client is responsible for its own PLCs and therefore has the knowledge and personnel to perform this PLC analysis. The outcome will be a list of the critical IT functionality used in these PLCs as well as the list of systems in scope.
- The GAIT phase 3 and 4 analysis, in which the ITGCs are analyzed and determined, will most likely be split between the hosting client and the hosting provider, as responsibilities differ per layer. The main responsibility always remains with the subsidiary that is responsible for the performance of the ITGCs on the respective layer:
  - As application layer responsibility most likely still stays with the hosting client, the application layer GAIT matrix analysis will take place solely at the hosting client level. For example, user access ITGCs on the application layer are usually the responsibility of the hosting client, whereas backup or job controls on the application layer will most likely reside within the hosting provider’s area of responsibility.
  - Database and operating system responsibility, however, is most likely located at the hosting provider, so the hosting provider needs to contribute its knowledge during GAIT phases 3 and 4. (Note that resources from the hosting provider need to be requested, allocated and committed up front for performing these GAIT phases.)
- The GAIT implementation has to take place as a joint activity of the hosting client and the hosting provider, as some controls will be the hosting client’s responsibility and others the hosting provider’s. (Note again that hosting provider resources have to be requested, allocated and committed up front for performing the GAIT implementation phase for hosted systems.)
The diagram below illustrates the relationship between the hosting client and the hosting provider during the GAIT analysis.
Please refer to the official “GAIT Methodology” document released by the IIA for detailed information about the execution phases and the GAIT methodology itself.
For further information on internal control systems, we recommend our classroom training courses on the following topics: