Process summary

Access control process

When hiring a new employee, no background check is performed. The company views everyone as ethical and honest. Prior to gaining access to the Critical system, an end user will request access via his or her supervisor. The supervisor will then acknowledge to the administration office for Critical that the end user is an authorized user and that the access that he or she is requesting is appropriate. In many cases, no record of the access request or approval is retained and the system does not record the date when access was granted. After the initial system access is granted, all further access requests are made directly by the end user and the administration office for Critical. When an employee no longer works for StellenTEK, his or her system access is deactivated.

Process flow

Members of the sales team have enduser access to the Critical system. This enables them to enter data in the Critical system daily to capture the items sold to their specific customers. Sales managers are granted access as powerusers and can enter data into the system for all customers. All members of the sales team receive quarterly bonuses based on the number of new customer accounts they create. When a new customer is created, the system automatically scans the other customer names looking for duplicates. If no duplicates are found, the account is marked "new."

In addition to connecting healthcare managers with their clients, StellenTEK also sells an exclusive line of health supplements. The system tracks the amount and location of each product sold. Every day, the inventory is replenished as necessary. There is a separation of duties between various departments. A summary of the products sold and the location is available every day using the corporate data warehouse. Some managers prefer to see their results in a paper report.

Configuration management process

Requests for software changes are made in the Rational ticketing tracker, which establishes a workflow for change approvers. All changes must be tracked in the Rational ticket tracker. Changes must be approved by the Change Manager (CM) prior to being assigned to a software developer. After development, changes are reviewed by the Change Control Board (CCB), which meets on a weekly basis, prior to being approved for production.

As a note, all software testing is performed in the testing environment and then moved into the development environment. Testing is completed by comparing the software's functionality to the requirements. The Quality Assurance (QA) team allocates its time testing updates based on which updates are determined to be significant. After approval, the new version of the software is moved into the Production environment and end users can use the new software.

During the CCB meeting, the change and the testing results are reviewed for the security impact and for the impact on the other systems. Changes must be approved by the CCB prior to implementation into production. This process requires a lot of coordination and takes some time. StellenTEK is in the IT business, so software updates cannot be delayed. The CCB review and approval process is sometimes skipped if the project is running behind