Audit and Control Checklist

A comprehensive checklist is essential for information security audits and controls. The following links show you various checklists that you can use to monitor, audit and control the technical as well as management aspects of your security:

The checklist is extracted from the book ("Information Security and Auditing in the Digital Age", A. Umar, NGE Solutions, 2004). It can be customized and expanded/reduced to take into account the following factors: type of company, size of company, specialized situations such as international trade. The checklist is written so that it can be filled out by an auditor. For each item, the answer may be yes, no, or some explanation (e.g., not needed, covered by another category, etc). After reviewing this checklist as part of an audit, the auditor would prepare a risk assessment report to highlight the main risk and suggest future steps.

Color coding

The segments in Customized Checklist are color coded to represent the following:

Organizational Controls and Security Administration

These controls are intended for the entire firm and address the organizational structures, policies and procedures.

Documentation of the Information Systems Strategic Plan

  • Management has developed and implemented long and short term plans that identify and fulfill the organizations strategies ____________________
  • Information systems security is adequately addressed in the organizations long- and short-term plans __________________________
  • The management of the information systems security was established and applied using a structured approach ___________________________________

Information Security Policies and Procedures

  • Information security policies exist ___________
  • These policies are adequate to address Privacy, Integrity, Authorization, Authentication, and Availability (PIA4) in the following areas (circle the ones that are NOT adequately covered by the policies):
    • Web pages
    • Firewalls
    • Employee Surveillance
    • Electronic Banking
    • Viruses
    • Encryption
    • Digital Signatures/Certificates
    • Contingency Planning
    • Laptops/Portable
    • Logging Controls
    • Internet/Intranet
    • Privacy
    • Emergency Response
    • Micro-computers
    • LAN
    • Passwords
    • E-mail
    • Data Classification
    • Telecommuting
    • User Training
    • Ethics
  • Procedures and practices are used by the ISSO to monitor compliance with the above policies____________________
  • Ensure the ISSO has been given the positional authority to address policy violations, or reports to an appropriate level of management __________
  • Documented actions taken to address recent policy violations ___________

Risk Assessment/Ongoing Analysis

  • A framework exists to assess information security risks ________________
  • A methodology adopted for risk assessment ___________________
  • Responsibility assigned for periodically performing risk analysis ___________
  • Risk assessment methodology adequately defines essential elements of risk, provides a qualitative/quantitative measurement of risk, and addresses acceptable risk conclusions ________
  • Risk assessment is appropriately reported to senior management _____________
  • Action plan allows for the acceptance of the residual risks (risks that cannot be controlled) by the management ____________
  • Adequate insurance coverage for the residual risks has been obtained __________

Information Security Organizational (ISSO) Structure

  • The reporting structure and placement of the ISSO function within the organization is defined ___________
  • The position is responsible to the appropriate level of management and is appropriately separated from the IS department ________________
  • Management has defined and implemented security levels related to the sensitivity of specific corporate information _______________

IS/Organization Relationship

  • A planning or steering committee exists to oversee the information services functions, including security ____________________
  • Appropriate level of management comprising the committee ________________
  • Assigned the responsibility for assuring logical and physical security of organizational informational assets to an information security officer, whom reports to senior management ________________________
  • The role of the ISSO is defined at an organization-wide level ___________
  • Organization uses the concept of "data ownership" to assign responsibility for specific corporate information _______________
  • The role of the ISSO specified in the coordination and collection of information as required from internal and external sources _____________

Information Security Staffing

  • Position descriptions exist for the information security position ____________
  • Position descriptions consistent with the ISSO responsibilities ____________
  • Staffing levels adequate in the information security environment ____________

Compliance Requirements

  • External compliance considerations (e.g., government regulations) documented (crucial for healthcare and government agencies) _______________
  • Impact of external relationships (e.g., partnerships) on compliance requirements, has been assessed _____________
  • Appropriate and timely corrective actions have been taken for information security deficiencies in compliance examinations, regulatory reviews, and/or audits conducted so far ________

Physical and Environmental Security

Secure Area

Objective is to prevent unauthorized access, damage and interference to business premises and information.

  • Security Perimeters have been established to protect physical and IT assets (i.e., buildings with doors) __________
  • Protected entry controls, such as the following, have been established to ensure that only authorized personnel are allowed access _______________
    • Badges
    • Limited access to buildings
    • Guards on entrance doors
    • Properly secured and tamper proof wiring
    • Alarm doors
  • Suitable intruder detection systems are installed for this area __________
  • Additional controls established for personnel or third parties (i.e., aware of activities in a secure area on a needs to know basis only) ________________
  • Controls are in place for the delivery and loading areas __________
  • Access from outside is restricted to formally authorized and identified personnel only _______
  • External door is secured when the internal door is opened ______________
  • Packages checked for potential hazards before it is moved from the holding area to the point of use ___________

Equipment Security

Objective is to prevent loss, damage or compromise of assets and interruption to business activities.

  • Equipment is sited to reduce minimum unnecessary access into work areas _______
  • Controls are in place to minimize the risk of theft, fire, explosions, smoke, water, dust, vibration, chemical effects, electrical supply interference and electromagnetic radiation _________
  • A policy exists towards drinking, eating and smoking in proximity to information processing facilities _________
  • Suitable electrical supplies are available should there be a power failure (i.e., backup generator, UPS etc) ____________________
  • Controls exist to ensure that power and telecommunications cabling is protected from interception or damage ___________
  • Equipment maintenance is done periodically ______________
  • Only authorized maintenance personnel carry out repairs and service _______
  • Records kept of all suspected or actual faults ________________
  • Adequate insurance in place to protect equipment taken off -site ________________
  • Controls on authorized equipment exist for off site ____________
  • Sensitive information securely destroyed from retired equipment _______
  • Name of the contractors recorded who get the retired equipment _________
  • Fixed hard disks checked to ensure that sensitive data and licensed software have been removed or overwritten prior to disposal __________

General Controls

Objective is to prevent compromise or theft of information and information processing facilities.

  • A Clear (or Secure) Desk Policy or a Clean screen policy exists _________
  • Other measures to reduce the risk of unauthorized access, loss/damage to information during and outside normal working hours ___________
  • Procedures in place to prevent unauthorized removal of property __________
  • Spot checks in place _______

Operation Management

Production procedures and responsibilities

Objective is to ensure the correct and secure operations of information processing facilities.

Operating Procedures

  • Documented procedures exist that include instructions for each job ________.
  • Procedures include the following:
    • Processing and handling of information __________
    • Scheduling requirements _____________
    • Instructions for handling errors or other exceptional conditions _______________
    • Support contacts _________________
    • Special output handling instructions ____________
    • System restarts and recovery procedures. _________________
    • Close down procedures _________________
    • Back-up procedures __________________
    • Computer room safety procedures _____________

Production Change Control

Production programs should be subject to strict change control. The following items should be considered:

  • An audit log containing all relevant information is retained _________
  • Identification and recording of significant changes _____________
  • Assessment of the potential impact of such changes _____________
  • Formal approval procedure for proposed changes ______________
  • Communication of change details to relevant persons _____________
  • Identification of responsibilities for aborting and recovering from unsuccessful changes ______________

Incident Management Procedures

a) Procedures for security incident including

  • Procedures for information system failures and loss of service __________
  • Denial of service _______________
  • Errors resulting from incomplete or inaccurate business data. ___________
  • Breaches of confidentiality ______________

b) Actions to recover from security breaches and correct system failures that state: :

  • Only authorized staff are allowed access to live system and data. __________
  • All emergency actions are documented in detail ________________
  • Emergency action is reported to management _________
  • Integrity of business systems and controls is confirmed with minimal delay. ________

Segregation of Duties

  • Identification of activities which could be basis of fraud and/or crime
  • To avoid collusion, duties have been segregated to ensure that 2 or more persons are involved

Separation of Development and Production Facilities

  • Separate facilities for development and production software __________________.
  • Different logon procedures for test and production systems to reduce risk of error and production problems _______

External and Outsourced Facilities Management

  • Appropriate controls agreed with contractors and service providers ___________
  • Sensitive or critical applications outsourced ___________
  • Implications of outsourcing on business continuity planning understood _________
  • Security standards ad the process for measuring compliance specified for service providers _________________
  • Specific responsibilities and procedures specified to monitor all security activities and incidents with service providers ______________.

System Planning and Acceptance

Objective is to minimize the risk of systems failure.

Capacity Planning

  • A capacity plan exists __________________________
  • Critical components are included in the capacity plan ______________________

System Acceptance

  • Acceptance criteria for new information systems, upgrades and new versions has been established ________
  • Tests of the systems specified prior to acceptance ______________.
  • For major new development, the operations function and users consulted at all stages in the development __________
  • Requirements and criteria for acceptance include the following:
    • Performance and computer capacity requirements _________
    • Error recovery and restart procedures and contingency plans ________
    • Testing of operating procedures to defined standards _____________
    • Agreed set of security controls for new systems __________
    • Effective manual procedures in case of automation failure
    • Business continuity arrangements for new systems
    • Testing to show that the new system will not adversely effect existing systems particularly at peak processing times ________
    • Testing of the new system to understand security implications ___________

Protection Against Malicious Software

Objective is to protect the integrity of software and information

Controls against malicious software should include:

  • Policy prohibiting the use of unauthorized software ___________
  • Policy to protect against obtaining files and software from untrusted sources _____.
  • Installation and regular update of anti-virus detection and repair of software ______
  • Regular reviews of the software and data content of systems supporting critical business processes __________
  • Procedures for checking files or programs for viruses before use _________
  • Checking electronic mail attachments and downloads for malicious software before use ____________
  • Procedures for virus protection on systems, training in their use, reporting and recovering from virus attacks _____________
  • Business continuity plans for recovering from virus attacks ________________
  • Procedures to verify all information relating to malicious software before issuing warning bulletins _____________

Housekeeping (Traditional, Mainframe Systems)

Objective is to maintain integrity and availability of information processing and communication services.

Information Back-up

  • Back-up arrangement documented in restoration procedures _____________
  • Back-up information stored in a remote location ___________
  • At least 3 generation or cycles of back-up information is retained for important business applications ___________________
  • Back-up/restore procedures tested to ensure that they will work in emergency situations ________

Operator Logs

  • Operation logs of the system activities exist _______
  • Logs contain critical data (e.g., start finish times, system errors and corrective action taken, name of the person making the log entry) __________
  • Logs are subject to regular, independent checks against operating procedures ______

Fault Logging

  • Fault logs show that all have been satisfactorily resolved ______________
  • Corrective measures exist to ensure that controls have not been compromised by personnel ________
  • Actions taken to handle faults are fully authorized ___________

Media Handling and Security

Objective is to prevent damage to assets and interruptions to business activities. Media should be controlled and physically protected.

Management of Removable Computer Media

Objective is to protect removable media such as tapes, disks, cassettes and printed reports.

  • Contents of any re-usable media with highly sensitive information that are to be removed from the organization are erased _______________
  • Authorization is required and an audit trail is kept of all highly sensitive removable media ______________
  • Sensitive media stored in a safe, secure __________________________
  • Procedures for disposal of sensitive media _______________________

Information Handling Procedures

  • Procedures in place for handling and storing of sensitive information
  • Controls in place for:
    • Handling and labeling of all media _________
    • Access restrictions to identify unauthorized personnel _____________
    • Maintenance of a formal record of the authorized recipients of data __________
    • Ensuring that input, processing, and output is validated and verified for sensitive applications _____________
    • Protection of spooled data is at a level consistent with sensitivity _____________
    • Storage of media in secure areas ____________
    • Keeping the distribution of data to a minimum ________________
    • Review of distribution lists and lists of authorized recipients at regular intervals.

Security of System Documentation

  • Systems documentation stored securely ___________________
  • The access list for systems documentation kept to a minimum ________________
  • System documentation not held on a public or unsecure network ______________

Enterprise Level Access Controls

Business Requirement for Access Control

Objective is to control access to Information

The access control policy should state:

  • Security requirements for each application ____________
  • Standard user profiles for common categories of job _______________
  • Management access rights in a network environment _________________

User Access Management

Objective is to prevent unauthorized access to information systems.

Access Set-up/Removal/Review

  • Procedures and standards exist to grant access to new hires, department transfers, vendors, and consultants _____________
  • Procedures and standards to remove access from terminated employees, transferred employees, and discontinued vendors _____________
  • The access lists are reviewed for the sensitive systems _______________
  • Someone has the "ownership" of the user access reviews ________________

User Registration

  • A formal procedure exists for granting access to all information systems and services
  • Use of unique user ID so they are responsible for actions ________________
  • Separate approval for access rights from management ___________________
  • Checking that the access given is appropriate for the business purpose giving users a written statement of their access rights __________________
  • Requiring users to sign the statement so they understand the conditions of their access _________________________
  • Maintaining a register of all persons registered to use the service ______________
  • Periodically checking for removing redundant User Id's from access ____________
  • Ensuring that redundant user IDs are not issued to other users _________________

Privilege Management

  • Controls in place to disallow un-authorized users to override system or application controls ____________
  • A formal management process in place re the allocation of passwords ___________
  • Review of user access rights done reviewed on a regular basis, i.e., every 6 months ____________________

User Responsibilities

Objective is to prevent unauthorized user access.

  • Users advised of the security practices to be followed re Passwords (i.e., keep confidential, avoid keeping a paper record, do not share passwords) _____________
  • Users advised to ensure that unattended equipment has appropriate protection:
    • Terminate active sessions when finished ________________
    • Logoff mainframe systems when session finished _________________
    • Secure PC's or terminals by a key lock or password access when not in use ______

System Development and Maintenance

Security Requirements of System

  • Organization requires that security is built into the information system __________
  • Security requirements analyzed and specified at the design state of new system or enhancement to existing system _______________

Cryptographic Controls

Objective to protect the confidentiality, authenticity or integrity of information.

  • Policy exists on the use of cryptographic controls (i.e., encryption) for the protection of sensitive information _______________
  • Digital signatures are used for authentication where needed ___________________
  • Asymmetric encryption used where appropriate ___________________
  • Non-repudiation services used where needed to resolve disputes involving the use of a digital signature on an electronic contract or payment ______________
  • Proper key management system such as PKI used ________________

Security of System Files

Objective is to ensure that IT projects and support activities are conducted in a secure manner.

Controlof Production software

  • Updating of operational program libraries is only performed by the nominated librarian _________________
  • Operational systems only hold executable code (source code not included for security purposes) _________________
  • Executable code is not implemented on operational system without evidence of successful testing _______________
  • An audit log is maintained of all updates to operational program libraries ________
  • Previous versions of software is retained as a contingency measure _________
  • Vendor supplied software is maintained at the level supported by the supplier _____

Protection of System Test Data

The following are put in place to protect production data when used for testing:

  • The access control procedures, which apply to production application systems, also apply to test application systems __________________
  • Separate authorization needed each time production information is copied to a test application system _______________________
  • Production information is erased after testing is completed _________________
  • Copying and use of production information is logged for audit trails __________

Access Controls to Program Source Library

The following controls are in place to protect potential corruption of computer programs in the source library:

  • Program source libraries are not held on the operational systems ______________
  • A program librarian has been be assigned for all sensitive applications ___________
  • IT support staff does not have unrestricted access to program source libraries ______
  • Programs under development or maintenance are not held in production program source libraries _____________________
  • Updating of program source libraries and issuing of program sources to programmers is only performed by the authorized librarian __________
  • Program listings are held in a secure environment _____________

Security in Development and Support Processes

Objective is to maintain the security of application system software and information.

  • Change control procedures are in place to ensure security and control procedures are not compromised __________________
  • Periodic technical reviews are completed of all operating changes ___________
  • Restrictions exist on changes to vendor software packages (e.g., vendor consent before changes, someone who will maintain future maintenance) __________
  • Protection in place for backdoors and Trojan code through careful buying practices (i.e., buying programs from reputable vendors) and inspections of source code before production use _____________

Business Continuity Management

Objective of business continuity management is to counteract interruptions to business activities and to protect critical business processes from the effects of major failure or disaster.


Compliance with Legal Requirements

Objective is to avoid breaches of any criminal and civil law, statutory, regulatory or contractual.

  • Intellectual property rights, copyrights, and trademarks are complied with through procedures __________________________
  • Proprietary software is registered under license agreements that limits the use of the products to specified machines _____________
  • Safeguarding of organizational records is in place to ensure their use within regulatory retention periods ___________________
  • Cryptographic keys associated with encrypted archives or digital signatures are kept securely ____________________
  • Data protection and Privacy Laws are adhered to _________________
  • A data protection officer has been assigned _______________
  • Cryptographic controls have been implemented which include:
    • Import and/or export of computer hardware and software for performing cryptographic functions _________________
    • Import and/or export of computer hardware and software which is designed to have cryptographic functions added to it _________________________
    • Mandatory and discretionary methods of access by the countries to information encrypted by hardware or software to provide confidentiality of content ________

Reviews of Security Policy and Technical Compliance

Objective is to ensure compliance of systems with organizational security policies and standards:.

  • Compliance with security policy is reviewed periodically ____________
  • Technical compliance is reviewed periodically through examination of production systems controls ______________
  • Naming standards and application codes reviewed for compliance ______________
  • Design of the system is documented __________________
  • Regular design reviews and document reviews are held ____________
  • Existing accounts, products and services are documented _____________
  • Change control standards are documented and reviewed periodically for compliance and enforcement ___________________
  • Walkthroughs held to validate the flow of emergency changes ______________
  • Manual and automated controls are reviewed periodically to ensure they are working as intended by management ____________________

Application Controls

Application controls concentrate on individual (usually sensitive and critical) applications and encompass the whole sequence of application processing.

Application Access Controls

Objective is to prevent un-authorized access to information held in application systems.

  • Access controls are in place to ensure users are restricted to Read, Write, Execute, Delete based on the organizational information access policy _____________
  • Organization has a dedicated (isolated) computing environment for highly sensitive systems _________________________

Exchanges of Information and Software

Objective is to prevent loss, modification or misuse of information exchanged between organizations.

  • Information and software exchange agreements verified before exchange of critical information and software between organizations _______________
  • E-commerce security in place to protect from threats such as fraudulent activity, contract dispute, and disclosure or modification of information _____________
  • Security of sensitive electronic mail is enforced through packages such as PGP, MIME, or others _______
  • Security of electronic office systems (e.g., word documents) is enforced through guidelines, policies, and technologies _______
  • Publicly available systems are protected through policies and technologies _______
  • Security of media in transit is enforced through:
    • Reliable transport/courier company used ___________________
    • Packaging to protect the contents from physical damage _____________
    • Special controls to protect sensitive information (i.e., use of locked containers, delivery by hand, tamper evidence packaging, splitting of the consignment to take different routes, use of digital signature and confidential encryption) _____________

Input, Output and Processing Controls in Application Systems

Objective is to prevent loss, modification or misuse of user data in application systems.

  • Data validation (input edit) is in place to ensure that data input is correct and appropriate before processing ________
  • Validation checks are incorporated into systems to detect corruption by processing errors or through deliberate acts _______________
  • Authorization controls are in place to verify the authority of input providers _______
  • Data conversion controls are in place to minimize conversion errors as data is transcribed from one form to another __________
  • Checks and controls are in place to reconcile data file balances after transaction updates and software download/upload _________________
  • Application processing controls are in place to include the following:
    • Matching controls that compare the input data with information held on system files. _______________
    • Processing edits to verify for reasonableness or consistency during processing of applications__________
    • Control totals during processing to reconcile the input control totals with the totals of items processed _______________
  • Data produced by an application system is validated to ensure the processing of stored information is correct. This validation may include:
    • Checks to test whether the output data is reasonable ____________________
    • Reconciliation control counts to ensure processing of all data ________________
    • Providing sufficient information for a reader or subsequent processing system to determine the accuracy and completeness of the information _____________
    • Procedures for responding to output validation tests _________________
    • Identifying the personnel involved in the data output process ____________
  • Periodic synching and checking of outputs is done with actuals _______________
  • Message authentication is implemented in hardware or software for sensitive message exchanges ________________
  • Message authentication is required where needed _____________________

Controls for XML-based Applications

This is a new area of work in which the XML document itself but also the DTD are also properly controlled.

  • Sensitive XML documents are encrypted by using XML Encryption, XML Signatures or other suitable schemes _______________
  • DTDs of sensitive XML documents are properly controlled so that only authorized personnel can update them ___________

Application and Shared Data Security Controls

  • Additional sets of passwords and security restrictions are in place for sensitive applications __________
  • Additional sets of passwords and security restrictions are in place for sensitive applications __________
  • Security profiles have been created to allow different people different access (e.g., online users, medical record processing, etc) ___________:
  • These profiles are established and maintained by a data security system __________.

Controls on Mobile and Web Services Applications

The objective is to properly control the mobile client, Web tier, and the back-end transaction control issues for mobile applications.

  • Mobile clients are authenticated before they can invoke applications ___________
  • Security checks are done at the wireless gateway (e.g., WAP Gateway) __________
  • Transactions have proper controls for remote invocations _________________
  • Proper controls for Web Services applications are in place:
    • Services defined with WSDL have been properly checked ______
    • Services advertised through UDDI are properly checked __________

Network Security Controls

Objective is to ensure the safeguarding of information in networks and the prevention of the supporting infrastructure.

Network Access Controls

Objective is protection of networked services:

  • There is a security policy concerning the network and network services in the enterprise _____________
  • Policy indicates the network and network services allowed to be accessed, authorization procedures for determining who is allowed access to which networks and networked services ____________
  • Only restricted paths (e.g., dedicated and/or encrypted lines, security firewalls, limited menu and submenu options for users) allowed to sensitive databases and programs _________
  • User authentication for remote users for external connections _____________
  • Segregation of networks (separate logical network domains, firewalls) is in place __________
  • Network connection controls exist for electronic mail, file transfers, interactive access, etc. ________________
  • Network routing controls exist for isolating networks and preventing routes to propagate from the network of one organization into the network of another ______________
  • Public Internet access used to access corporate resources ______________
  • VPN used for external network access _______________
  • A warning message is initiated for users accessing the proprietary network. The wordings may be "You have connected to a proprietary system. Only authorized users may access this system. Access by unauthorized individuals is prohibited and will be prosecuted to the full extent of the law. This system is monitored for unauthorized usage." _____________

Network Firewalls and Controls

  • A firewall policy is in place ______________
  • Firewall does the following type of filtering:
    • Packet filtering ________________
    • Application filtering______________
    • File transfer filtering _______________
    • Other filters (specify) ___________
  • Firewall rules are kept in a secure area and can only be modified by authorized personnel _______________
  • Responsibility for network firewall security is separated from computer operations where appropriate ______________
  • Responsibilities and procedures for the management of remote equipment has been established ______________
  • Special controls have been established for confidentiality and integrity of data passing over public networks ______________

Remote Access Service (RAS) Controls

  • Remote Access Services (RAS) is installed on the server being reviewed _______
  • Remote access authorization is granted based on corporate standards ____________
  • Remote access is granted within the job function ___________
  • Encryption has been set on all RAS logon and authentication information ________
  • Remote access users are monitored and reviewed ___________

Server Platforms Controls


Most organizations at present have servers that are dispersed to different organizational units. Some of these servers are used for departmental or regional computing. For example, a regional office in Atlanta may have a server that handles all the applications and databases at Atlanta. Some servers are used for specialized purposes such as email servers, portal servers, database servers, etc. Although the overall administrative controls discussed previously apply to these servers, the following checklists are intended to assure that these servers are also under proper controls. Some checklists will appear to be redundant with previous lists but they have a different purpose controls on servers and their compliance to the corporate standards and policies. This is a general procedure that can be and should be customized for different types of server platforms such as Windows NT, XP, 200x, Linux, Unix, and others.

Server Security Administration

  • Someone is responsible for operating system administration and maintenance for the platforms ______________
  • Administrators are made aware of system standards and Information Security Standards ______________
  • System and security administration procedures have been formally documented and up-to-date ____________________
  • The following standards are being followed:
    • A standard naming convention is being used _____________________
    • Each user is assigned a unique user id ____________________________.
    • Group IDs and shared/generic account should not be used __________________.
    • The system has been configured to authenticate all users through a valid ID and password
  • Procedures are in place to review server configuration using commercially available tools _________
  • Procedures are in place to ensure that system level accounts are disabled and/or removed for terminated employees ___________________
  • Procedures are in place to ensure that user system access rights are appropriately modified for transferred employees __________________
  • Human Resources department provides security administration personnel with periodic reports of terminated and transferred employees ________________
  • Global password rules have been established by setting appropriate account policies. Examples of the rules are:
    • Minimum Password Age (allow changes in 1 day)
    • Maximum Password Age(60 days)
    • Minimum password length (6 characters)
    • Account Lockout (allow 3 bad attempts)
    • Account Lockout (reset count in 1440 minutes)
    • Lockout Duration (Forever)
    • Password History (Remember 3 passwords)

Monitoring System Access and Use

Objective is to detect unauthorized activities.

  • Audit logs of event logging is being kept for an agreed period ______________
  • Audit logs contain User Id's. dates & times for logon, logoff, terminal identification or location if possible, records of successful and rejected systems, data, and other resource access attempts ________________
  • Procedures are set for monitoring the use of information processing facilities ______
  • Results of the monitoring are reviewed regularly to assess risk factors ___________
  • System clocks are reviewed to ensure accuracy (correct setting of computer clocks is important to ensure the accuracy of audit logs) _____________________

Operating System Access Controls

Objective is to prevent unauthorized computer access.

  • Automatic terminal identification in place to authenticate connections to specific locations and to portable equipment _______________________
  • Logon procedure not display system or application identification until logon successfully completed ___________________
  • A general notice is displayed that the computer should only be accessed by authorized users __________________________
  • Number of unsuccessful logon attempts is limited to 3 _______________
  • Unsuccessful attempts are recorded rigorously _______________________
  • The password management system:
    • Enforces the use of individual passwords to maintain accountability ___________
    • Allow users to select and change their own passwords _______________
    • Enforces a choice of quality passwords ___________________
    • Enforces password changes periodically (e.g., passwords expire once a month or twice a year) ___________
    • Stores password files separately to application system data _______________
    • Stores passwords in encrypted form ________________________
    • Alters default vendor passwords following installation of software ____________

User Accounts

  • Guest account has been disabled ___________________
  • Administrator account has been renamed to stop intruders from accessing this account ________
  • Strong password has been set for the administrator accounts _____________
  • Administrator has his unique account assigned to only him, and not shared by other administrators __________________
  • Logon scripts are secured with restricted access permission ________________
  • User is required to change the password at the time of initial logon ______________
  • Length of time restrictions are placed on system accounts provided to contractors and temporary workers ____________________


  • A structure exists to group user IDs by department or job functions in order to be efficiently administered by security _______________________________
  • The rights have been assigned to the global groups and the group membership and privileges are appropriate _______________________
  • The rights have been assigned to the local groups. Verify that group membership and privileges are appropriate _______________________
  • There is a business purpose for each global group _____________________
  • There is a business purpose for each local group _________________________
  • The number of users with privileged access is limited ____________________

User Rights

  • Standard user access rights (read, write, execute) specified _________
  • Any user given rights outside standard require special authorization _________
  • Periodic review of user access rights in place to ensure that access rights remain commensurate with user job responsibilities ________________
  • Audit software is used as part of the regular reviews _____________

System Registry Security

  • File and directory permissions are appropriate for groups with access _______
  • Permissions set for the critical Registry keys are configured to recommended standards __________

Operating System Configuration

  • Formal procedures are in place over the installation of new servers to ensure the consistency of operating system configuration settings throughout the processing environment ______________
  • Formal standards and procedures are in place over the implementation of operating system upgrades _____________
  • Operating system installations/upgrades are thoroughly tested and hardened before being loaded into the production environment ___________
  • Fallback procedures are in place for operating system upgrades ______________
  • Controls are in place to ensure that operating system security configuration changes are authorized and approved ___________________
  • Records are maintained to document all modifications and fixes to operating system security ___________________
  • Secure passwords for predefined system accounts (i.e., Administrator, Guest, etc.) are assigned immediately upon installation or upgrade _____________
  • Powerful system utilities that assist system administrators (i.e., disk management, system registry editing, etc) are appropriately restricted to authorized system personnel only _____________
  • Appropriate trust relationships have been established based on corporate standards __________
  • Formal standards and procedures exist over the configuration of security at the directory and file level ____________
  • Key system directories are secured __________________
  • Access to key system directories is restricted to system administration personnel _____________
  • Permissions assigned to shared resources within the environment have been restricted _______________

File and Directory Protection

  • Critical production application directories, subdirectories, and files have been identified _________
  • Critical directory and file permissions are set based on corporate standards ___________
  • Users are not granted access to modify key system programs _____________


  • Systems have been configured to log audit events such as:
    • Log-on and log-off activity (failure) ________
    • Security policy changes (failure) __________
    • Restart and Shutdown (failure) ___________
  • System audit log files are secured __________
  • Audit logs are backed up on a regular basis _______
  • Audit logs are reviewed by appropriate security/system administration personnel on a regular basis __________________
  • Escalation procedures are in place to ensure that detected security events are appropriately investigated in a timely manner __________________
  • Reports are produced to evaluate trends in the audit log information ______________
  • Procedures established to prevent, detect, and recover from computer viruses _________
  • Invalid attempts to exercise administrative rights are tracked _______________

Server Backup Recovery

  • Backup and recovery procedures are in place _________________

Server Physical Security

  • Critical servers are physically secured from unauthorized access.

Additional IT Infrastructure Controls

These controls are overall controls governing the organization's information technology infrastructure. The following starter checklist can be extended considerably: