Audit and Control Checklist
A comprehensive checklist is essential for information security audits and controls. The following checklists can be used to monitor, audit and control the technical as well as the management aspects of your security:
The checklist is extracted from the book "Information Security and Auditing in the Digital Age" (A. Umar, NGE Solutions, 2004). It can be customized and expanded or reduced to take into account factors such as the type of company, the size of the company, and specialized situations such as international trade. The checklist is written so that it can be filled out by an auditor. For each item, the answer may be yes, no, or an explanation (e.g., not needed, covered by another category). After reviewing this checklist as part of an audit, the auditor prepares a risk assessment report that highlights the main risks and suggests next steps.
Color coding
The segments in Customized Checklist are color coded to represent the following:
- If the segment is "Black", no change needed to this segment
- If the segment is "Blue", you can reduce this segment or even remove it according to your requirement
- If the segment is "Red", you may need to expand this segment according to your requirements
Application Controls
Application controls concentrate on individual (usually sensitive and critical) applications and encompass the whole sequence of application processing.
Application Access Controls
The objective is to prevent unauthorized access to information held in application systems.
- Access controls are in place to ensure users are restricted to Read, Write, Execute, Delete based on the organizational information access policy _____________
- Organization has a dedicated (isolated) computing environment for highly sensitive systems _________________________
Exchanges of Information and Software
The objective is to prevent loss, modification or misuse of information exchanged between organizations.
- Information and software exchange agreements verified before exchange of critical information and software between organizations _______________
- E-commerce security in place to protect from threats such as fraudulent activity, contract dispute, and disclosure or modification of information _____________
- Security of sensitive electronic mail is enforced through packages such as PGP, MIME, or others _______
- Security of electronic office systems (e.g., word documents) is enforced through guidelines, policies, and technologies _______
- Publicly available systems are protected through policies and technologies _______
- Security of media in transit is enforced through:
  - Reliable transport/courier company used ___________________
  - Packaging to protect the contents from physical damage _____________
  - Special controls to protect sensitive information (e.g., use of locked containers, delivery by hand, tamper-evident packaging, splitting of the consignment to take different routes, use of digital signatures and encryption) _____________
Input, Output and Processing Controls in Application Systems
The objective is to prevent loss, modification or misuse of user data in application systems.
- Data validation (input edit) is in place to ensure that data input is correct and appropriate before processing ________
- Validation checks are incorporated into systems to detect corruption by processing errors or through deliberate acts _______________
- Authorization controls are in place to verify the authority of input providers _______
- Data conversion controls are in place to minimize conversion errors as data is transcribed from one form to another __________
- Checks and controls are in place to reconcile data file balances after transaction updates and software download/upload _________________
- Application processing controls are in place to include the following:
  - Matching controls that compare the input data with information held on system files _______________
  - Processing edits to verify reasonableness or consistency during processing of applications __________
  - Control totals during processing to reconcile the input control totals with the totals of items processed _______________
- Data produced by an application system is validated to ensure the processing of stored information is correct. This validation may include:
  - Checks to test whether the output data is reasonable ____________________
  - Reconciliation control counts to ensure processing of all data ________________
  - Providing sufficient information for a reader or subsequent processing system to determine the accuracy and completeness of the information _____________
  - Procedures for responding to output validation tests _________________
  - Identifying the personnel involved in the data output process ____________
- Outputs are periodically synchronized and checked against actuals _______________
- Message authentication is implemented in hardware or software for sensitive message exchanges ________________
- Message authentication is required where needed _____________________
Controls for XML-based Applications
This is a newer area of control in which not only the XML document itself but also its DTD must be properly controlled.
- Sensitive XML documents are protected using XML Encryption, XML Signatures or other suitable schemes _______________
- DTDs of sensitive XML documents are properly controlled so that only authorized personnel can update them ___________
Application and Shared Data Security Controls
- Additional sets of passwords and security restrictions are in place for sensitive applications __________
- Security profiles have been created to allow different people different access (e.g., online users, medical record processing, etc.) ___________
  - These profiles are established and maintained by a data security system __________
Controls on Mobile and Web Services Applications
The objective is to properly control the mobile client, Web tier, and the back-end transaction control issues for mobile applications.
- Mobile clients are authenticated before they can invoke applications ___________
- Security checks are done at the wireless gateway (e.g., WAP Gateway) __________
- Transactions have proper controls for remote invocations _________________
- Proper controls for Web Services applications are in place:
  - Services defined with WSDL have been properly checked ______
  - Services advertised through UDDI are properly checked __________
Server Platforms Controls
Overview
Most organizations at present have servers that are dispersed across different organizational units. Some of these servers are used for departmental or regional computing. For example, a regional office in Atlanta may have a server that handles all the applications and databases at Atlanta. Other servers are used for specialized purposes such as email servers, portal servers, database servers, etc. Although the overall administrative controls discussed previously apply to these servers, the following checklists are intended to assure that these servers are also under proper control. Some checklists will appear redundant with previous lists, but they serve a different purpose: controls on servers and their compliance with corporate standards and policies. This is a general procedure that can be and should be customized for different types of server platforms such as Windows NT, XP, 200x, Linux, Unix, and others.
Server Security Administration
- Someone is responsible for operating system administration and maintenance for the platforms ______________
- Administrators are made aware of system standards and Information Security Standards ______________
- System and security administration procedures are formally documented and kept up to date ____________________
- The following standards are being followed:
  - A standard naming convention is being used _____________________
  - Each user is assigned a unique user ID ____________________________
  - Group IDs and shared/generic accounts are not used __________________
  - The system has been configured to authenticate all users through a valid ID and password ____________
- Procedures are in place to review server configuration using commercially available tools _________
- Procedures are in place to ensure that system level accounts are disabled and/or removed for terminated employees ___________________
- Procedures are in place to ensure that user system access rights are appropriately modified for transferred employees __________________
- Human Resources department provides security administration personnel with periodic reports of terminated and transferred employees ________________
- Global password rules have been established by setting appropriate account policies. Examples of the rules are:
  - Minimum Password Age (allow changes in 1 day)
  - Maximum Password Age (60 days)
  - Minimum Password Length (6 characters)
  - Account Lockout (allow 3 bad attempts)
  - Account Lockout (reset count in 1440 minutes)
  - Lockout Duration (Forever)
  - Password History (remember 3 passwords)
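An added example, not from the book or the checklist, of how an auditor could compare a server's account policy against the rule values listed above: it parses key/value output laid out like Windows `net accounts` and marks each rule as compliant or not. The label names and the sample output are constructed assumptions.

```python
# Thresholds are the "Global password rules" examples above. Rule kinds: "min"
# => value >= limit, "max" => value <= limit, "forever" => non-numeric (never expires).
RULES = {
    "Minimum password age (days)": ("min", 1),
    "Maximum password age (days)": ("max", 60),
    "Minimum password length": ("min", 6),
    "Lockout threshold": ("max", 3),
    "Lockout observation window (minutes)": ("min", 1440),
    "Lockout duration (minutes)": ("forever", None),
    "Length of password history maintained": ("min", 3),
}

def parse_policy(text):
    """Parse 'Label: value' lines; returns {label: value} (assumed layout)."""
    policy = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            policy[label.strip()] = value.strip()
    return policy

def check_policy(policy):
    """Return {label: (compliant, observed value)} for every rule."""
    findings = {}
    for label, (kind, limit) in RULES.items():
        raw = policy.get(label, "missing")
        number = int(raw) if raw.isdigit() else None
        if kind == "forever":
            ok = number is None and raw != "missing"   # e.g. "Forever"
        elif number is None:
            ok = False        # "Never", "Unlimited" or missing where a limit applies
        elif kind == "min":
            ok = number >= limit
        else:
            ok = number <= limit
        findings[label] = (ok, raw)
    return findings

# Constructed sample, laid out like `net accounts` output (labels assumed).
SAMPLE = """\
Minimum password age (days):            0
Maximum password age (days):            90
Minimum password length:                8
Lockout threshold:                      Never
Lockout duration (minutes):             30
Lockout observation window (minutes):   30
"""

if __name__ == "__main__":
    for label, (ok, seen) in check_policy(parse_policy(SAMPLE)).items():
        print(f"{'PASS' if ok else 'FAIL'}  {label}: {seen}")
```

A rule whose label is absent from the output is reported as "missing" and fails, so an incomplete export cannot pass silently.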
Monitoring System Access and Use
The objective is to detect unauthorized activities.
- Audit logs of system events are kept for an agreed period ______________
- Audit logs contain user IDs, dates and times of logon and logoff, terminal identification or location if possible, and records of successful and rejected system, data, and other resource access attempts ________________
- Procedures are set for monitoring the use of information processing facilities ______
- Results of the monitoring are reviewed regularly to assess risk factors ___________
- System clocks are reviewed to ensure accuracy (correct setting of computer clocks is important to ensure the accuracy of audit logs) _____________________
Operating System Access Controls
The objective is to prevent unauthorized computer access.
- Automatic terminal identification is in place to authenticate connections to specific locations and to portable equipment _______________________
- The logon procedure does not display system or application identification until logon is successfully completed ___________________
- A general notice is displayed that the computer should only be accessed by authorized users __________________________
- Number of unsuccessful logon attempts is limited to 3 _______________
- Unsuccessful attempts are recorded rigorously _______________________
- The password management system:
  - Enforces the use of individual passwords to maintain accountability ___________
  - Allows users to select and change their own passwords _______________
  - Enforces a choice of quality passwords ___________________
  - Enforces periodic password changes (e.g., passwords expire once a month or twice a year) ___________
  - Stores password files separately from application system data _______________
  - Stores passwords in encrypted form ________________________
  - Alters default vendor passwords following installation of software ____________
User Accounts
- Guest account has been disabled ___________________
- Administrator account has been renamed to stop intruders from accessing this account ________
- Strong password has been set for the administrator accounts _____________
- Each administrator has a unique account that is not shared with other administrators __________________
- Logon scripts are secured with restricted access permission ________________
- User is required to change the password at the time of initial logon ______________
- Time limits are placed on system accounts provided to contractors and temporary workers ____________________
Groups
- A structure exists to group user IDs by department or job function so that they can be efficiently administered by security staff _______________________________
- Rights have been assigned to the global groups, and group membership and privileges are appropriate _______________________
- Rights have been assigned to the local groups, and group membership and privileges are appropriate _______________________
- There is a business purpose for each global group _____________________
- There is a business purpose for each local group _________________________
- The number of users with privileged access is limited ____________________
User Rights
- Standard user access rights (read, write, execute) are specified _________
- Any user given rights beyond the standard set requires special authorization _________
- Periodic review of user access rights in place to ensure that access rights remain commensurate with user job responsibilities ________________
- Audit software is used as part of the regular reviews _____________
System Registry Security
- File and directory permissions are appropriate for groups with access _______
- Permissions set for the critical Registry keys are configured to recommended standards __________
Operating System Configuration
- Formal procedures are in place over the installation of new servers to ensure the consistency of operating system configuration settings throughout the processing environment ______________
- Formal standards and procedures are in place over the implementation of operating system upgrades _____________
- Operating system installations/upgrades are thoroughly tested and hardened before being loaded into the production environment ___________
- Fallback procedures are in place for operating system upgrades ______________
- Controls are in place to ensure that operating system security configuration changes are authorized and approved ___________________
- Records are maintained to document all modifications and fixes to operating system security ___________________
- Secure passwords for predefined system accounts (e.g., Administrator, Guest) are assigned immediately upon installation or upgrade _____________
- Powerful system utilities that assist system administrators (e.g., disk management, system registry editing) are appropriately restricted to authorized system personnel only _____________
- Appropriate trust relationships have been established based on corporate standards __________
- Formal standards and procedures exist over the configuration of security at the directory and file level ____________
- Key system directories are secured __________________
- Access to key system directories is restricted to system administration personnel _____________
- Permissions assigned to shared resources within the environment have been restricted _______________
File and Directory Protection
- Critical production application directories, subdirectories, and files have been identified _________
- Critical directory and file permissions are set based on corporate standards ___________
- Users are not granted access to modify key system programs _____________
Monitoring/Auditing/Reporting
- Systems have been configured to log audit events such as:
  - Log-on and log-off activity (failure) ________
  - Security policy changes (failure) __________
  - Restart and shutdown (failure) ___________
- System audit log files are secured __________
- Audit logs are backed up on a regular basis _______
- Audit logs are reviewed by appropriate security/system administration personnel on a regular basis __________________
- Escalation procedures are in place to ensure that detected security events are appropriately investigated in a timely manner __________________
- Reports are produced to evaluate trends in the audit log information ______________
- Procedures are established to prevent, detect, and recover from computer viruses _________
- Invalid attempts to exercise administrative rights are tracked _______________
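An added example, not part of the original checklist, of the log review the monitoring items above call for: it parses constructed audit log lines, flags records that lack a required field (user ID, time, terminal, outcome), and reports users exceeding the 3-attempt logon limit, policy-change and restart/shutdown events, and failed attempts to exercise administrative rights. The log format is an assumption made for this example.

```python
from collections import Counter

# Constructed sample log for this example; the field layout (timestamp,
# user id, event, outcome, terminal) is an assumption, not a checklist format.
SAMPLE_LOG = """\
2004-03-01T08:02:11 alice LOGON success ws-12
2004-03-01T08:05:40 bob LOGON failure ws-07
2004-03-01T08:05:52 bob LOGON failure ws-07
2004-03-01T08:06:03 bob LOGON failure ws-07
2004-03-01T08:06:15 bob LOGON failure ws-07
2004-03-01T09:10:00 carol POLICY_CHANGE success srv-01
2004-03-01T09:12:30 dave PRIVILEGE_USE failure srv-01
garbled line without the required fields
2004-03-01T23:59:00 system SHUTDOWN success srv-01
"""

MAX_FAILED_LOGONS = 3                                    # checklist limit
STATE_EVENTS = {"POLICY_CHANGE", "RESTART", "SHUTDOWN"}  # always escalated
FIELDS = ("ts", "user", "event", "outcome", "terminal")

def parse_log(text):
    """Return (records, incomplete): lines missing a required field are flagged."""
    records, incomplete = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(FIELDS):
            incomplete.append(line)
        else:
            records.append(dict(zip(FIELDS, fields)))
    return records, incomplete

def review(records):
    """Apply the monitoring items above and return the findings per item."""
    failed = Counter(r["user"] for r in records
                     if r["event"] == "LOGON" and r["outcome"] == "failure")
    return {
        "lockout_exceeded": {u: n for u, n in failed.items()
                             if n > MAX_FAILED_LOGONS},
        "state_changes": [(r["ts"], r["user"], r["event"])
                          for r in records if r["event"] in STATE_EVENTS],
        "failed_privilege_use": [(r["ts"], r["user"], r["terminal"])
                                 for r in records if r["event"] == "PRIVILEGE_USE"
                                 and r["outcome"] == "failure"],
    }

if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(review(recs), f"{len(bad)} incomplete record(s)")
```

Incomplete records are returned separately rather than dropped, since a log that is missing the fields the checklist requires is itself an audit finding.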
Server Backup Recovery
- Backup and recovery procedures are in place _________________
Server Physical Security
- Critical servers are physically secured from unauthorized access _________________