7/23/2019 IT Audit Checklist
http://slidepdf.com/reader/full/it-audit-checklist 1/40
Information Security Management

Table of Contents

Security Policy
    Information security policy
Organization of information security
    Internal Organization
    External Parties
Asset Management
    Responsibility for assets
    Information classification
Human resources security
    Prior to employment
    During employment
    Termination or change of employment
Physical and Environmental Security
    Secure Areas
    Equipment Security
Communications and Operations Management
    Operational Procedures and responsibilities
    Third party service delivery management
    System planning and acceptance
    Protection against malicious and mobile code
    Backup
    Network Security Management
    Media handling
    Exchange of Information
Audit Checklist #$%&'%'$&5
    Electronic Commerce Services
    Monitoring
Access Control
    Business Requirement for Access Control
    User Access Management
    User Responsibilities
    Network Access Control
    Operating system access control
    Application and Information Access Control
    Mobile Computing and teleworking
Information systems acquisition, development and maintenance
    Security requirements of information systems
    Correct processing in applications
    Cryptographic controls
    Security of system files
    Security in development and support processes
    Technical Vulnerability Management
Information security incident management
    Reporting information security events and weaknesses
    Management of information security incidents and improvements
Business Continuity Management
    Information security aspects of business continuity management
Compliance
    Compliance with legal requirements
    Compliance with security policies and standards, and technical compliance
    Information Systems audit considerations
References
Information Security Management Audit Check List

Auditor Name: __________________________    Audit Date: __________________________

Information Security Management Audit Check List
Reference | Audit area, objective and question | Results
Checklist / Standard | Section / Audit Question | Findings / Compliance
1.1 / 5.1  Security Policy
Information security policy

1.1.1 / 5.1.1  Information security policy document
    Whether there exists an Information security policy, which is approved by the management, published and communicated as appropriate to all employees.
    Whether the policy states management commitment and sets out the organizational approach to managing information security.

1.1.2 / 5.1.2  Review of Information Security Policy
    Whether the Information Security Policy is reviewed at planned intervals, or if significant changes occur, to ensure its continuing suitability, adequacy and effectiveness.
    Whether the Information Security policy has an owner, who has approved management responsibility for development, review and evaluation of the security policy.
    Whether any defined Information Security Policy review procedures exist, and whether they include requirements for the management review.
    Whether the results of the management review are taken into account.
    Whether management approval is obtained for the revised policy.

2.1 / 6.1  Organization of information security
Internal Organization

2.1.1 / 6.1.1  Management commitment to information security
    Whether management demonstrates active support for security measures within the organization. This can be done via clear direction, demonstrated commitment, explicit assignment and acknowledgement of information security responsibilities.

2.1.2 / 6.1.2  Information security coordination
    Whether information security activities are coordinated by representatives from diverse parts of the organization, with pertinent roles and responsibilities.

2.1.3 / 6.1.3  Allocation of information security responsibilities
    Whether responsibilities for the protection of individual assets, and for carrying out specific security processes, were clearly identified and defined.

2.1.4 / 6.1.4  Authorization process for information processing facilities
    Whether a management authorization process is defined and implemented for any new information processing facility within the organization.
2.1.5 / 6.1.5  Confidentiality agreements
    Whether the organization's need for Confidentiality or Non-Disclosure Agreements (NDA) for protection of information is clearly defined and regularly reviewed.
    Does this address the requirement to protect the confidential information using legally enforceable terms?

2.1.6 / 6.1.6  Contact with authorities
    Whether there exists a procedure that describes when, and by whom, relevant authorities such as law enforcement, fire department etc. should be contacted, and how the incident should be reported.

2.1.7 / 6.1.7  Contact with special interest groups
    Whether appropriate contacts with special interest groups or other specialist security forums, and professional associations, are maintained.

2.1.8 / 6.1.8  Independent review of information security
    Whether the organization's approach to managing information security, and its implementation, is reviewed independently at planned intervals, or when major changes to the security implementation occur.

2.2 / 6.2  External Parties

2.2.1 / 6.2.1  Identification of risks related to external parties
    Whether risks to the organization's information and information processing facility, from a process involving external party access, are identified and appropriate control measures implemented before granting access.

2.2.2 / 6.2.2  Addressing security when dealing with customers
    Whether all identified security requirements are fulfilled before granting customer access to the organization's information or assets.

2.2.3 / 6.2.3  Addressing Security in third party agreements
    Whether the agreement with third parties, involving accessing, processing, communicating or managing the organization's information or information processing facility, or introducing products or services to the information processing facility, complies with all appropriate security requirements.
3.1 / 7.1  Asset Management
Responsibility for assets

3.1.1 / 7.1.1  Inventory of assets
    Whether all assets are identified and an inventory or register is maintained with all the important assets.

3.1.2 / 7.1.2  Ownership of assets
    Whether each asset identified has an owner, a defined and agreed-upon security classification, and access restrictions that are periodically reviewed.

3.1.3 / 7.1.3  Acceptable use of assets
    Whether regulations for acceptable use of information and assets associated with an information processing facility were identified, documented and implemented.

3.2 / 7.2  Information classification

3.2.1 / 7.2.1  Classification guidelines
    Whether the information is classified in terms of its value, legal requirements, sensitivity and criticality to the organization.

3.2.2 / 7.2.2  Information labelling and handling
    Whether an appropriate set of procedures is defined for information labelling and handling, in accordance with the classification scheme adopted by the organization.
4.1 / 8.1  Human resources security
Prior to employment

4.1.1 / 8.1.1  Roles and responsibilities
    Whether the security roles and responsibilities of employees, contractors and third party users were defined and documented in accordance with the organization's information security policy.
    Were the roles and responsibilities defined and clearly communicated to job candidates during the pre-employment process?

4.1.2 / 8.1.2  Screening
    Whether background verification checks for all candidates for employment, contractors, and third party users were carried out in accordance with the relevant regulations.
    Does the check include character references, confirmation of claimed academic and professional qualifications, and independent identity checks?

4.1.3 / 8.1.3  Terms and conditions of employment
    Whether employees, contractors and third party users are asked to sign a confidentiality or non-disclosure agreement as a part of their initial terms and conditions of the employment contract.
    Whether this agreement covers the information security responsibilities of the organization and of the employee, third party users and contractors.
4.2 / 8.2  During employment

4.2.1 / 8.2.1  Management responsibilities
    Whether the management requires employees, contractors and third party users to apply security in accordance with the established policies and procedures of the organization.

4.2.2 / 8.2.2  Information security awareness, education and training
    Whether all employees in the organization, and where relevant, contractors and third party users, receive appropriate security awareness training and regular updates on organizational policies and procedures as they pertain to their job function.

4.2.3 / 8.2.3  Disciplinary process
    Whether there is a formal disciplinary process for employees who have committed a security breach.

4.3 / 8.3  Termination or change of employment

4.3.1 / 8.3.1  Termination responsibilities
    Whether responsibilities for performing employment termination, or change of employment, are clearly defined and assigned.

4.3.2 / 8.3.2  Return of assets
    Whether there is a process in place that ensures all employees, contractors and third party users surrender all of the organization's assets in their possession upon termination of their employment, contract or agreement.

4.3.3 / 8.3.3  Removal of access rights
    Whether access rights of all employees, contractors and third party users, to information and information processing facilities, will be removed upon termination of their employment, contract or agreement, or will be adjusted upon change.
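When testing 8.3.3 an auditor typically obtains the HR leaver list and an export from the identity store and reconciles the two. The script below is an added example and not part of the checklist: it assumes two CSV exports with the columns shown (both constructed here, as are the user names and dates) and flags leavers whose accounts were still enabled after a grace period, or whose accounts were used after the termination date even if they were disabled later.

```python
"""Reconcile an HR leaver list against an account export (evidence for control 8.3.3).

Added example; the two CSV layouts and all rows are constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR export: who left and when.
HR_LEAVERS_CSV = """user_id,termination_date
alice,2024-03-01
bob,2024-03-10
carol,2024-03-12
dave,2024-02-20
"""

# Constructed identity-store export: current state of each account.
ACCOUNT_EXPORT_CSV = """user_id,enabled,last_login
alice,false,2024-02-28
bob,true,2024-03-11
carol,true,2024-03-09
dave,false,2024-03-05
erin,true,2024-03-12
"""


def parse_leavers(text):
    """Map user_id -> termination date."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["user_id"]: date.fromisoformat(r["termination_date"]) for r in rows}


def parse_accounts(text):
    """Map user_id -> {'enabled': bool, 'last_login': date or None}."""
    accounts = {}
    for r in csv.DictReader(io.StringIO(text)):
        accounts[r["user_id"]] = {
            "enabled": r["enabled"].strip().lower() == "true",
            "last_login": date.fromisoformat(r["last_login"]) if r["last_login"] else None,
        }
    return accounts


def reconcile(leavers, accounts, as_of, grace_days=1):
    """Return one finding per control failure, sorted for stable reporting.

    enabled_after_termination: account still enabled once the grace period has passed.
    login_after_termination:   account was used after the termination date, even if it
                               has since been disabled (the removal came too late).
    """
    findings = []
    for user, term_date in leavers.items():
        acct = accounts.get(user)
        if acct is None:
            continue  # no account in this system, nothing to remove
        deadline = term_date + timedelta(days=grace_days)
        if acct["enabled"] and as_of > deadline:
            findings.append({"user_id": user, "issue": "enabled_after_termination",
                             "days_overdue": (as_of - deadline).days})
        if acct["last_login"] is not None and acct["last_login"] > term_date:
            findings.append({"user_id": user, "issue": "login_after_termination",
                             "last_login": acct["last_login"].isoformat()})
    return sorted(findings, key=lambda f: (f["user_id"], f["issue"]))


def run_sample():
    """Reconcile the constructed exports as of 2024-03-12 with a one-day grace period."""
    return reconcile(parse_leavers(HR_LEAVERS_CSV),
                     parse_accounts(ACCOUNT_EXPORT_CSV),
                     as_of=date(2024, 3, 12))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed data this reports three findings: bob is still enabled one day past the grace period and logged in after leaving, and dave's account, although now disabled, was used after the termination date. The same reconciliation should be run against every system that holds its own accounts, not only the central directory, and the grace period should match the one the organization's termination procedure (8.3.1) actually commits to.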
5.1 / 9.1  Physical and Environmental Security
Secure Areas

5.1.1 / 9.1.1  Physical Security Perimeter
    Whether a physical border security facility has been implemented to protect the information processing service.
    Some examples of such security facilities are card-controlled entry gates, walls, manned reception, etc.

5.1.2 / 9.1.2  Physical entry Controls
    Whether entry controls are in place to allow only authorized personnel into various areas within the organization.

5.1.3 / 9.1.3  Securing Offices, rooms and facilities
    Whether the rooms which house the information processing service are locked or have lockable cabinets or safes.

5.1.4 / 9.1.4  Protecting against external and environmental threats
    Whether physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster has been designed and applied.
    Whether there is any potential threat from neighbouring premises.

5.1.5 / 9.1.5  Working in Secure Areas
    Whether physical protection and guidelines for working in secure areas are designed and implemented.

5.1.6 / 9.1.6  Public access, delivery and loading areas
    Whether the delivery, loading, and other areas where unauthorized persons may enter the premises are controlled, and information processing facilities are isolated, to avoid unauthorized access.

5.2 / 9.2  Equipment Security

5.2.1 / 9.2.1  Equipment siting and protection
    Whether the equipment is protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

5.2.2 / 9.2.2  Supporting utilities
    Whether the equipment is protected from power failures and other disruptions caused by failures in supporting utilities.
    Whether means of ensuring permanence of power supplies, such as a multiple feed, an Uninterruptible Power Supply (UPS), a backup generator, etc., are being utilized.

5.2.3 / 9.2.3  Cabling Security
    Whether the power and telecommunications cabling, carrying data or supporting information services, is protected from interception or damage.
    Whether there are any additional security controls in place for sensitive or critical information.

5.2.4 / 9.2.4  Equipment Maintenance
    Whether the equipment is correctly maintained to ensure its continued availability and integrity.
    Whether the equipment is maintained as per the supplier's recommended service intervals and specifications.
    Whether the maintenance is carried out only by authorized personnel.
    Whether logs are maintained of all suspected or actual faults and all preventive and corrective measures.
    Whether appropriate controls are implemented while sending equipment off premises.
    Is the equipment covered by insurance, and are the insurance requirements satisfied?
5.2.5 / 9.2.5  Securing of equipment off-premises
    Whether risks were assessed with regard to any equipment usage outside the organization's premises, and mitigation controls implemented.
    Whether the usage of an information processing facility outside the organization has been authorized by the management.

5.2.6 / 9.2.6  Secure disposal or re-use of equipment
    Whether all equipment containing storage media is checked to ensure that any sensitive information or licensed software is physically destroyed, or securely overwritten, prior to disposal or reuse.

5.2.7 / 9.2.7  Removal of property
    Whether any controls are in place so that equipment, information and software are not taken offsite without prior authorization.

6.1 / 10.1  Communications and Operations Management
Operational Procedures and responsibilities

6.1.1 / 10.1.1  Documented Operating procedures
    Whether the operating procedures are documented, maintained and available to all users who need them.
    Whether such procedures are treated as formal documents, and therefore any changes made need management authorization.
6.1.2 / 10.1.2  Change management
    Whether all changes to information processing facilities and systems are controlled.

6.1.3 / 10.1.3  Segregation of duties
    Whether duties and areas of responsibility are separated, in order to reduce opportunities for unauthorized modification or misuse of information or services.

6.1.4 / 10.1.4  Separation of development, test and operational facilities
    Whether the development and testing facilities are isolated from operational facilities. For example, development and production software should be run on different computers. Where necessary, development and production networks should be kept separate from each other.

6.2 / 10.2  Third party service delivery management

6.2.1 / 10.2.1  Service delivery
    Whether measures are taken to ensure that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party.

6.2.2 / 10.2.2  Monitoring and review of third party services
    Whether the services, reports and records provided by the third party are regularly monitored and reviewed.
    Whether audits are conducted on the above third party services, reports and records at regular intervals.

6.2.3 / 10.2.3  Managing changes to third party services
    Whether changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, are managed.
    Does this take into account the criticality of business systems, the processes involved and re-assessment of risks?

6.3 / 10.3  System planning and acceptance

6.3.1 / 10.3.1  Capacity Management
    Whether the capacity demands are monitored and projections of future capacity requirements are made, to ensure that adequate processing power and storage are available.
    Example: Monitoring hard disk space, RAM and CPU on critical servers.

6.3.2 / 10.3.2  System acceptance
    Whether system acceptance criteria are established for new information systems, upgrades and new versions.
    Whether suitable tests were carried out prior to acceptance.

6.4 / 10.4  Protection against malicious and mobile code
6.4.1 / 10.4.1  Controls against malicious code
    Whether detection, prevention and recovery controls to protect against malicious code, and appropriate user awareness procedures, were developed and implemented.

6.4.2 / 10.4.2  Controls against mobile code
    Whether only authorized mobile code is used.
    Whether the configuration ensures that authorized mobile code operates according to security policy.
    Whether execution of unauthorized mobile code is prevented.
    (Mobile code is software code that transfers from one computer to another computer and then executes automatically. It performs a specific function with little or no user intervention. Mobile code is associated with a number of middleware services.)

6.5 / 10.5  Backup

6.5.1 / 10.5.1  Information backup
    Whether backups of information and software are taken and tested regularly in accordance with the agreed backup policy.
    Whether all essential information and software can be recovered following a disaster or media failure.

6.6 / 10.6  Network Security Management
6.6.1 / 10.6.1  Network Controls
    Whether the network is adequately managed and controlled, to protect it from threats, and to maintain security for the systems and applications using the network, including the information in transit.
    Whether controls were implemented to ensure the security of the information in networks, and the protection of the connected services from threats such as unauthorized access.

6.6.2 / 10.6.2  Security of network services
    Whether security features, service levels and management requirements of all network services are identified and included in any network services agreement.
    Whether the ability of the network service provider to manage agreed services in a secure way is determined and regularly monitored, and the right to audit is agreed upon.

6.7 / 10.7  Media handling

6.7.1 / 10.7.1  Management of removable media
    Whether procedures exist for management of removable media, such as tapes, disks, cassettes, memory cards, and reports.
    Whether all procedures and authorization levels are clearly defined and documented.
6.7.2 / 10.7.2  Disposal of Media
    Whether the media that are no longer required are disposed of securely and safely, as per formal procedures.

6.7.3 / 10.7.3  Information handling procedures
    Whether a procedure exists for handling information storage.
    Does this procedure address issues such as protection of information from unauthorized disclosure or misuse?

6.7.4 / 10.7.4  Security of system documentation
    Whether the system documentation is protected against unauthorized access.

6.8 / 10.8  Exchange of Information

6.8.1 / 10.8.1  Information exchange policies and procedures
    Whether there is a formal exchange policy, procedure and control in place to ensure the protection of information.
    Do the procedure and control cover the use of electronic communication facilities for information exchange?

6.8.2 / 10.8.2  Exchange agreements
    Whether agreements are established concerning the exchange of information and software between the organization and external parties.
    Whether the security content of the agreement reflects the sensitivity of the business information involved.

6.8.3 / 10.8.3  Physical Media in transit
    Whether media containing information are protected against unauthorized access, misuse or corruption during transportation beyond the organization's physical boundary.

6.8.4 / 10.8.4  Electronic Messaging
    Whether the information involved in electronic messaging is well protected.
    (Electronic messaging includes but is not restricted to Email, Electronic Data Interchange and Instant Messaging.)

6.8.5 / 10.8.5  Business information systems
    Whether policies and procedures are developed and enforced to protect information associated with the interconnection of business information systems.
6.9 / 10.9  Electronic Commerce Services

6.9.1 / 10.9.1  Electronic Commerce
    Whether the information involved in electronic commerce passing over the public network is protected from fraudulent activity, contract dispute, and any unauthorized access or modification.
    Whether security controls such as the application of cryptographic controls are taken into consideration.
    Whether electronic commerce arrangements between trading partners include a documented agreement which commits both parties to the agreed terms of trading, including details of security issues.

6.9.2 / 10.9.2  On-Line Transactions
    Whether information involved in online transactions is protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.

6.9.3 / 10.9.3  Publicly available information
    Whether the integrity of the publicly available information is protected against any unauthorized modification.
6.10 / 10.10  Monitoring

6.10.1 / 10.10.1  Audit logging
Whether audit logs recording user activities, exceptions and information security events are produced and kept for an agreed period to assist in future investigations and access control monitoring.
Whether appropriate privacy protection measures are considered in audit log maintenance.

6.10.2 / 10.10.2  Monitoring system use
Whether procedures are developed and enforced for monitoring the use of information processing facilities.
Whether the results of the monitoring activity are reviewed regularly.
Whether the level of monitoring required for each information processing facility is determined by a risk assessment.

6.10.3 / 10.10.3  Protection of log information
Whether the logging facility and log information are well protected against tampering and unauthorized access.
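Added example, not part of the checklist: one way to meet 10.10.1 and 10.10.3 in code. Each audit record carries a keyed SHA-256 over the previous record's hash and its own content, so altering or deleting an entry breaks the chain from that point on and the verifier reports the first bad record. The record layout, the chain key and the sample events are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed: a key held only by the log collector, so an attacker who can write
# to the log file cannot recompute the chain after altering an entry.
CHAIN_KEY = b"example-collector-key-not-for-production"
GENESIS = "0" * 64


def _digest(prev_hash, record):
    """Keyed SHA-256 over the previous hash and the canonical JSON of the record."""
    payload = prev_hash.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(CHAIN_KEY, payload, hashlib.sha256).hexdigest()


def append_event(log, user, action, outcome, ts=None):
    """Append one audit record to the in-memory chain and return it.
    Timestamps are UTC so that records from different hosts can be ordered
    once their clocks are synchronised (10.10.6)."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {
        "seq": len(log) + 1,
        "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "action": action,
        "outcome": outcome,
        "prev": prev,
    }
    record["hash"] = _digest(prev, record)
    log.append(record)
    return record


def verify_chain(log):
    """Return (True, -1) if every record links to its predecessor and carries
    the expected digest, otherwise (False, index_of_first_bad_record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev") != prev or rec.get("seq") != i + 1:
            return False, i
        if not hmac.compare_digest(_digest(prev, body), rec.get("hash", "")):
            return False, i
        prev = rec["hash"]
    return True, -1


def demo():
    """Constructed sample activity (not real log data) plus two tampering cases."""
    log = []
    append_event(log, "alice", "login", "success")
    append_event(log, "alice", "read:payroll.xlsx", "success")
    append_event(log, "bob", "sudo", "denied")
    assert verify_chain(log) == (True, -1)
    # Case 1: an administrator rewrites a denied outcome as a success.
    tampered = json.loads(json.dumps(log))
    tampered[2]["outcome"] = "success"
    # Case 2: a record is deleted from the middle of the file.
    truncated = log[:1] + log[2:]
    return verify_chain(tampered), verify_chain(truncated)


if __name__ == "__main__":
    print(demo())  # ((False, 2), (False, 1))
```

The chain detects tampering; it does not prevent it. In practice the chain key lives on the collector rather than on the host that produces the events, and records are shipped off-host promptly, so an attacker with root on the source cannot both alter an entry and re-chain everything after it. Writing timestamps in UTC is where 10.10.6 earns its keep: unsynchronised clocks make cross-host correlation unreliable even when every chain verifies.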
6.10.4 / 10.10.4  Administrator and operator logs
Whether system administrator and system operator activities are logged.
Whether the logged activities are reviewed on a regular basis.

6.10.5 / 10.10.5  Fault logging
Whether faults are logged, analysed and appropriate action taken.
Whether the level of logging required for each system is determined by a risk assessment, taking performance degradation into account.

6.10.6 / 10.10.6  Clock synchronisation
Whether the system clocks of all information processing systems within the organization or security domain are synchronised with an agreed accurate time source.
(The correct setting of computer clocks is important to ensure the accuracy of audit logs.)

Access Control

7.1 / 11.1  Business requirement for access control

7.1.1 / 11.1.1  Access control policy
Whether an access control policy is developed and reviewed based on the business and security requirements.
Whether both logical and physical access control are taken into consideration in the policy.
Whether the users and service providers were given a clear statement of the business requirements to be met by access controls.

7.2 / 11.2  User access management

7.2.1 / 11.2.1  User registration
Whether there is a formal user registration and de-registration procedure for granting access to all information systems and services.

7.2.2 / 11.2.2  Privilege management
Whether the allocation and use of any privileges in the information system environment is restricted and controlled, i.e. privileges are allocated on a need-to-use basis and only after a formal authorization process.

7.2.3 / 11.2.3  User password management
The allocation and reallocation of passwords should be controlled through a formal management process.
Whether the users are asked to sign a statement to keep the password confidential.

7.2.4 / 11.2.4  Review of user access rights
Whether there exists a process to review user access rights at regular intervals. Example: special privileges reviewed at a shorter interval, normal privileges every 6 months.
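Added example, not from the checklist: an access review script of the kind an auditor would run to test 11.2.1, 11.2.2 and 11.2.4 together. It reconciles an account export against the HR roster and flags leavers still enabled, accounts with no HR record, privileged accounts with no authorization reference, and accounts whose last review is older than the policy interval. The 90-day privileged interval, the `svc-` prefix convention for non-human accounts, and the sample rows are assumptions.

```python
from datetime import date, timedelta

# Assumed review policy. The checklist gives 6 months for normal privileges;
# the shorter privileged interval is an assumption.
NORMAL_REVIEW = timedelta(days=180)
PRIVILEGED_REVIEW = timedelta(days=90)
SERVICE_PREFIX = "svc-"   # assumed naming convention for non-human accounts

# Constructed sample data, not a real roster or account export.
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "left"}
ACCOUNTS = [
    {"id": "alice", "privileged": False, "last_review": "2024-11-01", "approval": "CHG-1"},
    {"id": "bob", "privileged": True, "last_review": "2024-06-01", "approval": None},
    {"id": "carol", "privileged": False, "last_review": "2024-12-01", "approval": "CHG-2"},
    {"id": "svc-backup", "privileged": True, "last_review": "2025-01-10", "approval": "CHG-3"},
    {"id": "dave", "privileged": False, "last_review": "2024-12-15", "approval": "CHG-4"},
]


def review_accounts(accounts, roster, today_iso):
    """Return sorted (account_id, finding) pairs for the auditor's working papers."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        aid = acct["id"]
        status = roster.get(aid)
        # 11.2.1: every human account should map to a current HR record.
        if status is None and not aid.startswith(SERVICE_PREFIX):
            findings.append((aid, "orphan: no HR record (11.2.1)"))
        elif status == "left":
            findings.append((aid, "leaver still enabled (11.2.1)"))
        # 11.2.2: privileges only after a formal authorization process.
        if acct["privileged"] and not acct["approval"]:
            findings.append((aid, "privilege without formal authorization (11.2.2)"))
        # 11.2.4: review interval depends on whether the account is privileged.
        interval = PRIVILEGED_REVIEW if acct["privileged"] else NORMAL_REVIEW
        overdue = today - date.fromisoformat(acct["last_review"]) - interval
        if overdue.days > 0:
            findings.append((aid, f"review overdue by {overdue.days} days (11.2.4)"))
    return sorted(findings)


if __name__ == "__main__":
    for aid, why in review_accounts(ACCOUNTS, HR_ROSTER, "2025-01-15"):
        print(f"{aid:12} {why}")
```

Service accounts are exempted from the orphan check only because they have no HR owner; in a real review they need an owner field of their own, otherwise the exemption becomes the place where forgotten accounts hide.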
7.3 / 11.3  User responsibilities

7.3.1 / 11.3.1  Password use
Whether there are security practices in place to guide users in selecting and maintaining secure passwords.

7.3.2 / 11.3.2  Unattended user equipment
Whether users and contractors are made aware of the security requirements and procedures for protecting unattended equipment.
Example: log off when the session is finished or set up automatic log-off, terminate sessions when finished, etc.

7.3.3 / 11.3.3  Clear desk and clear screen policy
Whether the organisation has adopted a clear desk policy with regard to papers and removable storage media.
Whether the organisation has adopted a clear screen policy with regard to information processing facilities.

7.4 / 11.4  Network access control

7.4.1 / 11.4.1  Policy on use of network services
Whether users are provided with access only to the services that they have been specifically authorized to use.
Whether there exists a policy that addresses concerns relating to networks and network services.

7.4.2 / 11.4.2  User authentication for external connections
Whether an appropriate authentication mechanism is used to control access by remote users.

7.4.3 / 11.4.3  Equipment identification in networks
Whether automatic equipment identification is considered as a means to authenticate connections from specific locations and equipment.

7.4.4 / 11.4.4  Remote diagnostic and configuration port protection
Whether physical and logical access to diagnostic and configuration ports is securely controlled, i.e. protected by a security mechanism.

7.4.5 / 11.4.5  Segregation in networks
Whether groups of information services, users and information systems are segregated on networks.
Whether the network (where business partners and/or third parties need access to information systems) is segregated using perimeter security mechanisms such as firewalls.
Whether consideration is given to segregation of wireless networks from internal and private networks.

7.4.6 / 11.4.6  Network connection control
Whether there exists an access control policy which states network connection controls for shared networks, especially for those that extend across the organization's boundaries.

7.4.7 / 11.4.7  Network routing control
Whether the access control policy states that routing controls are to be implemented for networks.
Whether the routing controls are based on positive source and destination identification mechanisms.
7.5 / 11.5  Operating system access control

7.5.1 / 11.5.1  Secure log-on procedures
Whether access to operating systems is controlled by a secure log-on procedure.

7.5.2 / 11.5.2  User identification and authentication
Whether a unique identifier (user ID) is provided to every user, such as operators, system administrators and all other staff including technical staff.
Whether a suitable authentication technique is chosen to substantiate the claimed identity of the user.
Whether generic user accounts are supplied only under exceptional circumstances where there is a clear business benefit. Additional controls may be necessary to maintain accountability.

7.5.3 / 11.5.3  Password management system
Whether there exists a password management system that enforces various password controls such as: individual passwords for accountability, enforced password changes, passwords stored in protected (e.g. hashed or encrypted) form, passwords not displayed on screen, etc.
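Added example, not from the checklist. 11.5.3 asks whether passwords are stored in protected form; the practitioner's reading of that is a per-user salted, deliberately slow one-way hash rather than reversible encryption, so that a copy of the password database cannot be turned back into passwords. The block shows that storage, constant-time verification, a minimum-length rule and a reuse check, using only the Python standard library. The iteration count, length rule and history depth are assumed local policy values, not figures from the checklist.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; tune so one hash costs ~100 ms on the target
MIN_LENGTH = 12        # assumed local policy
HISTORY_DEPTH = 5      # assumed: the last five passwords cannot be reused


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'. A fresh 16-byte salt
    per record means two users with the same password get different hashes."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so timing does not reveal how much of the hash matched."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


class PasswordStore:
    """One current hash per user plus a bounded history of earlier hashes."""

    def __init__(self):
        self._current = {}
        self._history = {}

    def set_password(self, user, new_password):
        """Return 'ok', or the reason the change was refused."""
        if len(new_password) < MIN_LENGTH:
            return "too short"
        previous = self._history.get(user, [])
        if any(verify_password(new_password, h) for h in previous):
            return "reuse of a recent password"
        record = hash_password(new_password)
        self._current[user] = record
        self._history[user] = (previous + [record])[-HISTORY_DEPTH:]
        return "ok"

    def authenticate(self, user, password):
        stored = self._current.get(user)
        if stored is None:
            # Burn the same work for unknown users so response time does not
            # reveal which account names exist.
            verify_password(password, hash_password("dummy-for-timing"))
            return False
        return verify_password(password, stored)


def demo():
    """Constructed walk-through; returns the outcome of each step in order."""
    store = PasswordStore()
    return [
        store.set_password("alice", "short"),                    # too short
        store.set_password("alice", "correct-horse-battery"),    # ok
        store.set_password("alice", "correct-horse-battery"),    # reuse of a recent password
        store.authenticate("alice", "correct-horse-battery"),    # True
        store.authenticate("alice", "wrong-password-here"),      # False
        store.authenticate("nobody", "anything-at-all"),         # False
    ]


if __name__ == "__main__":
    print(demo())
```

The reuse check has to re-hash the candidate against every history entry because each entry has its own salt; that cost is deliberate. Memory-hard functions such as argon2id (third-party package) or hashlib.scrypt where the OpenSSL build provides it resist GPU cracking better than PBKDF2; PBKDF2 is used here only because it is always available.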
7.5.4 / 11.5.4  Use of system utilities
Whether the utility programs that might be capable of overriding system and application controls are restricted and tightly controlled.

7.5.5 / 11.5.5  Session time-out
Whether inactive sessions are shut down after a defined period of inactivity.
(A limited form of time-out can be provided for some systems, which clears the screen and prevents unauthorized access but does not close down the application or network sessions.)

7.5.6 / 11.5.6  Limitation of connection time
Whether there exist restrictions on connection time for high-risk applications. This type of set-up should be considered for sensitive applications for which the terminals are installed in high-risk locations.

7.6 / 11.6  Application and information access control

7.6.1 / 11.6.1  Information access restriction
Whether access to information and application system functions by users and support personnel is restricted in accordance with the defined access control policy.

7.6.2 / 11.6.2  Sensitive system isolation
Whether sensitive systems are provided with a dedicated (isolated) computing environment, such as running on a dedicated computer, sharing resources only with trusted application systems, etc.

7.7 / 11.7  Mobile computing and teleworking

7.7.1 / 11.7.1  Mobile computing and communications
Whether a formal policy is in place, and appropriate security measures are adopted, to protect against the risks of using mobile computing and communication facilities.
Some examples of mobile computing and communications facilities include: notebooks, palmtops, laptops, smart cards and mobile phones.
Whether risks such as working in an unprotected environment are taken into account by the mobile computing policy.

7.7.2 / 11.7.2  Teleworking
Whether policy, operational plans and procedures are developed and implemented for teleworking activities.
Whether teleworking activity is authorized and controlled by management, and whether it is ensured that suitable arrangements are in place for this way of working.
Information systems acquisition, development and maintenance

8.1 / 12.1  Security requirements of information systems

8.1.1 / 12.1.1  Security requirements analysis and specification
Whether security requirements for new information systems and enhancements to existing information systems specify the requirements for security controls.
Whether the security requirements and controls identified reflect the business value of the information assets involved and the consequences of a failure of security.
Whether system requirements for information security and processes for implementing security are integrated in the early stages of information system projects.

8.2 / 12.2  Correct processing in applications

8.2.1 / 12.2.1  Input data validation
Whether data input to application systems is validated to ensure that it is correct and appropriate.
Whether controls such as: checking different types of input for error messages, procedures for responding to validation errors, defining the responsibilities of all personnel involved in the data input process, etc., are considered.

8.2.2 / 12.2.2  Control of internal processing
Whether validation checks are incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
Whether the design and implementation of applications ensure that the risks of processing failures leading to a loss of integrity are minimised.

8.2.3 / 12.2.3  Message integrity
Whether requirements for ensuring and protecting message integrity in applications are identified, and appropriate controls identified and implemented.
Whether a security risk assessment was carried out to determine if message integrity is required, and to identify the most appropriate method of implementation.
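Added example, not from the checklist: a message authentication layer of the kind 12.2.3 asks for, addressing the threats 10.9.2 lists (alteration, duplication or replay, mis-routing). Sender and receiver share a key; every message carries the recipient, a per-sender sequence number and an HMAC-SHA256 tag over all fields, and the receiver checks the tag before acting on anything else. The key, the field names and the sample orders are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Assumed: a shared secret provisioned out of band between the two parties
# (key handling is the subject of 12.3.2, not of this block).
SHARED_KEY = b"example-shared-key-replace-in-production"


def _canonical(msg):
    """Bytes that get authenticated: every field except the tag, with keys sorted
    so the result does not depend on the order fields were added."""
    return json.dumps({k: msg[k] for k in msg if k != "tag"}, sort_keys=True).encode()


def _tag(key, msg):
    return hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()


class Sender:
    def __init__(self, key, me):
        self.key, self.me, self.seq = key, me, 0

    def send(self, to, body):
        """Build a message with a per-sender sequence number and an HMAC tag."""
        self.seq += 1
        msg = {"from": self.me, "to": to, "seq": self.seq, "body": body}
        msg["tag"] = _tag(self.key, msg)
        return msg


class Receiver:
    def __init__(self, key, me):
        self.key, self.me = key, me
        self.last_seq = {}   # highest sequence number accepted from each sender

    def accept(self, msg):
        """Return 'ok' or the reason for rejection. The tag is checked first so
        that no attacker-controlled field influences state before it is
        authenticated; only then are routing and replay examined."""
        if not hmac.compare_digest(_tag(self.key, msg), msg.get("tag", "")):
            return "rejected: integrity check failed"
        if msg["to"] != self.me:
            return "rejected: mis-routed (addressed to %s)" % msg["to"]
        if msg["seq"] <= self.last_seq.get(msg["from"], 0):
            return "rejected: replay or duplicate (seq %d)" % msg["seq"]
        self.last_seq[msg["from"]] = msg["seq"]
        return "ok"


def demo():
    """Constructed exchange between two trading partners, not captured traffic."""
    alice, bob = Sender(SHARED_KEY, "alice"), Receiver(SHARED_KEY, "bob")
    m1 = alice.send("bob", {"order": 1001, "amount": "250.00"})
    m2 = alice.send("bob", {"order": 1002, "amount": "75.00"})
    altered = dict(m2, body={"order": 1002, "amount": "7500.00"})   # changed in transit
    misrouted = alice.send("carol", {"order": 1003, "amount": "10.00"})
    return [
        bob.accept(m1),         # ok
        bob.accept(altered),    # tag no longer matches the body
        bob.accept(m2),         # ok: genuine, next in sequence
        bob.accept(m1),         # replay of an already accepted message
        bob.accept(misrouted),  # authentic, but addressed to someone else
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Strictly increasing sequence numbers reject out-of-order delivery as well as replay; where reordering is legitimate, a sliding window of seen sequence numbers per sender replaces the single counter. Confidentiality is out of scope here: the HMAC proves origin and integrity but the body stays readable, so the "unauthorized disclosure" item in 10.9.2 still needs transport encryption or an authenticated-encryption mode.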
8.2.4 / 12.2.4  Output data validation
Whether the data output of application systems is validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

8.3 / 12.3  Cryptographic controls

8.3.1 / 12.3.1  Policy on use of cryptographic controls
Whether the organization has a policy on the use of cryptographic controls for the protection of information.
Whether the policy is successfully implemented.
Whether the cryptographic policy considers the management approach towards the use of cryptographic controls, risk assessment results to identify the required level of protection, key management methods, and the various standards for effective implementation.

8.3.2 / 12.3.2  Key management
Whether key management is in place to support the organization's use of cryptographic techniques.
Whether cryptographic keys are protected against modification, loss and destruction.
Whether secret keys and private keys are protected against unauthorized disclosure.
Whether equipment used to generate and store keys is physically protected.
Whether the key management system is based on an agreed set of standards, procedures and secure methods.
8.4 / 12.4  Security of system files

8.4.1 / 12.4.1  Control of operational software
Whether there are procedures in place to control the installation of software on operational systems. (This is to minimise the risk of corruption of operational systems.)

8.4.2 / 12.4.2  Protection of system test data
Whether system test data is protected and controlled.
Whether the use of personal information or any other sensitive information from operational databases for testing is avoided.

8.4.3 / 12.4.3  Access control to program source code
Whether strict controls are in place to restrict access to program source libraries. (This is to avoid the potential for unauthorized or unintentional changes.)

8.5 / 12.5  Security in development and support processes

8.5.1 / 12.5.1  Change control procedures
Whether there is a strict control procedure in place over the implementation of changes to information systems. (This is to minimise the corruption of information systems.)
Whether this procedure addresses the need for risk assessment and analysis of the impacts of changes.

8.5.2 / 12.5.2  Technical review of applications after operating system changes
Whether there is a process or procedure in place to review and test business-critical applications for adverse impact on organizational operations or security after changes to operating systems.
Periodically it is necessary to upgrade the operating system, i.e. to install service packs, patches, hot fixes, etc.

8.5.3 / 12.5.3  Restriction on changes to software packages
Whether modifications to software packages are discouraged and/or limited to necessary changes.
Whether all changes are strictly controlled.
8.5.4 / 12.5.4  Information leakage
Whether controls are in place to prevent information leakage.
Whether controls such as: scanning of outbound media, regular monitoring of personnel and system activities where permitted under local legislation, and monitoring of resource usage are considered.

8.5.5 / 12.5.5  Outsourced software development
Whether outsourced software development is supervised and monitored by the organization.
Whether points such as: licensing arrangements, escrow arrangements, contractual requirements for quality assurance, testing before installation to detect Trojan code, etc., are considered.

8.6 / 12.6  Technical vulnerability management

8.6.1 / 12.6.1  Control of technical vulnerabilities
Whether timely information about technical vulnerabilities of the information systems in use is obtained.
Whether the organization's exposure to such vulnerabilities is evaluated and appropriate measures are taken to mitigate the associated risk.

Information security incident management

9.1 / 13.1  Reporting information security events and weaknesses

9.1.1 / 13.1.1  Reporting information security events
Whether information security events are reported through appropriate management channels as quickly as possible.
Whether a formal information security event reporting procedure, together with an incident response and escalation procedure, is developed and implemented.

9.1.2 / 13.1.2  Reporting security weaknesses
Whether there exists a procedure that ensures all employees using information systems and services are required to note and report any observed or suspected security weakness in the systems or services.
9.2 / 13.2  Management of information security incidents and improvements

9.2.1 / 13.2.1  Responsibilities and procedures
Whether management responsibilities and procedures were established to ensure a quick, effective and orderly response to information security incidents.
Whether monitoring of systems, alerts and vulnerabilities is used to detect information security incidents.
Whether the objectives of information security incident management are agreed with management.

9.2.2 / 13.2.2  Learning from information security incidents
Whether there is a mechanism in place to identify and quantify the type, volume and costs of information security incidents.
Whether the information gained from the evaluation of past information security incidents is used to identify recurring or high-impact incidents.

9.2.3 / 13.2.3  Collection of evidence
Whether, where follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence relating to the incident is collected, retained and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).
Whether internal procedures are developed and followed when collecting and presenting evidence for the purpose of disciplinary action within the organization.
Business Continuity Management

10.1 / 14.1  Information security aspects of business continuity management

10.1.1 / 14.1.1  Including information security in the business continuity management process
Whether there is a managed process in place that addresses the information security requirements for developing and maintaining business continuity throughout the organization.
Whether this process understands the risks the organization is facing, identifies business-critical assets, identifies incident impacts, considers the implementation of additional preventative controls, and documents the business continuity plans addressing the security requirements.

10.1.2 / 14.1.2  Business continuity and risk assessment
Whether events that can cause interruptions to business processes are identified, along with the probability and impact of such interruptions and their consequences for information security.

10.1.3 / 14.1.3  Developing and implementing continuity plans including information security
Whether plans were developed to maintain and restore business operations and ensure availability of information at the required level and in the required time frame following an interruption or failure of business processes.
Whether the plan considers identification and agreement of responsibilities, identification of acceptable loss, implementation of recovery and restoration procedures, documentation of procedures, and regular testing.

10.1.4 / 14.1.4  Business continuity planning framework
Whether there is a single framework of business continuity plans.
Whether this framework is maintained to ensure that all plans are consistent and identify priorities for testing and maintenance.
Whether the business continuity plans address the identified information security requirements.

10.1.5 / 14.1.5  Testing, maintaining and re-assessing business continuity plans
Whether business continuity plans are tested regularly to ensure that they are up to date and effective.
Whether business continuity plan tests ensure that all members of the recovery team and other relevant staff are aware of the plans and their responsibility for business continuity and information security, and know their role when the plan is invoked.
Compliance

11.1 / 15.1  Compliance with legal requirements

11.1.1 / 15.1.1  Identification of applicable legislation
Whether all relevant statutory, regulatory and contractual requirements, and the organization's approach to meeting them, were explicitly defined and documented for each information system and for the organization.
Whether the specific controls and individual responsibilities to meet these requirements were defined and documented.

11.1.2 / 15.1.2  Intellectual property rights (IPR)
Whether there are procedures to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights, and on the use of proprietary software products.
Whether the procedures are well implemented.
Whether controls such as: publishing an intellectual property rights compliance policy, procedures for acquiring software, policy awareness, maintaining proof of ownership, and complying with software terms and conditions are considered.

11.1.3 / 15.1.3  Protection of organizational records
Whether important records of the organization are protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements.
Whether consideration is given to the possibility of deterioration of the media used for storage of records.
Whether data storage systems were chosen so that required data can be retrieved in an acceptable time frame and format, depending on the requirements to be fulfilled.

11.1.4 / 15.1.4  Data protection and privacy of personal information
Whether data protection and privacy are ensured as per relevant legislation and regulations and, if applicable, as per contractual clauses.

11.1.5 / 15.1.5  Prevention of misuse of information processing facilities
Whether use of information processing facilities for any non-business or unauthorized purpose, without management approval, is treated as improper use of the facility.
Whether a log-on warning message is presented on the computer screen prior to log-on, and whether the user has to acknowledge the warning and react appropriately to the message on the screen to continue with the log-on process.
Whether legal advice is taken before implementing any monitoring procedures.

11.1.6 / 15.1.6  Regulation of cryptographic controls
Whether the cryptographic controls are used in compliance with all relevant agreements, laws and regulations.
11.2 / 15.2  Compliance with security policies and standards, and technical compliance

11.2.1 / 15.2.1  Compliance with security policies and standards
Whether managers ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards.
Whether managers regularly review the compliance of the information processing facilities within their area of responsibility with the appropriate security policies and procedures.

11.2.2 / 15.2.2  Technical compliance checking
Whether information systems are regularly checked for compliance with security implementation standards.
Whether the technical compliance check is carried out by, or under the supervision of, competent, authorized personnel.

11.3 / 15.3  Information systems audit considerations

11.3.1 / 15.3.1  Information systems audit controls
Whether audit requirements and activities involving checks on operational systems are carefully planned and agreed to minimise the risk of disruption to business processes.
Whether the audit requirements and scope are agreed with appropriate management.

11.3.2 / 15.3.2  Protection of information system audit tools
Whether access to information system audit tools, such as software or data files, is protected to prevent any possible misuse or compromise.
Whether information system audit tools are separated from development and operational systems, unless given an appropriate level of additional protection.