
IT Audit Checklist

7/23/2019 IT Audit Checklist
http://slidepdf.com/reader/full/it-audit-checklist 1/40

Information Security Management
Table of Contents

Security Policy .......... 4
  Information security policy .......... 4
Organization of information security .......... 5
  Internal Organization .......... 5
  External Parties .......... 5
Asset Management .......... 5
  Responsibility for assets .......... 5
  Information classification .......... 5
Human resources security .......... 5
  Prior to employment .......... 5
  During employment .......... 5
  Termination or change of employment .......... 5
Physical and Environmental Security .......... 5
  Secure Areas .......... 5
  Equipment Security .......... 5
Communications and Operations Management .......... 5
  Operational Procedures and responsibilities .......... 5
  Third party service delivery management .......... 5
  System planning and acceptance .......... 5
  Protection against malicious and mobile code .......... 5
  Backup .......... 5
  Network Security Management .......... 5
  Media handling .......... 5
  Exchange of Information .......... 5


Audit Checklist #$%&'%'$&5

  Electronic Commerce Services .......... 5
  Monitoring .......... 5
Access Control .......... 5
  Business Requirement for Access Control .......... 5
  User Access Management .......... 5
  User Responsibilities .......... 5
  Network Access Control .......... 5
  Operating system access control .......... 5
  Application and Information Access Control .......... 5
  Mobile Computing and teleworking .......... 5
Information systems acquisition, development and maintenance .......... 5
  Security requirements of information systems .......... 5
  Correct processing in applications .......... 5
  Cryptographic controls .......... 5
  Security of system files .......... 5
  Security in development and support processes .......... 5
  Technical Vulnerability Management .......... 5
Information security incident management .......... 5
  Reporting information security events and weaknesses .......... 5
  Management of information security incidents and improvements .......... 5
Business Continuity Management .......... 5
  Information security aspects of business continuity management .......... 5
Compliance .......... 5
  Compliance with legal requirements .......... 5
  Compliance with security policies and standards, and technical compliance .......... 5
  Information Systems audit considerations .......... 5
References .......... 5


Information Security Management Audit Check List

Auditor Name: ______________________   Audit Date: ______________________

Columns: Reference (Checklist, Standard); Audit area, objective and question (Section, Audit Question); Results (Findings, Compliance)

Security Policy
1.1 (Standard 5.1) Information security policy

1.1.1 (Standard 5.1.1) Information security policy document
  Whether there exists an Information security policy, which is approved by the management, published and communicated as appropriate to all employees.
  Whether the policy states management commitment and sets out the organizational approach to managing information security.

1.1.2 (Standard 5.1.2) Review of Information Security Policy
  Whether the Information Security Policy is reviewed at planned intervals, or if significant changes occur, to ensure its continuing suitability, adequacy and effectiveness.
  Whether the Information Security policy has an owner, who has approved management responsibility for development, review and evaluation of the security policy.
  Whether any defined Information Security Policy review procedures exist, and whether they include requirements for the management review.
  Whether the results of the management review are taken into account.
  Whether management approval is obtained for the revised policy.

Organization of information security
2.1 (Standard 6.1) Internal Organization

2.1.1 (Standard 6.1.1) Management commitment to information security
  Whether management demonstrates active support for security measures within the organization. This can be done via clear direction, demonstrated commitment, explicit assignment and acknowledgement of information security responsibilities.

2.1.2 (Standard 6.1.2) Information security coordination
  Whether information security activities are coordinated by representatives from diverse parts of the organization, with pertinent roles and responsibilities.

2.1.3 (Standard 6.1.3) Allocation of information security responsibilities
  Whether responsibilities for the protection of individual assets, and for carrying out specific security processes, were clearly identified and defined.

2.1.4 (Standard 6.1.4) Authorization process for information processing facilities
  Whether a management authorization process is defined and implemented for any new information processing facility within the organization.

2.1.5 (Standard 6.1.5) Confidentiality agreements
  Whether the organization's need for Confidentiality or Non-Disclosure Agreements (NDA) for protection of information is clearly defined and regularly reviewed.
  Does this address the requirement to protect the confidential information using legally enforceable terms?

2.1.6 (Standard 6.1.6) Contact with authorities
  Whether there exists a procedure that describes when, and by whom, relevant authorities such as law enforcement, fire department etc. should be contacted, and how the incident should be reported.

2.1.7 (Standard 6.1.7) Contact with special interest groups
  Whether appropriate contacts with special interest groups or other specialist security forums, and professional associations, are maintained.

2.1.8 (Standard 6.1.8) Independent review of information security
  Whether the organization's approach to managing information security, and its implementation, is reviewed independently at planned intervals, or when major changes to the security implementation occur.

2.2 (Standard 6.2) External Parties

2.2.1 (Standard 6.2.1) Identification of risks related to external parties
  Whether risks to the organization's information and information processing facility, from a process involving external party access, are identified and appropriate control measures implemented before granting access.

2.2.2 (Standard 6.2.2) Addressing security when dealing with customers
  Whether all identified security requirements are fulfilled before granting customer access to the organization's information or assets.

2.2.3 (Standard 6.2.3) Addressing Security in third party agreements
  Whether the agreement with third parties, involving accessing, processing, communicating or managing the organization's information or information processing facility, or introducing products or services to the information processing facility, complies with all appropriate security requirements.

Asset Management
3.1 (Standard 7.1) Responsibility for assets

3.1.1 (Standard 7.1.1) Inventory of assets
  Whether all assets are identified and an inventory or register is maintained with all the important assets.

3.1.2 (Standard 7.1.2) Ownership of assets
  Whether each asset identified has an owner, a defined and agreed-upon security classification, and access restrictions that are periodically reviewed.

3.1.3 (Standard 7.1.3) Acceptable use of assets
  Whether regulations for acceptable use of information and assets associated with an information processing facility were identified, documented and implemented.

3.2 (Standard 7.2) Information classification

3.2.1 (Standard 7.2.1) Classification guidelines
  Whether the information is classified in terms of its value, legal requirements, sensitivity and criticality to the organization.

3.2.2 (Standard 7.2.2) Information labelling and handling
  Whether an appropriate set of procedures is defined for information labelling and handling, in accordance with the classification scheme adopted by the organization.

Human resources security
4.1 (Standard 8.1) Prior to employment

4.1.1 (Standard 8.1.1) Roles and responsibilities
  Whether the security roles and responsibilities of employees, contractors and third party users were defined and documented in accordance with the organization's information security policy.
  Were the roles and responsibilities defined and clearly communicated to job candidates during the pre-employment process?

4.1.2 (Standard 8.1.2) Screening
  Whether background verification checks for all candidates for employment, contractors, and third party users were carried out in accordance with the relevant regulations.
  Does the check include character references, confirmation of claimed academic and professional qualifications, and independent identity checks?

4.1.3 (Standard 8.1.3) Terms and conditions of employment
  Whether employees, contractors and third party users are asked to sign a confidentiality or non-disclosure agreement as a part of their initial terms and conditions of the employment contract.
  Whether this agreement covers the information security responsibilities of the organization and of the employee, third party users and contractors.

4.2 (Standard 8.2) During employment

4.2.1 (Standard 8.2.1) Management responsibilities
  Whether the management requires employees, contractors and third party users to apply security in accordance with the established policies and procedures of the organization.

4.2.2 (Standard 8.2.2) Information security awareness, education and training
  Whether all employees in the organization, and where relevant, contractors and third party users, receive appropriate security awareness training and regular updates in organizational policies and procedures as they pertain to their job function.

4.2.3 (Standard 8.2.3) Disciplinary process
  Whether there is a formal disciplinary process for employees who have committed a security breach.

4.3 (Standard 8.3) Termination or change of employment

4.3.1 (Standard 8.3.1) Termination responsibilities
  Whether responsibilities for performing employment termination, or change of employment, are clearly defined and assigned.

4.3.2 (Standard 8.3.2) Return of assets
  Whether there is a process in place that ensures all employees, contractors and third party users surrender all of the organization's assets in their possession upon termination of their employment, contract or agreement.

4.3.3 (Standard 8.3.3) Removal of access rights
  Whether the access rights of all employees, contractors and third party users to information and information processing facilities will be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Physical and Environmental Security
5.1 (Standard 9.1) Secure Areas

5.1.1 (Standard 9.1.1) Physical Security Perimeter
  Whether a physical border security facility has been implemented to protect the information processing service.
  Some examples of such security facilities are card-controlled entry gates, walls, manned reception, etc.

5.1.2 (Standard 9.1.2) Physical entry controls
  Whether entry controls are in place to allow only authorized personnel into various areas within the organization.

5.1.3 (Standard 9.1.3) Securing offices, rooms and facilities
  Whether the rooms which house the information processing service are locked or have lockable cabinets or safes.

5.1.4 (Standard 9.1.4) Protecting against external and environmental threats
  Whether physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster is designed and applied.
  Whether there is any potential threat from neighbouring premises.

5.1.5 (Standard 9.1.5) Working in Secure Areas
  Whether physical protection and guidelines for working in secure areas are designed and implemented.

5.1.6 (Standard 9.1.6) Public access, delivery and loading areas
  Whether the delivery, loading, and other areas where unauthorized persons may enter the premises are controlled, and information processing facilities are isolated from them, to avoid unauthorized access.

5.2 (Standard 9.2) Equipment Security

5.2.1 (Standard 9.2.1) Equipment siting protection
  Whether the equipment is protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

5.2.2 (Standard 9.2.2) Supporting utilities
  Whether the equipment is protected from power failures and other disruptions caused by failures in supporting utilities.
  Whether permanence of power supplies, such as a multiple feed, an Uninterruptible Power Supply (UPS), a backup generator, etc., is being utilized.

5.2.3 (Standard 9.2.3) Cabling Security
  Whether the power and telecommunications cabling carrying data or supporting information services is protected from interception or damage.
  Whether there are any additional security controls in place for sensitive or critical information.

5.2.4 (Standard 9.2.4) Equipment Maintenance
  Whether the equipment is correctly maintained to ensure its continued availability and integrity.
  Whether the equipment is maintained as per the supplier's recommended service intervals and specifications.
  Whether the maintenance is carried out only by authorized personnel.
  Whether logs are maintained of all suspected or actual faults and all preventive and corrective measures.
  Whether appropriate controls are implemented while sending equipment off premises.
  Is the equipment covered by insurance, and are the insurance requirements satisfied?

5.2.5 (Standard 9.2.5) Securing of equipment off-premises
  Whether risks were assessed with regard to any equipment usage outside the organization's premises, and mitigation controls implemented.
  Whether the usage of an information processing facility outside the organization has been authorized by the management.

5.2.6 (Standard 9.2.6) Secure disposal or re-use of equipment
  Whether all equipment containing storage media is checked to ensure that any sensitive information or licensed software is physically destroyed, or securely overwritten, prior to disposal or reuse.

5.2.7 (Standard 9.2.7) Removal of property
  Whether any controls are in place so that equipment, information and software are not taken off-site without prior authorization.

Communications and Operations Management
6.1 (Standard 10.1) Operational Procedures and responsibilities

6.1.1 (Standard 10.1.1) Documented Operating procedures
  Whether the operating procedures are documented, maintained and available to all users who need them.
  Whether such procedures are treated as formal documents, and therefore any changes made need management authorization.

6.1.2 (Standard 10.1.2) Change management
  Whether all changes to information processing facilities and systems are controlled.

6.1.3 (Standard 10.1.3) Segregation of duties
  Whether duties and areas of responsibility are separated, in order to reduce opportunities for unauthorized modification or misuse of information or services.

6.1.4 (Standard 10.1.4) Separation of development, test and operational facilities
  Whether the development and testing facilities are isolated from operational facilities. For example, development and production software should be run on different computers. Where necessary, development and production networks should be kept separate from each other.

6.2 (Standard 10.2) Third party service delivery management

6.2.1 (Standard 10.2.1) Service delivery
  Whether measures are taken to ensure that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party.

6.2.2 (Standard 10.2.2) Monitoring and review of third party services
  Whether the services, reports and records provided by the third party are regularly monitored and reviewed.
  Whether audits are conducted on the above third party services, reports and records at regular intervals.

6.2.3 (Standard 10.2.3) Managing changes to third party services
  Whether changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, are managed.
  Does this take into account the criticality of business systems, the processes involved and re-assessment of risks?

6.3 (Standard 10.3) System planning and acceptance

6.3.1 (Standard 10.3.1) Capacity Management
  Whether the capacity demands are monitored and projections of future capacity requirements are made, to ensure that adequate processing power and storage are available.
  Example: Monitoring hard disk space, RAM and CPU on critical servers.

6.3.2 (Standard 10.3.2) System acceptance
  Whether system acceptance criteria are established for new information systems, upgrades and new versions.
  Whether suitable tests were carried out prior to acceptance.

6.4 (Standard 10.4) Protection against malicious and mobile code


6.4.1 | 10.4.1 | Controls against malicious code
Whether detection, prevention and recovery controls to protect against malicious code, and appropriate user awareness procedures, were developed and implemented.

6.4.2 | 10.4.2 | Controls against mobile code
Whether only authorized mobile code is used.
Whether the configuration ensures that authorized mobile code operates according to the security policy.
Whether execution of unauthorized mobile code is prevented.
(Mobile code is software code that transfers from one computer to another computer and then executes automatically. It performs a specific function with little or no user intervention. Mobile code is associated with a number of middleware services.)

6.5 | 10.5 | Backup

6.5.1 | 10.5.1 | Information backup
Whether backups of information and software are taken and tested regularly in accordance with the agreed backup policy.
Whether all essential information and software can be recovered following a disaster or media failure.

6.6 | 10.6 | Network Security Management


6.6.1 | 10.6.1 | Network Controls
Whether the network is adequately managed and controlled, to protect it from threats and to maintain security for the systems and applications using the network, including the information in transit.
Whether controls were implemented to ensure the security of the information in networks, and the protection of the connected services from threats such as unauthorized access.

6.6.2 | 10.6.2 | Security of network services
Whether the security features, service levels and management requirements of all network services are identified and included in any network services agreement.
Whether the ability of the network service provider to manage the agreed services in a secure way is determined and regularly monitored, and the right to audit is agreed upon.

6.7 | 10.7 | Media handling

6.7.1 | 10.7.1 | Management of removable media
Whether procedures exist for the management of removable media, such as tapes, disks, cassettes, memory cards and reports.
Whether all procedures and authorization levels are clearly defined and documented.


6.7.2 | 10.7.2 | Disposal of Media
Whether media that are no longer required are disposed of securely and safely, as per formal procedures.

6.7.3 | 10.7.3 | Information handling procedures
Whether a procedure exists for handling information storage.
Does this procedure address issues such as the protection of information from unauthorized disclosure or misuse?

6.7.4 | 10.7.4 | Security of system documentation
Whether the system documentation is protected against unauthorized access.

6.8 | 10.8 | Exchange of Information

6.8.1 | 10.8.1 | Information exchange policies and procedures
Whether there is a formal exchange policy, procedure and control in place to ensure the protection of information.
Do the procedure and control cover the use of electronic communication facilities for information exchange?

6.8.2 | 10.8.2 | Exchange agreements
Whether agreements are established concerning the exchange of information and software between the organization and external parties.
Whether the security content of the agreement reflects the sensitivity of the business information involved.

6.8.3 | 10.8.3 | Physical Media in transit
Whether media containing information are protected against unauthorized access, misuse or corruption during transportation beyond the organization's physical boundary.

6.8.4 | 10.8.4 | Electronic Messaging
Whether the information involved in electronic messaging is well protected.
(Electronic messaging includes, but is not restricted to, Email, Electronic Data Interchange and Instant Messaging.)

6.8.5 | 10.8.5 | Business information systems
Whether policies and procedures are developed and enforced to protect information associated with the interconnection of business information systems.

6.9 | 10.9 | Electronic Commerce Services

6.9.1 | 10.9.1 | Electronic Commerce
Whether the information involved in electronic commerce passing over public networks is protected from fraudulent activity, contract dispute, and any unauthorized access or modification.
Whether security controls, such as the application of cryptographic controls, are taken into consideration.
Whether electronic commerce arrangements between trading partners include a documented agreement which commits both parties to the agreed terms of trading, including details of security issues.

6.9.2 | 10.9.2 | On-Line Transactions
Whether information involved in online transactions is protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.

6.9.3 | 10.9.3 | Publicly available information
Whether the integrity of publicly available information is protected against any unauthorized modification.

6.10 | 10.10 | Monitoring

6.10.1 | 10.10.1 | Audit logging
Whether audit logs recording user activities, exceptions and information security events are produced and kept for an agreed period to assist in future investigations and access control monitoring.
Whether appropriate privacy protection measures are considered in audit log maintenance.

6.10.2 | 10.10.2 | Monitoring system use
Whether procedures are developed and enforced for monitoring the use of information processing facilities.
Whether the results of the monitoring activity are reviewed regularly.
Whether the level of monitoring required for an individual information processing facility is determined by a risk assessment.

6.10.3 | 10.10.3 | Protection of log information
Whether the logging facility and log information are well protected against tampering and unauthorized access.
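One way to make a log tamper-evident, as an added worked example that is not part of this checklist and not the code of any product: each entry carries an HMAC computed over its sequence number, the previous entry's tag and the record itself (a hash chain), so a verifier holding the key can locate the first edited, deleted, inserted or reordered entry. The key value and the three log records are constructed for the demo; the key-handling requirement in the comment is an assumption about deployment, not a statement from the checklist.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed demo key. The logging facility must keep the real key where the
# administrators and operators whose actions are logged cannot read it,
# otherwise they could recompute the tags after editing the log (assumption).
LOG_KEY = b"constructed-demo-key"
GENESIS_TAG = "0" * 64


def _entry_tag(key: bytes, seq: int, prev_tag: str, record: dict) -> str:
    """HMAC-SHA256 over sequence number, previous tag and the canonical record,
    so each tag depends on every entry written before it."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    payload = f"{seq}|{prev_tag}|{canonical}".encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log: List[dict], key: bytes, record: dict) -> dict:
    """Append a record with its sequence number and chained tag."""
    seq = len(log)
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    entry = {"seq": seq, "record": record, "tag": _entry_tag(key, seq, prev_tag, record)}
    log.append(entry)
    return entry


def verify_log(log: List[dict], key: bytes,
               expected_last_tag: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq). Edited, inserted, deleted or reordered
    entries break the chain at the first affected position. Truncation of the
    tail is only caught when the last tag was recorded out of band (for example
    forwarded to a separate log host) and is passed as expected_last_tag."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, i
        if not hmac.compare_digest(entry["tag"], _entry_tag(key, i, prev_tag, entry["record"])):
            return False, i
        prev_tag = entry["tag"]
    if expected_last_tag is not None and not hmac.compare_digest(prev_tag, expected_last_tag):
        return False, len(log)
    return True, None


def build_sample_log() -> List[dict]:
    """Constructed sample: three administrator actions as a log might record them."""
    log: List[dict] = []
    append_entry(log, LOG_KEY, {"ts": "2015-12-03T09:00:00Z", "user": "admin1", "action": "login"})
    append_entry(log, LOG_KEY, {"ts": "2015-12-03T09:05:12Z", "user": "admin1",
                                "action": "useradd", "target": "svc_backup"})
    append_entry(log, LOG_KEY, {"ts": "2015-12-03T09:07:40Z", "user": "admin1", "action": "logout"})
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_log(sample, LOG_KEY))
    sample[1]["record"]["target"] = "svc_other"   # an operator edits an entry
    print("after edit:", verify_log(sample, LOG_KEY))
```

Running the file shows an intact chain verifying and an edited entry failing at sequence 1. The chain by itself cannot reveal that the newest entries were deleted; recording the latest tag somewhere the operators cannot reach (a separate log host, a write-once store) and passing it as expected_last_tag closes that gap, which is the practical content of "protected against tampering" in 6.10.3.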

6.10.4 | 10.10.4 | Administrator and operator logs
Whether system administrator and system operator activities are logged.
Whether the logged activities are reviewed on a regular basis.

6.10.5 | 10.10.5 | Fault logging
Whether faults are logged, analysed and appropriate action taken.
Whether the level of logging required for individual systems is determined by a risk assessment, taking performance degradation into account.

6.10.6 | 10.10.6 | Clock synchronisation
Whether the system clocks of all information processing systems within the organization or security domain are synchronised with an agreed accurate time source.
(The correct setting of computer clocks is important to ensure the accuracy of audit logs.)

Access Control

7.1 | 11.1 | Business Requirement for Access Control


7.1.1 | 11.1.1 | Access Control Policy
Whether an access control policy is developed and reviewed based on the business and security requirements.
Whether both logical and physical access control are taken into consideration in the policy.
Whether the users and service providers were given a clear statement of the business requirements to be met by access controls.

7.2 | 11.2 | User Access Management

7.2.1 | 11.2.1 | User Registration
Whether there is a formal user registration and de-registration procedure for granting access to all information systems and services.

7.2.2 | 11.2.2 | Privilege Management
Whether the allocation and use of any privileges in the information system environment is restricted and controlled, i.e., privileges are allocated on a need-to-use basis, and privileges are allocated only after a formal authorization process.

7.2.3 | 11.2.3 | User Password Management
The allocation and reallocation of passwords should be controlled through a formal management process.
Whether the users are asked to sign a statement to keep the password confidential.


7.2.4 | 11.2.4 | Review of user access rights
Whether there exists a process to review user access rights at regular intervals. Example: special privilege review every 3 months, normal privileges every 6 months.

7.3 | 11.3 | User Responsibilities

7.3.1 | 11.3.1 | Password use
Whether there are any security practices in place to guide users in selecting and maintaining secure passwords.

7.3.2 | 11.3.2 | Unattended user equipment
Whether the users and contractors are made aware of the security requirements and procedures for protecting unattended equipment.
Example: Log off when the session is finished or set up auto log-off, terminate sessions when finished, etc.

7.3.3 | 11.3.3 | Clear desk and clear screen policy
Whether the organisation has adopted a clear desk policy with regard to papers and removable storage media.
Whether the organisation has adopted a clear screen policy with regard to information processing facilities.

7.4 | 11.4 | Network Access Control

7.4.1 | 11.4.1 | Policy on use of network services
Whether users are provided with access only to the services that they have been specifically authorized to use.
Whether there exists a policy that addresses concerns relating to networks and network services.

7.4.2 | 11.4.2 | User authentication for external connections
Whether an appropriate authentication mechanism is used to control access by remote users.

7.4.3 | 11.4.3 | Equipment identification in networks
Whether automatic equipment identification is considered as a means to authenticate connections from specific locations and equipment.

7.4.4 | 11.4.4 | Remote diagnostic and configuration port protection
Whether physical and logical access to diagnostic ports is securely controlled, i.e., protected by a security mechanism.

7.4.5 | 11.4.5 | Segregation in networks
Whether groups of information services, users and information systems are segregated on networks.
Whether the network (where business partners and/or third parties need access to the information system) is segregated using perimeter security mechanisms such as firewalls.
Whether consideration is given to the segregation of wireless networks from internal and private networks.

7.4.6 | 11.4.6 | Network connection control
Whether there exists an access control policy which states the network connection controls for shared networks, especially for those that extend across the organization's boundaries.

7.4.7 | 11.4.7 | Network routing control
Whether the access control policy states that routing controls are to be implemented for networks.
Whether the routing controls are based on positive source and destination identification mechanisms.

7.5 | 11.5 | Operating system access control

7.5.1 | 11.5.1 | Secure log-on procedures
Whether access to the operating system is controlled by a secure log-on procedure.

7.5.2 | 11.5.2 | User identification and authentication
Whether a unique identifier (user ID) is provided to every user, such as operators, system administrators and all other staff including technical staff.
Whether a suitable authentication technique is chosen to substantiate the claimed identity of the user.
Whether generic user accounts are supplied only under exceptional circumstances where there is a clear business benefit. Additional controls may be necessary to maintain accountability.

7.5.3 | 11.5.3 | Password management system
Whether there exists a password management system that enforces various password controls, such as: individual passwords for accountability, enforced password changes, passwords stored in encrypted form, passwords not displayed on screen, etc.
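As an added illustration of the controls listed in 7.5.3 (not from the checklist and not any vendor's code), the following Python sketch keeps one record per user ID, stores only a salted PBKDF2 hash rather than the password, rejects reuse of recent passwords, flags accounts whose password is older than the maximum age, and exposes a display view that contains no secret material. The iteration count, maximum age and history length are assumed policy values, and the timings in the reuse check are kept constant with hmac.compare_digest.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import Dict

# Assumed policy values (not taken from the checklist).
PBKDF2_ITERATIONS = 200_000           # raise on faster hardware
MAX_PASSWORD_AGE = timedelta(days=90)  # enforced password change interval
HISTORY_LENGTH = 5                     # recent passwords that may not be reused


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    """One record per user ID, so every action stays attributable to one person."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def set_password(self, user: str, password: str, now: datetime) -> None:
        rec = self._users.setdefault(user, {"history": []})
        # Enforced change must not be satisfied by cycling back to an old password.
        for old_salt, old_hash in rec["history"]:
            if hmac.compare_digest(_derive(password, old_salt), old_hash):
                raise ValueError("password reuse not permitted")
        salt = os.urandom(16)
        digest = _derive(password, salt)
        rec.update(salt=salt, hash=digest, changed=now)
        rec["history"] = (rec["history"] + [(salt, digest)])[-HISTORY_LENGTH:]

    def verify(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            _derive(password, b"\x00" * 16)  # same cost whether or not the user exists
            return False
        return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])

    def must_change(self, user: str, now: datetime) -> bool:
        """True once the password is older than the policy allows."""
        return now - self._users[user]["changed"] >= MAX_PASSWORD_AGE

    def display_record(self, user: str) -> Dict[str, str]:
        """What an administrator screen may show: no password, hash or salt."""
        rec = self._users[user]
        return {"user": user, "algorithm": "pbkdf2_hmac-sha256",
                "changed": rec["changed"].isoformat()}
```

The auditor's questions map directly onto the methods: set_password and must_change cover enforced changes, verify never compares plaintexts, and display_record is the only view a screen should render.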

7.5.4 | 11.5.4 | Use of system utilities
Whether the use of utility programs that might be capable of overriding system and application controls is restricted and tightly controlled.

7.5.5 | 11.5.5 | Session time-out
Whether inactive sessions are shut down after a defined period of inactivity.
(A limited form of time-out can be provided for some systems, which clears the screen and prevents unauthorized access but does not close down the application or network sessions.)

7.5.6 | 11.5.6 | Limitation of connection time
Whether there exist restrictions on connection time for high-risk applications. This type of set-up should be considered for sensitive applications for which the terminals are installed in high-risk locations.
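The two forms of time-out in 7.5.5 and the connection-time restriction in 7.5.6, as an added example that is not from the checklist: a session is locked (screen cleared, re-authentication required) after a short idle period, terminated after a longer one, and, when marked high-risk, terminated outright outside an allowed time window. The threshold values and the 07:00-19:00 window are assumptions for the demo, and timestamps are naive local times for simplicity.

```python
from datetime import datetime, time, timedelta

# Assumed policy values (not from the checklist): lock after 5 idle minutes,
# terminate after 15, and allow high-risk sessions only between 07:00 and 19:00.
LOCK_AFTER = timedelta(minutes=5)
IDLE_TIMEOUT = timedelta(minutes=15)
ALLOWED_WINDOW = (time(7, 0), time(19, 0))


class Session:
    """Minimal session record for the demo."""

    def __init__(self, user: str, started: datetime, high_risk: bool = False) -> None:
        self.user = user
        self.high_risk = high_risk
        self.last_activity = started
        self.screen_locked = False
        self.active = True


def in_connection_window(now: datetime) -> bool:
    start, end = ALLOWED_WINDOW
    return start <= now.time() < end


def evaluate(session: Session, now: datetime) -> str:
    """Decide what the system should do with the session at `now`:
    'active', 'locked' (screen cleared, re-authentication needed) or 'terminated'."""
    if not session.active:
        return "terminated"
    # Connection-time restriction (7.5.6): a high-risk session outside the
    # allowed window is closed outright, however recent its last activity.
    if session.high_risk and not in_connection_window(now):
        session.active = False
        return "terminated"
    idle = now - session.last_activity
    if idle >= IDLE_TIMEOUT:      # full time-out (7.5.5): session is shut down
        session.active = False
        return "terminated"
    if idle >= LOCK_AFTER:        # limited time-out: screen cleared, session kept
        session.screen_locked = True
        return "locked"
    return "active"


def record_activity(session: Session, now: datetime) -> bool:
    """Called on user input. Returns False when the input must be refused
    (session terminated, or locked and awaiting re-authentication)."""
    if evaluate(session, now) != "active":
        return False
    session.last_activity = now
    return True


def unlock(session: Session, now: datetime, reauthenticated: bool) -> bool:
    """Clear a screen lock only after a successful re-authentication."""
    if evaluate(session, now) == "terminated" or not reauthenticated:
        return False
    session.screen_locked = False
    session.last_activity = now
    return True
```

The distinction the checklist draws in 7.5.5 is visible in the return values: a locked session still exists and resumes after unlock, a terminated one does not accept any further input.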

7.6 | 11.6 | Application and Information Access Control

7.6.1 | 11.6.1 | Information access restriction
Whether access to information and application system functions by users and support personnel is restricted in accordance with the defined access control policy.

7.6.2 | 11.6.2 | Sensitive system isolation
Whether sensitive systems are provided with a dedicated (isolated) computing environment, such as running on a dedicated computer, sharing resources only with trusted application systems, etc.

7.7 | 11.7 | Mobile Computing and teleworking

7.7.1 | 11.7.1 | Mobile computing and communications
Whether a formal policy is in place, and appropriate security measures are adopted, to protect against the risks of using mobile computing and communication facilities.
Some examples of mobile computing and communications facilities include: notebooks, palmtops, laptops, smart cards, mobile phones.
Whether risks such as working in an unprotected environment are taken into account by the mobile computing policy.

7.7.2 | 11.7.2 | Teleworking
Whether policy, operational plans and procedures are developed and implemented for teleworking activities.
Whether teleworking activity is authorized and controlled by management, and whether it ensures that suitable arrangements are in place for this way of working.


Information systems acquisition, development and maintenance

8.1 | 12.1 | Security requirements of information systems

8.1.1 | 12.1.1 | Security requirements analysis and specification
Whether the security requirements for new information systems and enhancements to existing information systems specify the requirements for security controls.
Whether the security requirements and controls identified reflect the business value of the information assets involved and the consequences of a failure of security.
Whether system requirements for information security and processes for implementing security are integrated in the early stages of information system projects.

8.2 | 12.2 | Correct processing in applications

8.2.1 | 12.2.1 | Input data validation
Whether data input to application systems is validated to ensure that it is correct and appropriate.
Whether controls such as: different types of inputs to check for error messages, procedures for responding to validation errors, defining the responsibilities of all personnel involved in the data input process, etc., are considered.
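An added example of the input validation controls in 8.2.1 (not from the checklist): a validator for a hypothetical funds-transfer form that checks every field for type, format and range, rejects unexpected and missing fields, returns all errors at once with the field name and the rule but without echoing the submitted value, and hands back cleaned values only when nothing failed. The field names, formats and limits are constructed for the demo.

```python
import re
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed rules for a hypothetical funds-transfer form (assumptions, not
# from the checklist). fullmatch is used below because match() with "$" would
# still accept a value carrying a trailing newline.
ACCOUNT_RE = re.compile(r"[0-9]{10}")
AMOUNT_RE = re.compile(r"[0-9]{1,5}(\.[0-9]{1,2})?")
MEMO_RE = re.compile(r"[\x20-\x7e]{0,60}")        # printable ASCII only, max 60
ALLOWED_CURRENCIES = {"EUR", "USD", "GBP"}
MAX_AMOUNT = Decimal("50000.00")
EXPECTED_FIELDS = {"from_account", "to_account", "amount", "currency", "memo"}


def validate_transfer(raw: Dict[str, object]) -> Tuple[Dict[str, object], List[str]]:
    """Return (clean_values, errors). Clean values are only returned when there
    are no errors, so a caller cannot process a partially valid record. Error
    texts name the field and the rule but never repeat the submitted value."""
    errors: List[str] = []
    clean: Dict[str, object] = {}

    # Reject by default: unknown fields and missing fields are both errors.
    for name in sorted(set(raw) - EXPECTED_FIELDS):
        errors.append(f"{name}: unexpected field")
    for name in sorted(EXPECTED_FIELDS - set(raw)):
        errors.append(f"{name}: missing")

    for name in ("from_account", "to_account"):
        if name in raw:
            value = raw[name]
            if isinstance(value, str) and ACCOUNT_RE.fullmatch(value):
                clean[name] = value
            else:
                errors.append(f"{name}: must be exactly 10 digits")
    if "from_account" in clean and clean.get("to_account") == clean["from_account"]:
        errors.append("to_account: must differ from from_account")

    if "amount" in raw:
        value = raw["amount"]
        if (isinstance(value, str) and AMOUNT_RE.fullmatch(value)
                and Decimal("0") < Decimal(value) <= MAX_AMOUNT):
            clean["amount"] = Decimal(value)
        else:
            errors.append("amount: positive number, at most 2 decimals, not above 50000.00")

    if "currency" in raw:
        value = raw["currency"]
        if isinstance(value, str) and value in ALLOWED_CURRENCIES:
            clean["currency"] = value
        else:
            errors.append("currency: not an allowed currency code")

    if "memo" in raw:
        value = raw["memo"]
        if isinstance(value, str) and MEMO_RE.fullmatch(value):
            clean["memo"] = value
        else:
            errors.append("memo: printable ASCII, at most 60 characters")

    return (clean, []) if not errors else ({}, errors)
```

The "different types of inputs" the checklist mentions are exactly the cases worth feeding such a validator during acceptance testing: wrong type, out of range, control characters, extra fields, and trailing whitespace or newlines.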


8.2.2 | 12.2.2 | Control of internal processing
Whether validation checks are incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
Whether the design and implementation of applications ensure that the risks of processing failures leading to a loss of integrity are minimised.

8.2.3 | 12.2.3 | Message integrity
Whether requirements for ensuring and protecting message integrity in applications are identified, and appropriate controls identified and implemented.
Whether a security risk assessment was carried out to determine if message integrity is required, and to identify the most appropriate method of implementation.

8.2.4 | 12.2.4 | Output data validation
Whether the data output of application systems is validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

8.3 | 12.3 | Cryptographic controls

8.3.1 | 12.3.1 | Policy on use of cryptographic controls
Whether the organization has a policy on the use of cryptographic controls for the protection of information.
Whether the policy is successfully implemented.


Whether the cryptographic policy considers the management approach towards the use of cryptographic controls, risk assessment results to identify the required level of protection, key management methods and the various standards for effective implementation.

8.3.2 | 12.3.2 | Key management
Whether key management is in place to support the organization's use of cryptographic techniques.
Whether cryptographic keys are protected against modification, loss and destruction.
Whether secret keys and private keys are protected against unauthorized disclosure.
Whether the equipment used to generate and store keys is physically protected.
Whether the key management system is based on an agreed set of standards, procedures and secure methods.

8.4 | 12.4 | Security of system files

8.4.1 | 12.4.1 | Control of operational software
Whether there are any procedures in place to control the installation of software on operational systems. (This is to minimise the risk of corruption of operational systems.)


8.4.2 | 12.4.2 | Protection of system test data
Whether system test data is protected and controlled.
Whether the use of personal information or any sensitive information for testing the operational database is shunned.

8.4.3 | 12.4.3 | Access Control to program source code
Whether strict controls are in place to restrict access to program source libraries.
(This is to avoid the potential for unauthorized, unintentional changes.)

8.5 | 12.5 | Security in development and support processes

8.5.1 | 12.5.1 | Change control procedures
Whether there is a strict control procedure in place over the implementation of changes to the information system. (This is to minimise the corruption of the information system.)
Whether this procedure addresses the need for risk assessment and analysis of the impacts of changes.

8.5.2 | 12.5.2 | Technical review of applications after operating system changes
Whether there is a process or procedure in place to review and test business critical applications for adverse impact on organizational operations or security after changes to operating systems.
Periodically it is necessary to upgrade operating systems, i.e., to install service packs, patches, hot fixes, etc.


8.5.3 | 12.5.3 | Restriction on changes to software packages
Whether modifications to software packages are discouraged and/or limited to necessary changes.
Whether all changes are strictly controlled.

8.5.4 | 12.5.4 | Information leakage
Whether controls are in place to prevent information leakage.
Whether controls such as scanning of outbound media, regular monitoring of personnel and system activities permitted under local legislation, and monitoring of resource usage are considered.

8.5.5 | 12.5.5 | Outsourced software development
Whether outsourced software development is supervised and monitored by the organization.
Whether points such as: licensing arrangements, escrow arrangements, contractual requirements for quality assurance, testing before installation to detect Trojan code, etc., are considered.

8.6 | 12.6 | Technical Vulnerability Management

8.6.1 | 12.6.1 | Control of technical vulnerabilities
Whether timely information about technical vulnerabilities of the information systems being used is obtained.
Whether the organization's exposure to such vulnerabilities is evaluated and appropriate measures taken to mitigate the associated risk.

Information security incident management

9.1 | 13.1 | Reporting information security events and weaknesses

9.1.1 | 13.1.1 | Reporting information security events
Whether information security events are reported through appropriate management channels as quickly as possible.
Whether a formal information security event reporting procedure, and an incident response and escalation procedure, are developed and implemented.

9.1.2 | 13.1.2 | Reporting security weaknesses
Whether there exists a procedure that ensures all employees using information systems and services are required to note and report any observed or suspected security weakness in the systems or services.

9.2 | 13.2 | Management of information security incidents and improvements

9.2.1 | 13.2.1 | Responsibilities and procedures
Whether management responsibilities and procedures were established to ensure a quick, effective and orderly response to information security incidents.
Whether monitoring of systems, alerts and vulnerabilities is used to detect information security incidents.


Whether the objectives of information security incident management are agreed with management.

9.2.2 | 13.2.2 | Learning from information security incidents
Whether there is a mechanism in place to identify and quantify the type, volume and costs of information security incidents.
Whether the information gained from the evaluation of past information security incidents is used to identify recurring or high impact incidents.

9.2.3 | 13.2.3 | Collection of evidence
Whether follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal).
Whether evidence relating to the incident is collected, retained and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).
Whether internal procedures are developed and followed when collecting and presenting evidence for the purpose of disciplinary action within the organization.

Business Continuity Management

10.1 | 14.1 | Information security aspects of business continuity management

10.1.1 | 14.1.1 | Including information security in the business continuity management process
Whether there is a managed process in place that addresses the information security requirements for developing and maintaining business continuity throughout the organization.

Whether this process understands the risks the organization is facing, identifies business critical assets, identifies incident impacts, considers the implementation of additional preventative controls, and documents the business continuity plans addressing the security requirements.

10.1.2 | 14.1.2 | Business continuity and risk assessment
Whether events that cause interruption to business processes are identified, along with the probability and impact of such interruptions and their consequences for information security.

10.1.3 | 14.1.3 | Developing and implementing continuity plans including information security
Whether plans were developed to maintain and restore business operations and ensure the availability of information at the required level in the required time frame following an interruption or failure of business processes.
Whether the plan considers identification and agreement of responsibilities, identification of acceptable loss, implementation of recovery and restoration procedures, documentation of procedures and regular testing.

10.1.4 | 14.1.4 | Business continuity planning framework
Whether there is a single framework of business continuity plans.
Whether this framework is maintained to ensure that all plans are consistent and identify priorities for testing and maintenance.

Whether the business continuity plan addresses the identified information security requirements.

10.1.5 | 14.1.5 | Testing, maintaining and re-assessing business continuity plans
Whether business continuity plans are tested regularly to ensure that they are up to date and effective.
Whether business continuity plan tests ensure that all members of the recovery team and other relevant staff are aware of the plans and their responsibility for business continuity and information security, and know their role when the plan is invoked.

Compliance

11.1 | 15.1 | Compliance with legal requirements

11.1.1 | 15.1.1 | Identification of applicable legislation
Whether all relevant statutory, regulatory and contractual requirements, and the organizational approach to meeting these requirements, were explicitly defined and documented for each information system and the organization.
Whether specific controls and individual responsibilities to meet these requirements were defined and documented.


11.1.2 | 15.1.2 | Intellectual property rights (IPR)
Whether there are procedures to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights, and on the use of proprietary software products.
Whether the procedures are well implemented.
Whether controls such as: publishing an intellectual property rights compliance policy, procedures for acquiring software, policy awareness, maintaining proof of ownership, and complying with software terms and conditions are considered.

11.1.3 | 15.1.3 | Protection of organizational records
Whether important records of the organization are protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements.
Whether consideration is given to the possibility of deterioration of the media used for storage of records.
Whether data storage systems were chosen so that the required data can be retrieved in an acceptable timeframe and format, depending on the requirements to be fulfilled.

11.1.4 | 15.1.4 | Data protection and privacy of personal information
Whether data protection and privacy are ensured as per relevant legislation and regulations and, if applicable, as per the contractual clauses.

11.1.5 | 15.1.5 | Prevention of misuse of information processing facilities
Whether use of information processing facilities for any non-business or unauthorized purpose, without management approval, is treated as improper use of the facility.
Whether a log-on warning message is presented on the computer screen prior to log-on. Whether the user has to acknowledge the warning and react appropriately to the message on the screen in order to continue with the log-on process.
Whether legal advice is taken before implementing any monitoring procedures.

11.1.6 | 15.1.6 | Regulation of cryptographic controls
Whether the cryptographic controls are used in compliance with all relevant agreements, laws and regulations.

11.2 | 15.2 | Compliance with security policies and standards, and technical compliance

11.2.1 | 15.2.1 | Compliance with security policies and standards
Whether managers ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards.
Do managers regularly review the information processing facilities within their area of responsibility for compliance with the appropriate security policies and procedures?

11.2.2 | 15.2.2 | Technical compliance checking
Whether information systems are regularly checked for compliance with security implementation standards.
Whether the technical compliance check is carried out by, or under the supervision of, competent, authorized personnel.

11.3 | 15.3 | Information Systems audit considerations

11.3.1 | 15.3.1 | Information systems audit controls
Whether audit requirements and activities involving checks on operational systems are carefully planned and agreed, to minimise the risk of disruptions to business processes.
Whether the audit requirements and scope are agreed with appropriate management.

11.3.2 | 15.3.2 | Protection of information system audit tools
Whether access to information system audit tools, such as software or data files, is protected to prevent any possible misuse or compromise.
Whether information system audit tools are separated from development and operational systems, unless given an appropriate level of additional protection.
