Generic Security Audit Program
  

Logical Security

Generic Audit Work Program

Non-Platform Specific

The information on this page was contributed by Lance M. Turcato, CPA, CISA.  This page includes a comprehensive work program for evaluating information system logical security.  This work program is non-platform specific and considers the primary elements of an information security architecture.  This work program may be tailored to any platform / operating system.

The complete work program, with all detailed program steps, is available for download in PDF format (Adobe Acrobat Reader or another PDF viewer is required).

An outline of the major control objectives and audit areas covered by the complete work program is presented below:

A  SYSTEMS UNDERSTANDING

A 1.0  Organization
Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance.

A 2.0  Hardware Platforms
Objective: To ensure that the audit team has a clear understanding of the hardware platforms subject to review and obtains the information needed to identify critical systems throughout the processing environment.

A 3.0  Operating System
Objective: To ensure that the audit team has a clear understanding of the operating system included in the scope of the review, and that known vulnerabilities associated with the specific operating system versions in use are considered during the audit so that all exposures are identified.

A 4.0  Network Overview
Objective: To ensure that the audit team has a clear understanding of the network components and interfaces which may affect the logical security of specific servers and workstations.

B  SECURITY MANAGEMENT

B 1.0  Roles & Responsibilities
Objective: To ensure that roles and responsibilities for security management have been clearly and appropriately defined.

B 2.0  Corporate Security Policies & Standards
Objective: To ensure that existing corporate security policies and standards have been communicated. Furthermore, to ensure that existing policies and standards are applicable throughout the processing environment and that all systems are in compliance with appropriate policies and standards.

B 3.0  Security Awareness & Training
Objective: To ensure that end-users are aware of appropriate corporate security policies and standards and are informed of their individual responsibilities relative to ensuring a secure processing environment.

C  SECURITY ADMINISTRATION

C 1.0  Roles & Responsibilities
Objective: To ensure that roles and responsibilities for security administration have been clearly and appropriately defined.

C 2.0  Staffing
Objective: To ensure that appropriate processes are in place so that individuals with security administration responsibilities are qualified to complete the defined security administration tasks.

C 3.0  Security Administration Procedures
Objective: To ensure that security administration responsibilities and activities have been adequately defined and documented to support the security administration function, and that appropriate documentation is available to facilitate the training of new administrators.

D  SYSTEM CONFIGURATION

D 1.0  Servers
Objective: To ensure that adequate controls are in place over the installation and configuration of server hardware.

D 2.0  Operating System Configuration - Policies & Standards
Objective: To ensure that operating system installations and upgrades are configured in compliance with appropriate security and configuration policies and standards.

D 3.0  Operating System Configuration - Configuration Process
Objective: To ensure that adequate controls are in place over the configuration of operating system installations and upgrades.

D 4.0  Operating System Configuration - System Security Parameters
Objective: To ensure that existing operating system security parameters are configured to secure settings and are in compliance with best practices and relevant corporate policies and standards.

D 5.0  System Utilities
Objective: To ensure that adequate controls are in place over the use of sensitive system utilities.

D 6.0  Security System Configuration - Policies & Standards
Objective: To ensure that third-party security system installations and upgrades are configured in compliance with appropriate security and configuration policies and standards.

D 7.0  Security System Configuration - Configuration Process
Objective: To ensure that adequate controls are in place over the configuration of third-party security system installations and upgrades.

D 8.0  Security System Configuration - System Security Parameters
Objective: To ensure that existing parameters for third-party security systems are configured to secure settings and are in compliance with best practices and relevant corporate policies and standards.
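The parameter reviews in D 4.0 and D 8.0 come down to the same test: every security-relevant parameter is compared with the value the corporate standard requires, and anything missing or out of range becomes a finding. The following is an added illustration of that test, not part of the work program; the parameter names, the policy rules and the sample configuration are constructed for the example and must be replaced with the platform's real parameters and the organisation's own standard.

```python
"""Added example (not part of the work program): compare system security
parameters with a policy baseline and report every deviation.

Assumptions: the configuration is exported as generic "name = value" lines;
the parameter names, policy values and sample configuration are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample export of an operating-system security configuration.
SAMPLE_CONFIG = """
# security parameters (constructed sample)
password_min_length = 6
password_max_age_days = 180
failed_logon_lockout_threshold = 0
session_idle_timeout_minutes = 15
audit_logging = enabled
remote_root_login = yes
"""

# Constructed policy baseline. Rule kinds:
#   ("eq", value)      value must match (case-insensitive)
#   ("min", n)         numeric, must be >= n
#   ("max", n)         numeric, must be <= n
#   ("range", lo, hi)  numeric, lo <= value <= hi (0 lockouts would mean "off")
POLICY = {
    "password_min_length": ("min", 8),
    "password_max_age_days": ("max", 90),
    "failed_logon_lockout_threshold": ("range", 3, 10),
    "session_idle_timeout_minutes": ("max", 30),
    "audit_logging": ("eq", "enabled"),
    "remote_root_login": ("eq", "no"),
    "password_history": ("min", 5),   # absent from the sample: reported as missing
}


@dataclass(frozen=True)
class Finding:
    parameter: str
    actual: Optional[str]   # None when the parameter is not set at all
    expected: str


def parse_parameters(text):
    """Parse 'name = value' lines into a dict. Comments and blank lines are
    dropped; a later duplicate overrides an earlier one, which is how most
    loaders behave and is itself worth noting during the review."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name.lower()] = value
    return params


def _describe(rule):
    kind = rule[0]
    if kind == "eq":
        return f"= {rule[1]}"
    if kind == "min":
        return f">= {rule[1]}"
    if kind == "max":
        return f"<= {rule[1]}"
    return f"between {rule[1]} and {rule[2]}"


def _satisfies(value, rule):
    kind = rule[0]
    if kind == "eq":
        return value.lower() == str(rule[1]).lower()
    try:
        n = int(value)
    except ValueError:
        return False          # a non-numeric value where a number is required
    if kind == "min":
        return n >= rule[1]
    if kind == "max":
        return n <= rule[1]
    return rule[1] <= n <= rule[2]


def check_compliance(params, policy=POLICY):
    """Return one Finding per policy parameter that is missing or out of policy."""
    findings = []
    for name, rule in policy.items():
        actual = params.get(name)
        if actual is None or not _satisfies(actual, rule):
            findings.append(Finding(name, actual, _describe(rule)))
    return findings


if __name__ == "__main__":
    for f in check_compliance(parse_parameters(SAMPLE_CONFIG)):
        print(f"NON-COMPLIANT {f.parameter}: actual={f.actual!r}, policy {f.expected}")
```

The policy drives the check rather than the configuration: a parameter the standard requires but the system never sets is reported as a finding, which a simple "read the config and look for bad values" approach would miss.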

E  ACCESS CONTROLS

E 1.0  Account Management
Objective: To ensure that appropriate controls are in place over the system level account management process.

E 2.0  Password Management
Objective: To ensure that the system has been configured to enforce the use of secure passwords, to prevent unauthorized access to critical applications, data and system resources.

E 3.0  User Profile Configurations
Objective: To ensure that adequate controls are in place over the configuration of user profiles so that user access rights are commensurate with users' job responsibilities.

E 4.0  Group Profile Configurations
Objective: To ensure that adequate controls are in place over the configuration of group profiles so that the access rights of users assigned to those group profiles are commensurate with the users' job responsibilities.

E 5.0  Privileged Accounts
Objective: To ensure that adequate controls are in place over the authorization, ownership, and use of sensitive super-user accounts.

E 6.0  Special User Accounts
Objective: To ensure that appropriate controls are in place over the authorization, ownership, and use of unique special user accounts.

E 7.0  Logon / Logoff Processes
Objective: To ensure that appropriate controls are in place over the logon and logoff processes.

E 8.0  Generic / Shared Accounts
Objective: To ensure that the use of generic and shared accounts is limited and justified by business need, and that appropriate controls are in place over the use of these accounts.
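The account-related objectives E 1.0, E 2.0, E 5.0, E 6.0 and E 8.0 are tested from the same evidence: the system's account database reconciled against a list of named individuals and the password standard. The following is an added illustration of that reconciliation, not part of the work program. It assumes the Unix /etc/passwd and /etc/shadow layouts purely as a concrete case (the work program itself is non-platform specific); the sample records, the HR roster, the 90-day maximum age and the UID boundary between service and user accounts are all constructed for the example.

```python
"""Added example (not part of the work program): reconcile system accounts
against an HR roster and the password standard.

Assumptions: Unix /etc/passwd and /etc/shadow layouts; the sample records,
roster, password-age limit and system-UID boundary are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data in the /etc/passwd and /etc/shadow layouts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:alternate root:/root:/bin/bash
jsmith:x:1001:1001:Jane Smith:/home/jsmith:/bin/bash
operator:x:1002:1002:shift operators:/home/operator:/bin/bash
tkim:x:1003:1003:Tom Kim:/home/tkim:/bin/bash
ghost:x:1004:1004:no shadow entry:/home/ghost:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$salt$hash1:19000:0:90:7:::
daemon:*:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
toor:$6$salt$hash2:19000:0:99999:7:::
jsmith:$6$salt$hash3:19000:0:90:7:::
operator::19000:0:99999:7:::
tkim:$6$salt$hash4:19000:0:90:7:::
"""

ROSTER = {"jsmith", "tkim"}          # constructed HR list of named individuals
NON_INTERACTIVE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
MAX_PASSWORD_AGE_DAYS = 90           # assumed corporate standard
SYSTEM_UID_LIMIT = 1000              # assumption: UIDs below this are service accounts
CHECKS = ("uid0_not_root", "no_password", "no_shadow_entry", "duplicate_uid",
          "password_never_expires", "service_account_interactive",
          "unreconciled_interactive")


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    pw_hash: Optional[str]   # None when the account has no shadow entry
    max_age: Optional[int]   # shadow "max" field; None when blank or absent


def parse_accounts(passwd_text, shadow_text):
    """Join passwd and shadow records by account name."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            f = line.split(":")
            shadow[f[0]] = (f[1], int(f[4]) if f[4] else None)
    accounts = []
    for line in passwd_text.splitlines():
        if line.strip():
            f = line.split(":")
            pw_hash, max_age = shadow.get(f[0], (None, None))
            accounts.append(Account(f[0], int(f[2]), f[6], pw_hash, max_age))
    return accounts


def audit_accounts(accounts):
    """Return {check name: sorted list of offending account names}."""
    findings = {name: [] for name in CHECKS}
    by_uid = {}
    for a in accounts:
        interactive = a.shell not in NON_INTERACTIVE_SHELLS
        # "*" or "!" at the start of the hash field means the password is locked.
        locked = a.pw_hash is None or a.pw_hash.startswith(("*", "!"))
        by_uid.setdefault(a.uid, []).append(a.name)
        if a.uid == 0 and a.name != "root":            # E 5.0: extra super-users
            findings["uid0_not_root"].append(a.name)
        if a.pw_hash is None:                          # E 1.0: orphaned record
            findings["no_shadow_entry"].append(a.name)
        elif a.pw_hash == "":                          # E 2.0: empty password
            findings["no_password"].append(a.name)
        if interactive and not locked and (a.max_age is None
                                           or a.max_age > MAX_PASSWORD_AGE_DAYS):
            findings["password_never_expires"].append(a.name)   # E 2.0
        if interactive and a.uid < SYSTEM_UID_LIMIT and a.name != "root":
            findings["service_account_interactive"].append(a.name)  # E 6.0
        if interactive and a.uid >= SYSTEM_UID_LIMIT and a.name not in ROSTER:
            findings["unreconciled_interactive"].append(a.name)     # E 8.0
    for names in by_uid.values():                      # E 1.0: shared identity
        if len(names) > 1:
            findings["duplicate_uid"].extend(names)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for check, names in audit_accounts(parse_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)).items():
        if names:
            print(f"{check}: {', '.join(names)}")
```

The roster reconciliation is what turns E 8.0 into a testable step: any interactive account that does not map to a named person is presumed generic or shared until a documented business justification is produced.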

E 9.0  Remote Access
Objective: To ensure that appropriate controls are in place to control access to the Company's internal network and systems from a remote system.

E 10.0  System Boot Process
Objective: To ensure that appropriate controls are in place so that only authorized security settings and system services are initiated during the system boot / IPL process.

F  FILE & DIRECTORY PROTECTION

F 1.0  System Directories & Files
Objective: To ensure that system level security has been configured to appropriately protect critical system directories and files.

F 2.0  Application Directories & Files
Objective: To ensure that system level security has been configured to appropriately protect critical application directories and files.

F 3.0  Production Data Directories & Files
Objective: To ensure that system level security has been configured to appropriately protect critical production data directories and files.
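F 1.0 to F 3.0 differ only in which tree is walked; the checks on each object are the same. The following is an added illustration of those checks on a POSIX file tree, not part of the work program. It builds a small constructed directory tree in a temporary location so it can run anywhere; the paths and modes in the sample tree are assumptions chosen to exercise each check, and the expected owner defaults to the current user because the example cannot change file ownership.

```python
"""Added example (not part of the work program): scan a directory tree for
weak file and directory protection.

Assumptions: POSIX mode bits; the sample tree, its paths and modes are
constructed here; the expected owner defaults to the current user.
"""
import os
import shutil
import stat
import tempfile


def classify(mode, uid, expected_uid):
    """Return the protection issues implied by one object's st_mode and owner.
    Pure function over stat fields so it can be tested without real files."""
    issues = []
    if stat.S_ISLNK(mode):
        # Link permission bits are meaningless on most systems; the link
        # itself (and where it points) is what the reviewer needs to see.
        issues.append("symlink")
    else:
        is_dir = stat.S_ISDIR(mode)
        if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
            issues.append("world_writable")   # sticky world-writable dirs are fine
        if not is_dir and mode & (stat.S_ISUID | stat.S_ISGID):
            issues.append("setuid_or_setgid")  # must be on the approved inventory
    if uid != expected_uid:
        issues.append("unexpected_owner")
    return issues


def scan_tree(root, expected_uid=None):
    """Walk root without following links; return {relative path: [issues]}."""
    if expected_uid is None:
        expected_uid = os.getuid()
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            issues = classify(st.st_mode, st.st_uid, expected_uid)
            if issues:
                report[os.path.relpath(full, root)] = issues
    return report


def build_sample_tree():
    """Create a constructed tree under a temp dir; returns its root path."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    for d in ("etc", "bin", "tmp", "var/spool"):
        os.makedirs(os.path.join(root, d))
    files = {
        "etc/passwd": 0o644,
        "etc/shadow": 0o640,
        "etc/hosts": 0o666,      # world-writable configuration file
        "bin/ls": 0o755,
        "bin/su": 0o4755,        # setuid binary: expected, but must be inventoried
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "tmp"), 0o1777)         # sticky: acceptable
    os.chmod(os.path.join(root, "var", "spool"), 0o777)  # no sticky bit: finding
    os.symlink("/etc/passwd", os.path.join(root, "etc", "passwd.bak"))
    return root


def remove_sample_tree(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for path, issues in sorted(scan_tree(root).items()):
            print(f"{path}: {', '.join(issues)}")
    finally:
        remove_sample_tree(root)
```

The walk uses lstat and never follows links, so a link planted in a system directory cannot redirect the scan, and the setuid check is deliberately a listing rather than a verdict: the finding is any setuid or setgid program that is not on the approved inventory, which only the reviewer can decide.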

G  REPORTING & AUDITING

G 1.0  Logging
Objective: To ensure that appropriate security events are logged to provide security administration personnel with the ability to appropriately monitor system security.

G 2.0  Reporting
Objective: To ensure that appropriate reports are produced to summarize data recorded in audit logs so that security events may be efficiently monitored on a timely basis.

G 3.0  Monitoring
Objective: To ensure that appropriate processes and procedures are in place to monitor security reports in order to detect security violations and unauthorized changes to system security configurations in a timely manner.
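G 1.0 to G 3.0 form one chain: events are logged, summarized into a report, and the report is watched for violations and for changes to the security configuration. The following is an added illustration of the detection logic run over a handful of constructed event records, not part of the work program. The event format, the list of security administrators, the privileged account, the business hours and the burst threshold are all assumptions for the example.

```python
"""Added example (not part of the work program): summarize security events
and detect violations and unauthorized security-configuration changes.

Assumptions: a constructed "timestamp KIND key=value ..." event format;
the sample log, admin list, privileged users, business hours and burst
threshold are constructed for the illustration.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample event log.
SAMPLE_LOG = """\
2024-03-02T02:10:01 LOGON user=root src=10.0.0.9 result=SUCCESS
2024-03-02T08:15:01 LOGON user=jsmith src=10.0.0.5 result=FAIL
2024-03-02T08:15:40 LOGON user=jsmith src=10.0.0.5 result=SUCCESS
2024-03-02T08:30:00 LOGON user=tkim src=198.51.100.7 result=FAIL
2024-03-02T08:30:20 LOGON user=tkim src=198.51.100.7 result=FAIL
2024-03-02T08:30:45 LOGON user=tkim src=198.51.100.7 result=FAIL
2024-03-02T08:31:10 LOGON user=tkim src=198.51.100.7 result=FAIL
2024-03-02T08:31:30 LOGON user=tkim src=198.51.100.7 result=FAIL
2024-03-02T09:00:00 CONFIG_CHANGE user=operator file=/etc/security/policy.conf
2024-03-02T09:05:00 CONFIG_CHANGE user=jsmith file=/etc/security/policy.conf
2024-03-02T14:00:00 LOGON user=root src=10.0.0.9 result=SUCCESS
"""

SECURITY_ADMINS = {"jsmith"}          # assumed: the only authorized config editors
PRIVILEGED_USERS = {"root"}           # assumed super-user account
BUSINESS_HOURS = range(7, 19)         # assumed 07:00-18:59
BURST_THRESHOLD = 5                   # failures within BURST_WINDOW that trigger
BURST_WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse each line into {"time": datetime, "kind": str, <key>: <value>...}."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        ev = {"time": datetime.fromisoformat(ts), "kind": kind}
        for item in pairs:
            key, _, value = item.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def detect_failed_logon_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Sliding window per (user, source): flag the first moment `threshold`
    failures fall inside `window`. Returns {(user, src): trigger time}."""
    recent = defaultdict(deque)
    bursts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["kind"] != "LOGON" or ev.get("result") != "FAIL":
            continue
        key = (ev["user"], ev["src"])
        q = recent[key]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in bursts:
            bursts[key] = ev["time"]
    return bursts


def detect_offhours_privileged_logons(events):
    """Successful super-user logons outside business hours (G 3.0 violation)."""
    return [ev for ev in events
            if ev["kind"] == "LOGON" and ev.get("result") == "SUCCESS"
            and ev["user"] in PRIVILEGED_USERS
            and ev["time"].hour not in BUSINESS_HOURS]


def detect_unauthorized_config_changes(events):
    """Security configuration changes by anyone outside SECURITY_ADMINS."""
    return [ev for ev in events
            if ev["kind"] == "CONFIG_CHANGE" and ev["user"] not in SECURITY_ADMINS]


def summarize(events):
    """Event counts by (kind, result) for the G 2.0 summary report."""
    return Counter((ev["kind"], ev.get("result", "-")) for ev in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, count in sorted(summarize(evs).items()):
        print(f"{key[0]} {key[1]}: {count}")
    for (user, src), when in detect_failed_logon_bursts(evs).items():
        print(f"burst: {user} from {src} at {when.isoformat()}")
    for ev in detect_offhours_privileged_logons(evs):
        print(f"off-hours privileged logon: {ev['user']} at {ev['time'].isoformat()}")
    for ev in detect_unauthorized_config_changes(evs):
        print(f"unauthorized change: {ev['user']} edited {ev['file']}")
```

The burst detector keys on user and source together and reports only the first crossing, so one attack produces one finding rather than one per additional failure; the configuration-change check is what gives G 3.0 its second half, tying every edit of a security file back to a named, authorized administrator.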

Copyright © 1999 - 2002. Lance M. Turcato, CPA, CISA. All Rights Reserved.