www.isaca.org/auditprograms

Information Systems Audit and Control Association
www.isaca.org

e-Commerce Security
Securing the Network Perimeter

AUDIT PROGRAMS & INTERNAL CONTROL QUESTIONNAIRES

Information Systems Audit and Control Association

With more than 28,000 members in more than 100 countries, the Information Systems Audit and Control Association® (ISACA®) (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal™, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor™ (CISA®) designation earned by more than 34,000 professionals since inception, and the Certified Information Security Manager (CISM™) designation, a groundbreaking credential earned by 5,000 professionals in its first two years.


IT Governance Institute®

The IT Governance Institute™ (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. Effective IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. The IT Governance Institute offers symposia, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.


Purpose of Audit Programs and Internal Control Questionnaires

One of ISACA's goals is to ensure that educational products support member and industry information needs. Responding to member requests for useful audit programs, ISACA's Education Board has released audit programs and internal control questionnaires for member use through K-NET. These products are developed from ITGI publications, or provided by practitioners in the field.


Control Objectives for Information and related Technology

Control Objectives for Information and related Technology (COBIT®) has been developed as a generally applicable and accepted standard for good information technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners. The audit programs included in K-NET have been referenced to key COBIT control objectives.


Disclaimer

ITGI, ISACA and the author of this document have designed the publication primarily as an educational resource for control professionals. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his/her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment. Users are cautioned not to consider these audit programs and internal control questionnaires to be all-inclusive or applicable to all organizations. They should be used as a starting point to build upon based on an organization's constraints, policies, practices and operational environment.



October 2002


Perimeter Security Audit Program: Risks and Strategy Planning


Introduction

The purpose of establishing perimeter security for networks is to enable organizations to manage the risks associated with connecting proprietary enterprise networks to one or more external entities via private or public networks. With the deliberate and complex integration of networks among organizations, simple barriers are no longer appropriate or adequate solutions to network security. Network perimeter security is an organization's first and most important layer of defense. A key concept of security is depth: multiple layers of defense that have to be circumvented to gain access to internal information assets and resources.

This audit program is to be used in conjunction with the following audit program for risks and strategy implementation. Note: no "off the shelf" audit program should be used without defining each organization's constraints, policies and practices.

This program has been developed and reviewed with regard to COBIT 3rd Edition.



Audit Objectives

COBIT DS5 High-level Control Objective

Control over the IT process of ensuring systems security that satisfies the business requirement to safeguard information against unauthorized use, disclosure, modification, damage or loss is enabled by logical access controls, which ensure that access to systems, data and programs is restricted to authorized users, and takes into consideration:

- Confidentiality and privacy requirements
- Authorization, authentication and access control
- User identification and authorization profiles
- Need-to-have and need-to-know
- Cryptographic key management
- Incident handling, reporting and follow-up
- Virus prevention and detection
- Firewalls
- Centralized security administration
- User training
- Tools for monitoring compliance, intrusion testing and reporting


Audit Objectives and Procedures

Purpose and Scope

The purpose of this audit program is to provide the auditor with a methodology for evaluating the planning of the perimeter security architecture discussed in this publication. It examines the typical pitfalls, traps, issues and dos and don'ts that affect the quality of an organization's first, and arguably most important, layer of defense: perimeter security. This audit program includes an evaluation of basic perimeter security plan concepts and issues that need to be considered when planning perimeter security architectures. The review procedures included in this audit program will help ensure that the appropriate items have been considered in the design of an effective perimeter security scheme.


Worksheet columns: Audit Step | Completed By / Date | Test Results, Remarks, W/P Ref. | Auto Tool | COBIT Reference. (The Completed By, Test Results and Auto Tool columns are blank workpaper fields in the original; each step below is followed by its COBIT reference.)

I. Preparatory Steps

1. Obtain and review the current organization chart for the system and network administration areas. [COBIT: PO4.4]

2. Identify the key network administration staff and the key network user stakeholders. [COBIT: PO4.4, PO7]

3. Obtain a copy of the latest network security risk analysis including any information on system, data and service classifications. [COBIT: PO9, DS11, DS1]

4. Obtain and review a copy of the organization's:
   - Security policy
   - Security strategy or strategies
   - Security procedures and standards
   - Network inventory or schematic of physical network components
   - Network problem tracking, resolution and escalation procedures
   - Security violation reports and management review procedures
   - List of vendors and customers with access to the network
   - Copies of contracts with service providers for data transmission
   - Copies of signed user security and awareness documents
   - New employee training materials relating to security
   - Relevant legal and regulatory information related to security and information access
   [COBIT: DS5.1, PO6, PO8, AI4, DS1, DS11]

5. Interview the senior security officer and the IT security administrator. [COBIT: PO7]

II. Planning: Design Concepts

A. Security risk analysis

1. Determine that a methodical security risk analysis has been completed and documented. [COBIT: PO9]

2. Obtain and review a copy of the risk analysis and determine if it includes a detailed list of all information assets, such as servers and workstations, software and data, and services running on the platforms connected to the network that need protection. [COBIT: PO9, PO5]

3. Determine if an owner has been identified for each information asset and that a value has been assigned to each asset (high, medium, low) that represents the cost to the organization should the asset be compromised. [COBIT: PO4.7, PO4.8, DS6]

4. Compare the risk analysis with the network inventory or schematic of the network to determine that all of the physical access points to the information assets have been identified and that the analysis is complete. [COBIT: PO9, DS5]

B. Security policy

1. Determine that a security policy has been developed and documented. [COBIT: PO6.8, DS5]

2. Obtain and review a copy of the security policy and determine if it conforms to relevant standards such as ISO/IEC 17799. [COBIT: PO8]

3. Determine if the security policy sets a clear policy direction, and includes support and commitment by management for information security across the organization. The policy should contain:
   - A definition of information security, its overall objectives and scope
   - A statement of management intent, supporting the goals and principles of information security
   - A brief explanation of the security policies, principles, standards and compliance requirements that are of particular importance to the organization
   - A definition of general and specific responsibilities for information security management, including monitoring and reporting
   - References to documentation which may support the policy, e.g., detailed security policies and procedures
   [COBIT: PO6.8, DS5.1]

4. Determine that a security strategy, or strategies, has been developed and documented that is based on the security policy. The strategy or strategies should specify the types of controls, such as demilitarized zones (DMZ) or trust zones, hardened operating systems, least privilege, and separation of duties, that should be implemented. [COBIT: DS5.1]

5. Confirm that each strategy is supported by documented detailed security procedures and standards. These procedures and standards should be application- and operating-system-specific. Review the procedures and standards and determine if they are detailed enough to enable a knowledgeable user to perform the procedure or configure the system or application. [COBIT: AI4, DS9]

C. Trust zones

1. Review the network inventory or schematic of the network, and verify with knowledgeable IT network personnel that all of the physical access points to the information assets have been identified. [COBIT: DS3, PO7, PO9, DS5]

2. Verify that all connections to the network have been classified by trust level, based on the level of control required by the security policy. Four potential classifications for interconnected systems are:
   - Trusted: systems that are under direct control of the organization
   - Semitrusted: requires authenticated access to protect exposed systems not accessible by the public
   - Untrusted: requires authenticated access to specific information resources on exposed, publicly accessible systems
   - Hostile: very restricted access only to the required systems; unauthorized access attempts are expected
   [COBIT: DS5.16, DS9, PO8]

3. Verify that for each of the connections documented previously, the protocols used to connect have been identified for both inward and outward services (HTTP, FTP, TELNET, etc.). [COBIT: DS9]

4. Review the DMZ architecture in place and determine if it appears appropriate given the trust classifications and protocols associated with the connections to the network services. [COBIT: DS5.20]

5. Verify that the organization's internal network is on its own network segment and that services (e-mail, web, FTP, etc.) accessed from outside connections are classified into appropriate trust zones and partitioned or segmented appropriately. [COBIT: DS5.16, DS9]
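The classification and segmentation checks in steps C.2 through C.5 can be applied mechanically to a connection inventory. The Python below is an added example written for this page, not part of the ISACA audit program: it assumes an inventory export with the fields shown (name, trust level, inward and outward protocols, terminating segment), uses a constructed sample inventory, and assumes a short list of protocols that carry credentials in the clear.

```python
from collections import defaultdict
from dataclasses import dataclass

# The four trust classifications of step C.2, most to least trusted.
TRUST_LEVELS = ("trusted", "semitrusted", "untrusted", "hostile")
# Protocols that carry credentials or payloads in the clear (assumed list).
CLEARTEXT = {"TELNET", "FTP", "RSH", "RLOGIN", "POP3"}


@dataclass(frozen=True)
class Connection:
    name: str            # external entity or link
    trust: str           # one of TRUST_LEVELS, or "" if never classified
    inbound: frozenset   # protocols the remote side may initiate toward us
    outbound: frozenset  # protocols we initiate toward the remote side
    segment: str         # network segment on which the connection terminates


# Constructed sample inventory (not real data).
INVENTORY = [
    Connection("hq-lan", "trusted", frozenset({"HTTP", "SMB", "LDAP"}), frozenset({"HTTP"}), "internal"),
    Connection("partner-vpn", "semitrusted", frozenset({"HTTPS"}), frozenset({"SFTP"}), "partner-dmz"),
    Connection("public-web", "untrusted", frozenset({"HTTP", "HTTPS"}), frozenset(), "public-dmz"),
    Connection("internet-uplink", "hostile", frozenset({"SMTP"}), frozenset({"HTTP", "HTTPS", "DNS"}), "external"),
    Connection("legacy-vendor", "", frozenset({"TELNET", "FTP"}), frozenset(), "internal"),
]


def review_connections(inventory):
    """Return (connection name, finding) pairs for each rule of steps C.2-C.5 that fails."""
    findings = []
    for c in inventory:
        if c.trust not in TRUST_LEVELS:
            findings.append((c.name, "no trust classification (step C.2)"))
        if not (c.inbound or c.outbound):
            findings.append((c.name, "inward/outward protocols not identified (step C.3)"))
        # Step C.5: only trusted connections belong on the internal segment.
        if c.trust != "trusted" and c.segment == "internal":
            findings.append((c.name, "non-trusted connection terminates on the internal segment (step C.5)"))
        clear = (c.inbound | c.outbound) & CLEARTEXT
        if c.trust != "trusted" and clear:
            findings.append((c.name, "cleartext protocols on a non-trusted link: " + ", ".join(sorted(clear))))
    return findings


def mixed_trust_segments(inventory):
    """Segments that terminate connections of more than one trust level.

    Such a segment either needs splitting or a router/firewall between the
    trust levels (steps C.4-C.5 and implementation step A.1)."""
    levels = defaultdict(set)
    for c in inventory:
        levels[c.segment].add(c.trust or "unclassified")
    return {seg: sorted(found) for seg, found in levels.items() if len(found) > 1}
```

Run against the sample inventory, every finding lands on the unclassified vendor link: it was never given a trust level, it reaches the internal segment, and it uses TELNET and FTP; the segment summary then shows the internal segment mixing a trusted and an unclassified connection, which is the condition step C.5 is meant to rule out.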

D. Hardened systems

1. Harden the core operating system. Because operating systems normally are not secure out of the box, it is necessary to make specific modifications. Determine if the following well-known procedures have been implemented:
   - Check for elimination of all services not specifically required on each server
   - Ensure installation of all current patches to the operating system and applications
   - Refrain, whenever possible, from using unencrypted protocols
   - Scan for viruses on external mail servers prior to allowing e-mail files into an organization's network
   - Rename administrator accounts to names that do not identify the accounts as administrators
   - Change all default passwords
   - Disable all guest accounts
   - Do not allow anonymous FTP
   - Tightly restrict access to system logs
   - Increase the size of log files to ensure at least seven days' worth of information
   - Review and restrict default file, directory and other permissions to information resources
   - Display warning messages when users gain access to restricted areas
   [COBIT: DS9, DS12, DS5]
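As an added example (not from the audit program), the hardening checklist in step D.1 expressed as checks over a point-in-time snapshot of one server, so that the same test can be repeated across every host in scope. The snapshot structure, the sample values, and the lists of cleartext services and default administrator names are this example's own assumptions; the virus-scanning item concerns mail gateways rather than a single host and is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    is_admin: bool
    disabled: bool
    default_password: bool   # still carries the vendor-supplied password


@dataclass(frozen=True)
class HostSnapshot:
    """Point-in-time facts an auditor collects from one server (structure assumed here)."""
    role_services: frozenset   # services the server's role requires
    listening: frozenset       # services actually listening on the network
    installed: dict            # package -> installed version
    available: dict            # package -> latest vendor patch version
    accounts: tuple
    anonymous_ftp: bool
    log_mode: int              # permission bits on the system log directory
    log_retention_days: int    # how much history the log files can hold
    world_writable: tuple      # paths whose default permissions were left open
    warning_banner: bool       # banner shown on access to restricted areas


CLEARTEXT_SERVICES = {"telnet", "ftp", "rlogin", "rsh", "http"}   # assumed list
DEFAULT_ADMIN_NAMES = {"administrator", "admin", "root"}


def audit_host(h):
    """Apply the step D.1 checklist; returns (item, evidence) pairs for each failed item."""
    findings = []
    extra = sorted(h.listening - h.role_services)
    if extra:
        findings.append(("unneeded services", extra))
    # A package is stale when its installed version differs from the latest patch;
    # packages with no known patch are treated as current.
    stale = sorted(p for p, v in h.installed.items() if h.available.get(p, v) != v)
    if stale:
        findings.append(("missing patches", stale))
    clear = sorted(h.listening & CLEARTEXT_SERVICES)
    if clear:
        findings.append(("unencrypted protocols in use", clear))
    named = [a.name for a in h.accounts if a.is_admin and a.name.lower() in DEFAULT_ADMIN_NAMES]
    if named:
        findings.append(("administrator accounts identifiable by name", named))
    defaults = [a.name for a in h.accounts if a.default_password and not a.disabled]
    if defaults:
        findings.append(("default passwords unchanged", defaults))
    guests = [a.name for a in h.accounts if a.name.lower() == "guest" and not a.disabled]
    if guests:
        findings.append(("guest account enabled", guests))
    if h.anonymous_ftp:
        findings.append(("anonymous FTP allowed", []))
    if h.log_mode & 0o077:            # any group/other permission bit set
        findings.append(("system logs not restricted", [oct(h.log_mode)]))
    if h.log_retention_days < 7:
        findings.append(("log history below seven days", [h.log_retention_days]))
    if h.world_writable:
        findings.append(("default permissions too open", list(h.world_writable)))
    if not h.warning_banner:
        findings.append(("no warning banner", []))
    return findings


# Constructed snapshot of a web server that has not been hardened.
SAMPLE = HostSnapshot(
    role_services=frozenset({"ssh", "https"}),
    listening=frozenset({"ssh", "https", "telnet", "ftp"}),
    installed={"openssh": "3.4p1", "bind": "9.2.0"},
    available={"openssh": "3.4p1", "bind": "9.2.1"},
    accounts=(Account("administrator", True, False, False),
              Account("guest", False, False, True),
              Account("webadm", True, False, False)),
    anonymous_ftp=True, log_mode=0o644, log_retention_days=3,
    world_writable=("/var/www/upload",), warning_banner=False)

# The same server after the checklist has been applied.
HARDENED = HostSnapshot(
    role_services=SAMPLE.role_services, listening=frozenset({"ssh", "https"}),
    installed=dict(SAMPLE.available), available=SAMPLE.available,
    accounts=(Account("ops-root", True, False, False), Account("guest", False, True, True)),
    anonymous_ftp=False, log_mode=0o600, log_retention_days=14,
    world_writable=(), warning_banner=True)
```

The unhardened snapshot fails eleven of the checks; the hardened one passes all of them. Note the disabled guest account still carries its default password, which is acceptable only because it is disabled, and the renamed administrator account no longer advertises its role.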

2. Review the access role and category schemes to determine if the access privileges granted to users are restrictive enough to limit risks from malicious users. The concept of least privilege states that each subject should be granted the most restrictive set of privileges needed for the performance of authorized tasks. [COBIT: DS5.4, DS5, DS9]

3. Review the overall perimeter security strategy and verify that no one individual is allowed access to all the components of an organization's network security structure. See separation of duties. [COBIT: PO4.10, DS5]

Perimeter Security Audit Program: Risks and Strategy Implementation


Introduction

The purpose of establishing perimeter security for networks is to enable organizations to manage the risks associated with connecting proprietary enterprise networks to one or more external entities via private or public networks. With the deliberate and complex integration of networks among organizations, simple barriers are no longer appropriate or adequate solutions to network security. Network perimeter security is an organization's first and most important layer of defense. A key concept of security is depth: multiple layers of defense that have to be circumvented to gain access to internal information assets and resources.

This audit program is to be used in conjunction with the previous audit program for risks and strategy planning. Note: no "off the shelf" audit program should be used without defining your own organizational constraints, policies and practices.

This program has been developed and reviewed with regard to COBIT 3rd Edition.


Audit Objectives

COBIT DS5 High-level Control Objective

Control over the IT process of ensuring systems security that satisfies the business requirement to safeguard information against unauthorized use, disclosure, modification, damage or loss is enabled by logical access controls, which ensure that access to systems, data and programs is restricted to authorized users, and takes into consideration:

- Confidentiality and privacy requirements
- Authorization, authentication and access control
- User identification and authorization profiles
- Need-to-have and need-to-know
- Cryptographic key management
- Incident handling, reporting and follow-up
- Virus prevention and detection
- Firewalls
- Centralized security administration
- User training
- Tools for monitoring compliance, intrusion testing and reporting




Audit Objectives and Procedures

Purpose and Scope

The purpose of this audit program is to provide the auditor with a methodology for evaluating the implementation of the perimeter security architecture discussed in this publication. It examines the key components and issues that need to be considered when a perimeter security architecture is installed. The review procedures included in this audit program will help ensure that the appropriate items have been implemented for an effective perimeter security scheme.



Worksheet columns: Audit Step | Completed By / Date | Test Results, Remarks, W/P Ref. | AutoTool | COBIT Reference. (The Completed By, Test Results and AutoTool columns are blank workpaper fields in the original; each step below is followed by its COBIT reference.)

I. Preparatory Steps

1. Obtain and review the current organization chart for the system and network administration areas. [COBIT: PO4.4]

2. Identify the key network administration staff and the key network user stakeholders. [COBIT: PO4.4, PO7]

3. Obtain a copy of the latest network security risk analysis including any information on system, data and service classifications. [COBIT: PO9, DS11, DS1]

4. Obtain and review a copy of the organization's:
   - Security policy
   - Security strategy or strategies
   - Security procedures and standards
   - Network inventory or schematic of physical network components
   - Network problem tracking, resolution and escalation procedures
   - Security violation reports and management review procedures
   - List of vendors and customers with access to the network
   - Copies of contracts with service providers for data transmission
   - Copies of signed user security and awareness documents
   - New employee training materials relating to security
   - Relevant legal and regulatory information related to security and information access
   [COBIT: DS5.1, PO6.8, PO8, AI4, DS4, DS11]

5. Interview the senior security officer and the IT security administrator. [COBIT: PO7]

II. Implementation: Components

A. Routers

1. Review the network schematic, and verify that routers are installed between network segments of differing trust levels. [COBIT: DS5.16, DS9]

2. Verify with the network administrator that all unnecessary services and protocols have been removed from all external routers. [COBIT: DS9.4, DS12]

3. Determine, where possible, that clear-text or reversibly encoded passwords have been removed from router configuration files; any password that must remain in the configuration should be stored only as a non-reversible hash. [COBIT: DS9.4, DS5]

4. Determine if all unnecessary access points to routers have been removed to reduce access to the services by which a router can be managed. Limit the IP addresses from which network administrators can connect to routers, and do not leave modems connected to router auxiliary ports. [COBIT: DS5.3, DS9]


5. Review and determine to what extent external routers are providing coarse filtering capabilities that can be applied to the entire network to reduce granular filtering by firewalls. Determine if external routers are filtering the following incoming traffic to deny:
   - Traffic with a source address that is internal to the network, within the range of invalid or private addresses, or the loopback address 127.0.0.1
   - Traffic to critical hosts, such as firewalls or the firewall management console
   - Traffic with IP options set, such as source routing
   - Traffic destined for the broadcast address of a subnet
   - All incoming and outgoing ICMP traffic (note that dropping every ICMP type also drops the "fragmentation needed" messages that path MTU discovery depends on; many organizations permit a narrow, documented set of ICMP types instead)
   - All outgoing traffic except that with a source address internal to the network
   [COBIT: DS5.20, DS9]

6. Confirm that external routers are not being used as granular filters and that stateful or dynamic filtering is being implemented by the firewall in accordance with the firewall policy. [COBIT: DS5.20, DS9, PO6]

B. Switches

1. Review the placement and use of switches in the network schematic. Where there are switches that have the capability to be managed and/or monitored remotely, ensure that the network administrator has taken steps to limit access to these devices and protect passwords. [COBIT: DS5.3, DS9]

C. Firewalls

1. Determine through discussions with application, system and network administrators if there is a complete, documented understanding of what must be permitted into and out of the organization's network. [COBIT: DS5.20, AI4]

2. Discuss with the network administrator the reasoning behind the architecture and type of firewall installed, and determine if the choice was made based on an objective evaluation of the needs and requirements of the organization. [COBIT: DS5.20, DS9]

D. Firewall configuration

1. Review the firewall ruleset to determine if the default-deny principle, by which all traffic is denied except that which is explicitly required, has been appropriately implemented in the firewall rules. [COBIT: DS5.20, DS9]

2. Examine the default implicit ruleset that usually is shipped with a firewall to ensure it is not circumventing the explicit firewall rules. An implicit rule that is evaluated before the explicit rules, or that permits traffic the explicit rules never required, defeats the default-deny principle. [COBIT: DS5.20, DS9]

3. Review the termination of VPNs. VPNs that connect any networks other than trusted ones should not be permitted through a firewall without some form of filtering at the VPN's termination, because encrypted VPN traffic precludes any inspection by a firewall. [COBIT: DS5.20, DS9, DS12]
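Steps A.5 and A.6 give the external router the coarse ingress/egress checks and leave granular, stateful decisions to the firewall; steps D.1 and D.2 then ask whether the firewall ruleset really ends in a deny-all and whether vendor-shipped implicit rules undermine it. The Python below is an added example serving both passages, written for this page and not taken from the ISACA program or from any router or firewall product: it models both filters over an assumed address plan (RFC 5737 documentation ranges), a Packet/Rule structure of its own, and two illustrative vendor implicit rules. Real products differ in evaluation order and in how they track connection state; the router here also drops all ICMP exactly as the A.5 list requires, with the path MTU caveat noted there.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address plan (RFC 5737 documentation ranges, not real networks).
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
DMZ = ipaddress.ip_network("198.51.100.0/24")
CRITICAL_HOSTS = {"198.51.100.1", "192.0.2.2"}   # the firewall and its management console
# Private, loopback and otherwise invalid source ranges (step A.5, first bullet).
INVALID_SOURCES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                    "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: int = 0
    direction: str = "in"           # "in" = arriving from outside, "out" = leaving
    ip_options: frozenset = frozenset()


def router_coarse_filter(pkt):
    """The coarse ingress/egress checks of step A.5. Returns (verdict, reason)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.direction == "in":
        if src in INTERNAL or src in DMZ:
            return "deny", "spoofed internal source"
        if any(src in n for n in INVALID_SOURCES):
            return "deny", "private, invalid or loopback source"
        if pkt.dst in CRITICAL_HOSTS:
            return "deny", "traffic to critical host"
        if dst in (INTERNAL.broadcast_address, DMZ.broadcast_address):
            return "deny", "subnet broadcast destination"
    elif not (src in INTERNAL or src in DMZ):
        return "deny", "outbound traffic with non-internal source"
    if pkt.ip_options:
        return "deny", "IP options set: " + ", ".join(sorted(pkt.ip_options))
    if pkt.proto == "icmp":
        return "deny", "ICMP blocked at the router"
    return "pass", "handed to the firewall"


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    proto: str                 # protocol name or "any"
    src: str                   # network in CIDR form or "any"
    dst: str
    dport: Optional[int]       # None = any port
    origin: str = "explicit"   # "explicit" (from the policy) or "implicit" (shipped by the vendor)


def _in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def rule_matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto) and _in_net(pkt.src, rule.src)
            and _in_net(pkt.dst, rule.dst) and rule.dport in (None, pkt.dport))


def firewall_decision(ruleset, pkt):
    """First-match evaluation; traffic matching no rule is denied (step D.1)."""
    for rule in ruleset:
        if rule_matches(rule, pkt):
            return rule.action, rule
    return "deny", None


def _covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    def net_ok(o, i):
        return o == "any" or (i != "any" and ipaddress.ip_network(i).subnet_of(ipaddress.ip_network(o)))
    return (outer.proto in ("any", inner.proto) and net_ok(outer.src, inner.src)
            and net_ok(outer.dst, inner.dst) and outer.dport in (None, inner.dport))


def audit_ruleset(ruleset):
    """Step D.2: report a missing final deny-all and any vendor implicit allow
    that permits traffic no explicit rule requires."""
    findings = []
    last = ruleset[-1] if ruleset else None
    if not (last and last.action == "deny"
            and (last.proto, last.src, last.dst, last.dport) == ("any", "any", "any", None)):
        findings.append("ruleset does not end with an explicit deny-all rule")
    explicit_allows = [r for r in ruleset if r.origin == "explicit" and r.action == "allow"]
    for r in ruleset:
        if r.origin == "implicit" and r.action == "allow" and not any(_covers(e, r) for e in explicit_allows):
            findings.append("implicit rule permits traffic not explicitly required: %s %s -> %s:%s"
                            % (r.proto, r.src, r.dst, r.dport))
    return findings


# Constructed ruleset: what the documented policy requires, plus two rules of the
# kind a vendor ships enabled by default (assumed for illustration).
RULESET = [
    Rule("allow", "tcp", "any", "198.51.100.10/32", 80),
    Rule("allow", "tcp", "any", "198.51.100.10/32", 443),
    Rule("allow", "tcp", "any", "198.51.100.25/32", 25),
    Rule("allow", "udp", "192.0.2.0/24", "any", 53),
    Rule("allow", "tcp", "any", "198.51.100.1/32", 8443, origin="implicit"),  # vendor web console
    Rule("allow", "udp", "any", "any", 161, origin="implicit"),               # vendor SNMP agent
    Rule("deny", "any", "any", "any", None),
]


def perimeter_decision(pkt, ruleset=RULESET):
    """Router first, then firewall; returns (where decided, verdict, reason)."""
    verdict, reason = router_coarse_filter(pkt)
    if verdict == "deny":
        return "router", verdict, reason
    verdict, rule = firewall_decision(ruleset, pkt)
    return "firewall", verdict, (rule.origin + " rule") if rule else "default deny"
```

audit_ruleset flags the two implicit allows because no explicit allow covers them, and firewall_decision shows why that matters: a request to the firewall's own console port is allowed by the implicit rule although the policy never required it. In this layout only the router's critical-host filter stops that request at the perimeter, which is the kind of dependency the auditor should make visible rather than rely on.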

E. Remote access: Virtual private networks (VPN)

1. Because the most common way for a client to connect to an organization's network is via a VPN utilizing a local ISP via the Internet, review clients connected in this way to ensure that their operating systems have been effectively hardened by removing unnecessary services that could be exploited. [COBIT: DS9.2, DS9.4, DS9.7]

2. Evaluate whether encryption is being utilized to minimize the exposure to unauthorized access of confidential files stored on clients connected to an organization's network via a VPN. [COBIT: DS11.17, DS5]

F. Remote access: Dial-up

1. Review and determine if servers connected to dial-up remote access capabilities are implementing strong authentication controls. These controls should include requirements for minimum-length passwords of mixed characters that are changed frequently. [COBIT: DS5.2, DS5.3, DS9]

2. Review and confirm that end users are restricted from connecting modems to their desktop machines unless specifically authorized to do so. [COBIT: DS5.3]

3. Review and determine whether the following dial-up countermeasures have been implemented to reduce the risk of unauthorized access to network resources:
   - Granting access only to specific users
   - Using dial-up server features to restrict users to specific devices and applications
   - Utilizing call-back modems
   - Restricting remote access times when possible
   - Using separate dial-up usernames and passwords from those used for accessing the network
   - Regularly monitoring all remote access traffic
   - Utilizing tokens, smart cards, and biometric or digital certificates, when practical, to strengthen authentication
   - Using authentication methods that do not send the password in the clear, such as challenge handshake authentication protocol (CHAP) or Shiva password authentication protocol (SPAP), rather than password authentication protocol (PAP), which transmits the password unencrypted
   [COBIT: DS5.3, DS9]

G. Wireless networking

1. Verify that wired equivalent privacy (WEP) features are enabled and that the maximum allowable key size is being used. (WEP has since been shown to be cryptographically weak regardless of key size; where the equipment offers a stronger link-layer protection mechanism, verify that it is used instead, and in either case rely on the IPSEC requirement in step 4 rather than on WEP for confidentiality.) [COBIT: DS11.17, DS12]

2. Confirm that factory defaults for the administrator user ID, password, WEP key and SSID have been changed. [COBIT: DS5.9]

3. Confirm that the wireless network has not been placed on the internal or trusted side of the organization's perimeter firewall. [COBIT: DS5.20]

4. Confirm that perimeter firewalls only allow traffic from a wireless network that uses Internet protocol security (IPSEC). [COBIT: DS5.20]

5. Determine if separate keys have been assigned to each wireless device and are changed frequently. [COBIT: DS9]

H. Intrusion detection

1. Review and confirm that host-based and network-based intrusion detection schemes are in place. [COBIT: DS5.7]

2. Ensure that network-based intrusion detection schemes address the following conceptual elements:
   - Event module: the sensor
   - Analysis module: the traffic analyzer
   - Response module: generates the configured response to a detected attack
   - Database module: records traffic history
   [COBIT: DS5.7, DS9]

3. Obtain and review the documented incident response procedures to determine if a knowledgeable individual will be able to understand and implement the appropriate response. [COBIT: DS5.11, AI4]
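The four conceptual modules of step H.2, and the configured response that step H.3 asks to see documented, are easiest to audit when each is a separable component. The Python below is an added example written for this page, not code from the ISACA program or from any IDS product: it wires a sensor, an analyzer, a responder and an event store together over constructed sensor lines (format assumed), with one signature check and one sliding-window port-scan heuristic standing in for a real rule base.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sensor output, one event per line:
# "<epoch seconds> <src> <dst> <dport> <proto> <payload snippet>" (format assumed).
RAW_EVENTS = """\
1035000001 203.0.113.9 198.51.100.10 80 tcp GET /index.html
1035000002 203.0.113.9 198.51.100.10 443 tcp -
1035000003 203.0.113.42 198.51.100.10 21 tcp -
1035000003 203.0.113.42 198.51.100.10 22 tcp -
1035000004 203.0.113.42 198.51.100.10 23 tcp -
1035000004 203.0.113.42 198.51.100.10 25 tcp -
1035000005 203.0.113.42 198.51.100.10 80 tcp -
1035000006 203.0.113.42 198.51.100.10 110 tcp -
1035000030 203.0.113.77 198.51.100.10 80 tcp GET /cgi-bin/../../etc/passwd
1035000900 203.0.113.42 198.51.100.10 8080 tcp -
"""


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str
    payload: str


def sensor(raw):
    """Event module: turn raw sensor output into Event records."""
    for line in raw.splitlines():
        if line.strip():
            ts, src, dst, dport, proto, payload = line.split(" ", 5)
            yield Event(int(ts), src, dst, int(dport), proto, payload)


SIGNATURES = {"path traversal": "../", "passwd file request": "/etc/passwd"}
SCAN_PORTS, SCAN_WINDOW = 5, 60   # 5 distinct ports from one source within 60 s


class Analyzer:
    """Analysis module: signature matching plus a sliding-window port-scan heuristic."""
    def __init__(self):
        self.recent = defaultdict(deque)   # src -> (ts, dport) pairs inside the window

    def analyze(self, ev):
        alerts = [(name, ev) for name, needle in SIGNATURES.items() if needle in ev.payload]
        window = self.recent[ev.src]
        window.append((ev.ts, ev.dport))
        while ev.ts - window[0][0] > SCAN_WINDOW:
            window.popleft()
        # Distinct ports grow by at most one per event, so this fires exactly when
        # the threshold is crossed rather than on every later probe.
        if len({port for _, port in window}) == SCAN_PORTS:
            alerts.append(("port scan", ev))
        return alerts


# Response configured per alert type (step H.3: a documented, repeatable response).
RESPONSE_POLICY = {"port scan": ("alert", "block"),
                   "passwd file request": ("alert", "block"),
                   "path traversal": ("alert",)}


class Responder:
    """Response module: apply the configured actions for an alert."""
    def __init__(self):
        self.blocked = set()
        self.notifications = []

    def respond(self, name, ev):
        actions = RESPONSE_POLICY.get(name, ("alert",))
        if "alert" in actions:
            self.notifications.append("%d %s from %s" % (ev.ts, name, ev.src))
        if "block" in actions:
            self.blocked.add(ev.src)
        return actions


class EventStore:
    """Database module: traffic history and alerts kept for later investigation."""
    def __init__(self):
        self.events = []
        self.alerts = []

    def record(self, ev):
        self.events.append(ev)

    def record_alert(self, name, ev, actions):
        self.alerts.append((name, ev, actions))

    def history(self, src):
        return [e for e in self.events if e.src == src]


def run_nids(raw):
    """Wire the four modules together; returns (store, responder)."""
    store, analyzer, responder = EventStore(), Analyzer(), Responder()
    for ev in sensor(raw):
        store.record(ev)                   # history is kept even for blocked sources
        if ev.src in responder.blocked:
            continue
        for name, hit in analyzer.analyze(ev):
            store.record_alert(name, hit, responder.respond(name, hit))
    return store, responder
```

On the sample lines the scanner is flagged on its fifth distinct port and blocked, its later probes are still written to history (so the database module can answer "what else did this source do?"), and the traversal request raises two alerts with two different configured responses. Which event types alert and which also block is exactly the documentation step H.3 asks for, held here in RESPONSE_POLICY.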

I. Network security assessments

1. Determine that a systematic approach has been developed and documented for conducting penetration tests. [COBIT: M1]

2. Confirm that specific requirements have been developed and documented for the penetration tests that are conducted. [COBIT: M1, M2]

3. Confirm that test metrics have been developed so that the results of penetration tests can be quantified and measured. [COBIT: DS3, M2]

4. Ensure that the results of penetration tests are communicated adequately to the technical staff and management. [COBIT: M1, PO6]




Internal Control Questionnaire

Page ____ of ____

Perimeter Security/Planning

Completed By: ____________    Date: ____/____/____

Columns: Question No. | Question Description | Response (Yes / No / N/A) | COBIT Reference. (Question numbers and responses are blank in the original; each question below is followed by its COBIT reference.)

Planning: Design Concepts

- Does the organization have a security policy? [COBIT: PO6.8]
- Does the security policy conform to relevant standards such as ISO/IEC 17799? [COBIT: PO3.5, DS7.3, PO8]
- Does the security policy provide for multiple layers of defense against unauthorized access to information resources? [COBIT: DS5.2]
- Has a comprehensive risk assessment been conducted to identify all potential network vulnerabilities? [COBIT: PO9]
- Is there a documented security strategy that supports the business needs of the organization and complies with the security policy? [COBIT: DS5.1, PO6]
- Does the security strategy, or strategies, specify the types of controls that should be implemented? [COBIT: PO6]
- Are there documented security procedures and standards in sufficient detail to implement the security strategies? [COBIT: PO2.4, AI4]
- Have all connections to the organization's network been identified and classified as to their trust level? [COBIT: DS5.16, DS9]
- Have all the necessary protocols used to connect to the organization's network (both in and out) been identified? [COBIT: DS9, DS11.27]
- Have services and connections been segregated in DMZs based on the defined trust categories? Is the BIA current? [COBIT: DS5.20, DS9]
- Have all unnecessary services on server operating systems been removed? [COBIT: DS9.7]
- Have all current patches to operating system and application software been installed? [COBIT: AI3.5]
- Has the use of unencrypted protocols been minimized? [COBIT: DS5.2]
- Are virus scans being performed on external servers prior to allowing files into the organization's network? [COBIT: DS5.19]
- Have administrator accounts been renamed from their defaults to make it difficult to identify them? [COBIT: DS5.4]
- Have all default passwords been changed? [COBIT: DS5.2]
- Have all guest accounts been disabled? [COBIT: DS9.4, DS5]
- Have anonymous FTP services been removed or disabled? [COBIT: DS9.4]
- Has remote access to system logs been tightly restricted? [COBIT: DS5.6]
- Have file, directory and other permissions been reviewed carefully and adjusted according to the criticality of the information they protect? [COBIT: DS5.2]
- Are warning messages displayed when accessing system resources? [COBIT: DS5.9]
- Has the concept of least privilege been used in establishing access rights and privileges for users? [COBIT: DS5.2]
- Have system administrative accounts been segregated adequately? [COBIT: DS9.4]




Internal Control Questionnaire

Page ____ of ____

Perimeter Security/Implementation

Completed By: ____________    Date: ____/____/____

Columns: Question No. | Question Description | Response (Yes / No / N/A) | COBIT Reference. (Question numbers and responses are blank in the original; each question below is followed by its COBIT reference.)

Implementation: Components

Routers

- Is the primary responsibility of external routers that of routing traffic and not enforcing traffic filtering? [COBIT: DS5.20, DS9]
- Are routers interposed between networks of differing trust levels to provide connectivity? [COBIT: DS5.20, DS9]
- Have common router services which are unnecessary been removed? [COBIT: DS9.4]
- Have clear-text or reversibly encoded passwords been removed from the router configuration files? [COBIT: DS5.21]
- Have management connections to routers been limited to specific IP addresses? [COBIT: DS5.16, DS9]
- Have external routers been configured to enforce filters that can be applied to the entire network, thus denying types of traffic that do not require granular rules? [COBIT: DS9, DS5]

Switches

- If the switches being used have the ability to be managed and/or monitored remotely:
  - Have steps been taken to protect access passwords?
  - Have limits been placed on where the switches can be accessed from on the network?
  - Have unnecessary services been removed?
  [COBIT: DS5.3, DS9]

Firewalls

- Is there documentation on what must be permitted into and out of the network for all services and applications? [COBIT: DS5.20]
- Is the gateway architecture documented? [COBIT: DS5.20, PO2]
- Has the type of firewall installed been documented (static packet filters, stateful or dynamic packet filters, or application proxies)? [COBIT: DS5.20, DS9]
- Does the firewall ruleset deny all traffic except that which is explicitly required (default-deny principle)? [COBIT: DS5.20, DS9]
- Has an explicit denial rule been defined in the firewall's ruleset? [COBIT: DS5.20]

Remote access: Virtual private network (VPN)

- Is a VPN being used whenever remote users access the internal network? [COBIT: DS5.3]
- Is the VPN topology documented? [COBIT: DS5.20]
- Have the operating systems of clients connected to the organization's network via a VPN had unnecessary services removed from their configurations? [COBIT: DS9.4]
- Is encryption being used to protect confidential files that reside on clients that are connected through a VPN? [COBIT: DS5.18]

Remote access: Dial-up

- Have all modems connected to the organization's internal network been documented, reviewed and approved? [COBIT: DS5.3, DS9]
- Where remote PC control software is in use, are strong authentication controls in place? [COBIT: DS5.3]
- Are strong authentication controls in place for all dial-in connections from outside the organization's network (separate user ID and password, call back, encrypted authentication, etc.)? [COBIT: DS5.2]

Wireless

- Have the wired equivalent privacy (WEP) services of the IEEE 802.11 wireless standard been enabled for authentication? [COBIT: DS11.28, DS5.1, PO8]
- Have factory or vendor defaults for administrator user ID, password, WEP key and service set identifier been changed? [COBIT: DS5.1, DS9]
- Is the wireless network on the outside of the organization's internal network and treated as an untrusted network? [COBIT: DS5.1]
- Have all available security solutions been documented, considered and installed, if appropriate, to secure access between mobile devices and the internal network? [COBIT: DS5.2, DS5.1]

Intrusion detection

- Has an intrusion detection system (IDS) been implemented to identify and isolate intrusions? [COBIT: DS5.7]
- If using a host-based IDS, are all critical hosts being monitored? [COBIT: DS5.7]
- Are the rules for the IDS documented as to what events will activate an alert and what the response to the alert will be? [COBIT: DS5.7]

Network Security Assessments

- Is penetration testing considered a basic integral function of information security? [COBIT: DS5.7]
- Does the organization conduct penetration testing on a regularly scheduled basis? [COBIT: DS11.29, M1.1]
- Have fallback procedures and contingency plans been developed and documented to minimize any disruption a test might cause on the operating environment? [COBIT: DS4]
- Have the goals and objectives of penetration testing been documented and approved? [COBIT: PO10.11, PO6]
- Are the results of tests properly documented and shared with the appropriate people who can respond to the identified weaknesses? [COBIT: M1.2]