Comprehensive IT Audit Checklist

This document contains an IT audit checklist that lists controls across various IT security categories including application access controls, network access controls, physical security controls, anti-malware controls, vulnerability management controls, software development controls, and more. The checklist contains over 50 specific controls that can be checked off to audit an organization's IT security posture and compliance.

IT AUDIT CHECKLIST

Application Access Controls

☐ User accounts provisioned
☐ Access levels modifiable, user privileges limited to job function
☐ Periodical access reviews scheduled
☐ Password complexity requirement
☐ Admin activity monitored

Network Access Controls

☐ Firewall for remote access
☐ IDS for remote access
☐ IPS for remote access
☐ VPN for remote access
☐ MFA for remote access

Database Access Controls

☐ Database admin accounts controlled
☐ Admin activity monitored
☐ Application access to database restricted

Physical Security Controls

☐ Physical perimeter protections
☐ Locks
☐ Badge access
☐ Battery backup
☐ Generators
☐ HVAC

Operating System Access Controls

☐ System installation checklists or images used
☐ Security and event logs enabled
☐ Unnecessary services turned off

Anti-Malware Controls

☐ Anti-virus software
☐ Gateway filtering
☐ Browser protections

Virtual Access Controls

☐ Access to hypervisors restricted
☐ Access levels modifiable
☐ Periodical access reviews
☐ Password complexity requirement
☐ Secure configuration guide applied to hypervisors and SANs
☐ Access to services running on host restricted

Vulnerability Management Controls

☐ Scanning and remediation for vulnerabilities
☐ Patch management program
Software Development Controls

☐ Software development lifecycle established
☐ Secure coding and web app firewall/security testing
☐ Security logs collected and reviewed

User Awareness Controls

☐ Users trained on security
☐ Background checks for new employees
☐ Duties separated and documented

Change Management Controls

☐ Process for change management instated
☐ Inventory of IT assets

Data Protection Controls

☐ Encryption in transit and at rest
☐ Data classification
☐ USB restrictions in place
☐ Removal of data from storage media

Disaster Recovery Controls

☐ Backups for systems and data
☐ Disaster recovery plan established and regularly tested
☐ Business impact analysis plan established and regularly tested

Asset Management Controls

☐ Hardware and software inventoried
☐ Installation of unauthorized software, utility and audit tools prohibited
☐ System capacity and performance monitored

Vendor Management Controls

☐ Security clauses included in contracts
☐ SLAs are monitored
☐ Vendor incident notifications sent to subservice organizations regularly

Security Program Controls

☐ Risk assessments regularly performed
☐ Risks mitigated to acceptable levels
☐ Information security policies approved and in place
☐ Periodical independent audits performed

Incident Management Controls

☐ Incident response plan instated and regularly tested
☐ Customers notified following vendor incidents