Page 2 of 296
Auditing Your Information Systems and IT
Infrastructure
By
Nwabueze Ohia
Discover Other Titles by Nwabueze Ohia
1. Auditing your Payment Cards Processes, Systems and Applications: A Step by Step PCIDSS Compliant Audit Program
2. Auditing Your Windows Infrastructure, Intranet and Internet Security: A Practical Audit Program for IT Assurance Professionals
Editor: Nwabueze Ohia
Designer: Nwabueze Ohia
This book is licensed for your personal enjoyment only. This book may not be re-sold or given away to other people. If you would like to share this book with another person, please purchase an additional copy for each recipient. If you’re reading this book and did not purchase it, or it was not purchased for your use only, then please return to your favourite book retailer and purchase your own copy. Thank you for respecting the hard work of this author.
Permissions may be sought directly from the author on Phone number: +234(0)803 757
4700; email: info@oxleyconsults.com.ng. Alternatively, you may submit your request online
by visiting the Oxley Technologies Inc. website at http://oxleyconsults.com.ng/contact-us/,
and we will get back to you.
Notices
Knowledge and best practices in the field of information and technology security are constantly evolving. As new risks and vulnerabilities emerge, changes in research methods and broader experience are required to contain the threats to system and human security. It is therefore expedient for professional practices to rise to the challenges and threats posed by information security risks and vulnerabilities.
Practitioners and researchers in this industry must always rely on strong personal judgment and experience in evaluating and applying the information and methods acquired from this book, while also exercising professional due care and caution to ensure their safety and that of others, as well as of parties to whom they owe professional responsibility.
To the fullest extent of the law, neither the Publisher nor the author(s), contributors or editors assume any responsibility for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, procedures, products, instructions or ideas contained in the material herein.
Booking
For trainings and capacity building sessions, conferences/seminars and public speaking opportunities, as well as consulting engagements on subjects/topics/areas covered in this book or other books by the author, you can contact Nwabueze Ohia directly on phone number +234-8037574700 or email address nwabueze.ohia@oxleyconsults.com.ng for further discussions.
Your feedback is invaluable to us
If you recently bought this book, we would love to hear from you! You can write a review on Amazon (or the online store where you purchased this book) about your last order. If you bought this book from our website at http://oxleyconsults.com.ng/, we would appreciate it if you left a review on our website. We would love to hear real client experiences and feedback as part of our continual service improvement process.
CONTENTS AT A GLANCE
TABLE OF CONTENTS
About the Author
Preface by Nwabueze Ohia
Chapter 11 Audit of Core Banking Applications (Finacle, Flexcube and Phoenix) -173
Audit Program for Core Banking Applications ----------------------------------174
Audit Checklist for Core Banking Applications ----------------------------------175
Policies and Standard Operating Procedure --------------------------175
Segregation of Duties and Maker/Checker Controls ---------------175
Application Controls ------------------------------------------------------------176
Change Management --------------------------------------------------------181
Business Continuity and Disaster Recovery -----------------------------183
Data Backup and Redundancy --------------------------------------------184
Security Administration ---------------------------------------------------------186
User Access Management ----------------------------------------------------189
System Monitoring and Audit Trail ------------------------------------------190
Chapter 12 Audit of Payment Cards (Debit, Credit & Prepaid) Processes, Systems and Applications – PCI DSS Compliance -------------------------------------------------192
Audit Program for Payment Card Environment ---------------------------------193
Audit Checklist for Payment Card Environment ---------------------------------195
Organization and administration --------------------------------------------195
Application Controls -------------------------------------------------------------196
Database Controls ---------------------------------------------------------------199
Redundancy and data backup --------------------------------------------200
Change Management ---------------------------------------------------------201
Vendor Management -----------------------------------------------------------202
Credit Card Portfolio Management ----------------------------------------203
Encryption Key Management ------------------------------------------------204
Network Controls ------------------------------------------------------------------209
Vulnerability Assessment --------------------------------------------------------212
Operating System Controls ----------------------------------------------------213
Cards Operations, Personalization and Issuance (Debit and Credit) --------------------------------------------------------------------------215
About the Author
A Certified Information Systems Auditor (CISA) and Certified Lead Auditor for ISO 27001 (Information Security Management System), ISO 22301 (Business Continuity Management System), ISO 20000 (IT Service Management System) and ISO 27032 (Lead Cyber Security Manager), Nwabueze Ohia is a seasoned information risk assurance and cybersecurity expert with over 13 years’ industry experience in IT consulting, IT audit, internal control/audit and information risk assurance. With the bulk of his experience in the banking and financial institution space, Nwabueze has performed roles such as IS/IT Auditor, Information Security Analyst, IT Forensics/Fraud Investigator, IT Risk Analyst and System Control Analyst, among others, in the course of his professional life. His core strengths/competences are in information systems & technical infrastructure auditing, IT risk assessment, cyber threat intelligence & analysis, security architecture & engineering (networks and operating systems), electronic fraud & forensic investigation, software engineering & web application development, data analytics and revenue assurance, among others.
Given his strong auditing and information risk assurance background, he has developed a series of audit work programs, checklists, risk assessment templates and information security programs, which professionals have recognized as valuable resources for information risk and security assurance. This is due to their conformance to standards/frameworks issued by professional bodies such as the Institute of Internal Auditors (IIA), Information Systems & Control Association (ISACA), International Information System Security Certification Consortium (ISC2), National Institute for Standards & Technology (NIST Risk Management & Cybersecurity Framework) and the Center for Internet Security (CIS). His books, articles, best practice guides and web content are hands-on (do-it-yourself guides) and have assisted practitioners within Nigeria, Sub-Saharan Africa and beyond in addressing information risk and security concerns in the ever-changing and dynamic IT environment. Beyond the financial services sector, practitioners in other sectors such as insurance, telecommunications, web hosting, Internet service providers, SaaS, cloud service providers, distribution & supply chain management, shipping, and oil & gas have leveraged content produced by Nwabueze to excel in their endeavors.
Nwabueze Ohia is a seasoned trainer and public speaker and operates the website (http://oxleyconsults.com.ng) where all his books and materials are published. He has four published books to his credit, which are available on the Amazon Kindle book store as well as other major eBook reading and distribution platforms worldwide. He holds a Higher National Diploma (HND) in Electrical/Electronics Engineering (Telecommunications) from Federal Polytechnic Nekede Owerri, a Bachelor of Technology (B. Tech) degree in Information Management Technology (IMT) and recently completed a Master of Science degree (MSc) in Information Management Technology (IMT) at the Federal University of Technology Owerri, Imo State.
Nwabueze Ohia is passionate about giving back to society and to the knowledge base of his chosen profession, having been greatly enriched by the same. He has demonstrated this passion through several write-ups, articles, best practice guides and professional papers published via his website and other outlets. He finds joy and fulfillment in extending a helping hand to the needy and the downtrodden of our society. His hobbies are traveling round the world, soccer, tennis and web application development/programming. Born in 1983 to Nigerian parents from the Eastern part of the country, he is happily married with two children.
Preface
By Nwabueze Ohia
Assuring the Security of Your Information Systems and IT Infrastructures (IT Audit and
Internal Audit)
This edition has been updated to cover virtually all areas of information systems and IT infrastructure. “Auditing Your Information Systems and IT Infrastructure: Practical Audit Programs/Checklists for Internal Auditors” serves as a reference handbook for IT auditors and other IT assurance professionals on how to use the latest IT auditing techniques and programs to provide assurance on the security of enterprise information systems and IT infrastructure. New chapters on perimeter network security, database security and virtualized infrastructure are included. The book describes leading practices in internal audit and how the internal audit/IT audit function can effectively meet stakeholders’ expectations and add value to the business while maintaining its independence. Details on how to conduct specific audits of IT processes, services, systems or infrastructures are provided with hands-on checklists and audit test procedures. The following areas of information systems, processes and IT infrastructures are covered.
Intended for IT auditors and other assurance professionals who wish to improve their auditing skills, or organizations that are performing a risk and control self-assessment (RCSA) exercise from the ground up.
· Build or improve your auditing and control testing techniques/skills by knowing what to look out for and how to verify the existence and adequacy of controls.
· Acquire hands-on audit programs/checklists to be used for auditing your core IT systems and infrastructure, which can easily be applied in your environment.
· Prepare for and pass management system certification audits such as PCI-DSS, ISO 27001, ISO 22301, ISO 20000 and ISO 9001.
· Audit programs/checklists from this book can easily be integrated into standard audit software such as TeamMate or MKInsight as they share similar templates.
· Expand the scope of your audit testing to cover more areas of concern or risk exposure.
· Strengthen your organization’s internal audit process and control testing, benefiting from an expanded risk/vulnerability register.
· Rejuvenate the risk management effectiveness and information security program of your organization, having an improved perspective of the inherent risks/vulnerabilities of your IT infrastructure as well as a robust and realistic vulnerability/risk register.
· Risk mitigation and treatment plans.
PART 1
AUDIT OVERVIEW
Chapter 1 The Internal Audit Function
Chapter 2 The Audit Process
CHAPTER – 1 The Internal Audit Function
The Internal Audit Function
The fundamental role of the internal audit function is to provide independent assurance on the effectiveness and adequacy of an organization’s internal control system, risk management and governance. This assurance is provided to the key stakeholders of an organization, which are the board audit committee (BAC) and executive management.
The laws of most countries and the regulatory authorities of most industries require an internal audit function to be in place. In practically every business, the internal audit function is required to give feedback to key stakeholders that business objectives will be realized and that the internal control system is working as expected. In highly regulated industries such as financial services (banks, insurance companies, investment and capital firms, credit unions, payment card firms), oil and gas, telecoms, media, consumer goods and other service industries, internal audit is a must and a minimum requirement for the issuance of operating licenses.
Likewise, for businesses that wish to ensure good corporate governance and professionalism as part of their organizational culture, establishing an internal audit function is a requirement that cannot be waived. Therefore, one of the indices for determining a healthy and well-run organization is the entrenchment of an independent internal audit department with clear authority from the highest decision-making arm of the organization (the Board of Directors). This is usually what investors look out for in determining whether to invest in a company, for the safety of their funds and good returns on investment. Experience has also shown that organizations with a good internal control system, risk management culture and internal audit practice enjoy good patronage from customers and investors alike, as nobody will invest their resources in a business with poor corporate governance and weak internal controls. As such, investors always look at the financial statement or report of a company they intend to invest in for the independent opinion of auditors on the affairs of the company.
Effectiveness of the Internal Audit Function
The internal audit function is said to be effective when it provides reasonable assurance to the stakeholders of an organization (Board Audit Committee, Executive Management, Shareholders or Customers) that the internal controls established by management (operational controls, IT controls, market or business controls, risk management, etc.) are working optimally and meet the needs and expectations of stakeholders. In doing so, the audit function must use a methodology that sufficiently tests these controls and provides measurable metrics of their adequacy and effectiveness.
1. The internal audit charter and mission: This is where the internal audit function derives its authority and independence. Has the internal audit function been effectively empowered by the Board Audit Committee (BAC) and Executive Management to perform its duties, and have its independence, objectivity and reporting lines been clearly established and defined?
2. Applicable laws and regulations: Here the laws and regulations guiding the industry or sector/segment where the organization conducts its business activities must be identified and complied with throughout the organization. As such, the organization/business must establish internal policies, procedures and controls to ensure strict compliance with applicable laws and regulations within its operating environment.
3. Audit strategies and plans: The audit function should document/establish strategies and plans on how it intends to carry out its statutory functions and exercise the mandates given to it by the Board Audit Committee. In doing so, it must put forward realistic, effective and risk-based audit strategies and plans on how to provide that reasonable assurance to the BAC and other stakeholders on the effectiveness and adequacy of the internal controls established by management to ensure realization of business/corporate objectives.
In determining the effectiveness of the internal audit function, below are some of the metrics identified to help in measuring how effective or otherwise the internal audit function is, and what forms the opinion of key stakeholders in that direction.
internal control systems and risk management, as the iterative process of internal audit contributes to process improvement.
Metric 4: One of the crucial measures of the effectiveness of the audit function is its ability to plug income leakages, wastage and financial improprieties. As such, management must be seen to be prudent in the deployment of the organization’s resources for its good and to ensure optimization of the resources available to it. In doing so, the internal audit function must ensure that revenue assurance and cost saving/optimization initiatives form part of its control testing or assessment. While introducing and implementing cost saving initiatives during audits, it is important that adequate resources are provided to the audit team for field work activities rather than starving them of the funds needed to do the job in the name of cost containment. This has led to some organizations failing to focus attention on critical risk areas such as governance issues, poor decision making, ineffective risk management and a poor control environment while trying to save cost.
Metric 5: Staying within the audit budget shows efficient management of internal audit resources, which is good, but the audit function should not be afraid to go to the Board Audit Committee or Executive Management to ask for the additional funds it requires to meet the needs of emerging risks that were not anticipated in the planning stages of its activities. As such, resource limitation should not be an excuse for failing to take on and address risk areas that were not initially anticipated in the planning stages of the audit.
Metric 6: The internal audit function, while conducting its activities, should be able to identify loopholes and vulnerabilities in systems, processes and technologies that have the potential to be exploited by internal and external parties to defraud the organization or perform malicious activities that could harm or damage the reputation of the organization.
The Mandate
Internal audit plays a pivotal role within the organization in ensuring its success and the realization of its business objectives by providing executive management and the board audit committee with information and objective assurance on the internal control system, risk management and governance. To ensure the effectiveness of the internal audit function, the mandate of the internal audit department must be clearly defined, agreed by stakeholders and approved by the organization’s Board of Directors.
The Board Audit Committee and Executive Management, who are the key stakeholders in every organization, are to ensure that the internal audit function is empowered and has sufficient authority to effectively discharge its duties. Therefore, the internal audit function must derive its authority from the board audit committee and management of the organization. Where a sufficient mandate has been given to the internal audit function, the resources required to fulfil the mandate flow naturally. This is not the case where the mandate is incomplete, which will always lead to inadequate resourcing of the function.
The authority of the internal audit function is documented in its internal audit charter. The internal audit charter stipulates the role of the internal audit function within the organization, the structure of the department and its reporting line through management to the Board of Directors, who are the highest decision-making arm within the organization. In determining its role, discussions are usually held among members of executive management and the board audit committee to scope what services should be provided and the priorities of the internal audit function. The roles, responsibilities, authorities and reporting lines of the internal audit function are defined primarily to support the board audit committee in discharging its duties. As such, it is best practice to review the board audit committee charter alongside the internal audit charter on an annual basis to ensure synchronization and relevance.
The mission and scope of work for the department should be defined, the accountability of the Chief Audit Executive (CAE) must be determined, and the independence of the internal audit function must be guaranteed by management and the board audit committee. The charter should be clear on whom the CAE reports to and is responsible for, and a statement about the auditors’ open and free access to information across the organization should be included in the charter to aid the department in the effective discharge of its duties. The standard of practice adopted by the internal audit department should be included in the charter to underscore the department’s compliance with best practice and an acceptable framework for internal audit practice. In most cases, the International Standards for the Professional Practice of Internal Auditing, as promulgated by the Institute of Internal Auditors (IIA), are adopted.
Consulting and Pre-Audit Planning Engagements
Consulting and pre-audit engagements with the audit clients by the audit team are vital to the successful delivery of the audit. Once the audit area has been determined, the audit team needs to engage the audit client to properly scope the audit and agree on the requirements. For new audit areas that have not been previously audited, this exercise is important to enable the audit team to understand the business requirements of the client, the risks inherent in the business and operational processes, as well as the business pain points that are militating against the achievement of business objectives and deliverables. This also applies to areas that have been previously audited by the internal audit department.
1. Information Gathering
2. Risk Assessment
3. Business Pain Points Identification
Information Gathering
Information gathering before the audit is essential in gaining a good understanding of the audit client's business processes, objectives and risks. Requests for information during the audit planning phase can come in the form of a pre-audit checklist or questionnaire, although questionnaires are not generally advisable as they are commonly tailored to expected answers without adding value or disclosing vital information to aid audit planning and execution. The pre-audit checklist can be used in gathering preliminary information for proper scoping of the audit, identifying key business risks, determining areas requiring more audit attention and communicating the data requirements of the audit team.
Below is some of the information that could be requested by the audit team in preparation for the audit.
1. Site plan showing buildings, perimeters and layouts.
2. Site guidelines stating any particular trainings and other access requirements.
3. Organization chart (Organograms).
4. Job descriptions for the various job roles available in the site.
5. Applicable laws and regulatory requirements.
6. Standard operating procedures, policies and manuals.
7. Business objectives and plans.
8. Key performance indicators (KPIs).
9. Most recent management review minutes of meetings
10. Training schedule/calendar and tracking sheet.
11. Leave schedule and tracking sheet.
Information gathering may also involve generating certain reports or metrics independently of the audit clients (i.e. without their knowledge), as doing so lends more credibility to the accuracy of the information. For example, the audit team can use CAAT (Computer Assisted Audit Techniques) tools like Audit Command Language (ACL) or IDEA to generate reports such as access control lists, audit trails/logs, transaction reports, defined exception reports, etc. for further analysis. This will give the audit team a heads-up on the nature of the control environment and a general view of compliance.
There could also be need to schedule a meeting with the audit client representatives to
enable the audit team understand the operating environment.
Risk Assessment
Risk assessment is a systematic technique used in evaluating the risks inherent in a process, system or activity with a view to mitigating their impact. In an organization that has an entrenched enterprise risk management framework or process, the responsibilities for risk identification, assessment, treatment, mitigation and monitoring are well defined. As such, it is the duty of the audit team to obtain the risk assessment result of the area to be audited to gain a good understanding of the risks inherent in the process areas, which will aid in channeling audit effort and resources. Results of risk identification and assessment are documented in the risk register of the organization.
Having a prior understanding of the risks inherent in a given audit area, the controls implemented to mitigate them and the residual risk remaining after control implementation helps the internal audit function in conducting a risk-based audit. In documenting the risks, their severity/impact would have been determined by assigning a weighted score (ranking or rating) to them in line with the risk management framework adopted by the organization’s risk function, if applicable. This will help the audit team in performing a risk-based audit by determining the areas to pay more attention to than others due to their risk rating.
Internal audit responsibilities are usually made easier where an effective risk function is in place, as all that is required is to obtain the risk assessment results of the subject area to be audited from the relevant stakeholders and use the same in planning and executing the audit. However, the opposite is the case where there is a non-existent or inadequate risk management function in the organization. The internal audit function may then carry the risk management burden or suffer because of its inadequacies. In that case, the audit function must ensure that it presents its opinion on the effectiveness or otherwise of the risk management function to the board audit committee and executive management, whose responsibility it is to ensure the establishment and entrenchment of a risk management culture within the organization.
Business Pain Point Identification
The essence of audit is providing assurance on the effectiveness of internal control system,
governance and risk management. Audit function is said to be adding value to the
business when management perceives that it is helping it in realizing business objectives
and creating value for stakeholders. There are several issues that could prevent the
business management from realizing business objectives, which are known as the business
pain points. These business pain points may or may not have been identified and properly
scoped. As such, it is the duty of the audit team during the pre-audit engagements to
request from the audit client some of its identified business pain points and challenges that
are preventing it from effectively discharging its duties. These business pain points might be
as a result of weak internal control systems, lack of risk management and governance
related challenges.
Hence, the audit team should determine if most or all the identified pain points could be
addressed through the audit or at best report same to management and board audit
committee for their action and intervention if not already known to them. To add value,
the audit team must have the business pain points and their root causes at the back of
their minds while conducting the audit to see how it can use the audit to improve or
address them. This process will be effective where the pain points have been obtained
and known to the audit team prior to kick starting the audit exercise.
Resource Budgeting
It has been argued that internal audit is a cost center based on accounting principles, given that it does not generate income in the course of its activity, but many have contested this position, which is understandable. However, it is undisputed that internal audit adds value and saves the organization a lot of headaches and hassles that sometimes cannot be tangibly quantified. To effectively discharge its responsibilities, internal audit incurs a lot of costs, which include but are not limited to personnel cost, travel cost, fixed asset cost, software cost, training cost, etc.
The internal audit department produces a budget at the beginning of every fiscal year showing the activities, projects and initiatives it intends to undertake, which it sends to the board audit committee and executive management for consideration and approval. To achieve its assurance deliverables, the board audit committee and management must demonstrate support for the internal audit department by ensuring that the resources needed for it to discharge its duties effectively and efficiently are provided.
Resources are budgeted based on the audit plan of the department. The audit budget cannot be concluded if the audit plan for the department is not in place. Resources (personnel and financial) are allocated to each audit area based on what has been projected. The department can also budget for audit activity based on what was spent in executing similar audits in the past. Audit funding is essentially one of the ways management and the board audit committee demonstrate their support/backing for the internal audit function. An internal audit department that is underfunded will most likely be ineffective and inefficient, and this will be evident in its performance.
· Evaluate the system and process controls in place that ensure the confidentiality, integrity and availability of the company’s information assets and data.
· Ascertain the risks inherent in a company's information assets and operational
processes, and identify methods to mitigate or minimize those risks.
· Ensure that information management processes conform to relevant IT-related laws,
regulations, standards and internal policies.
· Confirm necessary governance over information systems, Information
technology infrastructure and personnel of a company.
· Ensure that IT systems and services will continue to be available and accessible to
the business in the event of disruption or emergency.
Composition
Best practice in auditing requires that an audit team include skills and expertise that cover the area to be audited. The breadth of audit testing to be covered during the audit makes it unlikely to find all the required expertise in a single individual. A good combination of skills (operational, technical, analytical, investigative, interpersonal, etc.) allows for more effective and efficient coverage of the different functions, situations and workings within an organization. The mixture of skills of several persons in the team helps minimize ambiguity and therefore improves the consistency of audit conclusions.
IT audit teams are largely composed of the audit team leader and at least two other auditors who are chosen for the specific skills and expertise that they will bring to the fore during the audit. The size of the audit team will depend on the scope of work to be done and the timeframe allocated for the audit activity.
The following should be considered when assembling an audit team:
1. The audit scope, that is, extent of work to be done during the audit.
2. The objectives of the audit, that is, what the audit is meant to achieve, which will
determine the approach to be adopted.
3. The area of the organization to be audited, which will help in deciding what skills or
expertise are required to conduct the audit.
4. The availability and suitability of the audit team members.
Personal attributes
IT Auditors are expected to possess personal attributes such as:
a) High ethical standards, i.e. objective, fair, independent, honest and discreet.
b) Open-minded, i.e. willing to consider alternative or divergent ideas or views.
c) Diplomatic, i.e. tactful in dealing with people.
d) Drive, i.e. alert, decisive, self-aware, persistent and focused on achieving objectives.
Computer assisted audit tools (CAAT) such as ACL (Audit Command Language) or IDEA
are commonly used to extract and analyse data in a more efficient manner. First, the
CAAT tool is used to extract the data by establishing an ODBC connection to the
database of interest. The data are exported to the CAAT tool, where specified queries,
filters and logic are applied to make sense of the data and achieve the desired outcome.
The results of the analysis can be used to perform further audit testing or to confront
the audit clients for their explanation of observed anomalies or breaches of business rules.
To overcome this, the audit team must plan better by identifying activities that will be
performed offsite (i.e. at the audit team’s location) and those that will be performed onsite (i.e.
at the audit client’s location). This helps to optimize cost, increase efficiency and reduce
waste and the time required to perform an audit.
Some of the activities that could be performed offsite are as follows.
· Review of documents such as manuals, policies, operating procedures, standards,
regulations, minutes of meetings, etc.
· Data analysis.
· System audit log review.
· Logical access control review.
· Other reviews requiring system access (i.e. online review).
Other activities that cannot be performed offsite will then be performed onsite such as
interviews, process or system observation, walk-throughs, evidence examination, etc.
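The CAAT workflow described above (extract over a database connection, then apply queries and business-rule filters) and the offsite data analysis and logical access control review listed here can be demonstrated end to end in a few lines of Python. The following is an added example, not code from the book or from any CAAT product: it uses an in-memory SQLite database as a stand-in for the ODBC-connected system, and the staff, account and payment rows, the column names and the business rules (no self-approval, postings only between 08:00 and 18:00) are all constructed for illustration.

```python
import sqlite3
from datetime import datetime

# Constructed sample rows standing in for the tables an auditor would pull over an
# ODBC connection to the system of interest. Schema and names are hypothetical.
STAFF_ROWS = [
    # staff_id, name, status, exit_date
    ("S001", "A. Bello", "active", None),
    ("S002", "C. Okafor", "exited", "2023-03-31"),
    ("S003", "D. Musa", "active", None),
]
ACCOUNT_ROWS = [
    # username, staff_id, enabled
    ("abello", "S001", 1),
    ("cokafor", "S002", 1),   # still enabled after the staff member exited
    ("dmusa", "S003", 1),
]
PAYMENT_ROWS = [
    # payment_id, amount, initiated_by, approved_by, posted_at
    ("P1", 1500.00, "abello", "dmusa", "2023-05-02 10:15:00"),
    ("P2", 9800.00, "dmusa", "dmusa", "2023-05-02 11:40:00"),   # initiator approved own payment
    ("P3", 250.00, "abello", "dmusa", "2023-05-03 22:05:00"),   # posted outside business hours
]


def load_sample_db() -> sqlite3.Connection:
    """Build the in-memory database from the constructed rows (the 'extract' step)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE staff(staff_id TEXT, name TEXT, status TEXT, exit_date TEXT);
        CREATE TABLE account(username TEXT, staff_id TEXT, enabled INTEGER);
        CREATE TABLE payment(payment_id TEXT, amount REAL, initiated_by TEXT,
                             approved_by TEXT, posted_at TEXT);
        """
    )
    conn.executemany("INSERT INTO staff VALUES (?,?,?,?)", STAFF_ROWS)
    conn.executemany("INSERT INTO account VALUES (?,?,?)", ACCOUNT_ROWS)
    conn.executemany("INSERT INTO payment VALUES (?,?,?,?,?)", PAYMENT_ROWS)
    return conn


def enabled_accounts_of_exited_staff(conn) -> list:
    """Logical access control review: accounts still enabled for staff who have left."""
    rows = conn.execute(
        """
        SELECT a.username FROM account a
        JOIN staff s ON s.staff_id = a.staff_id
        WHERE s.status = 'exited' AND a.enabled = 1
        """
    ).fetchall()
    return [r[0] for r in rows]


def self_approved_payments(conn) -> list:
    """Business-rule test: the initiator and the approver must be different people."""
    rows = conn.execute(
        "SELECT payment_id FROM payment WHERE initiated_by = approved_by"
    ).fetchall()
    return [r[0] for r in rows]


def payments_outside_hours(conn, start_hour=8, end_hour=18) -> list:
    """Business-rule test: postings outside the agreed processing window (assumed 08:00-18:00)."""
    flagged = []
    for pid, posted_at in conn.execute("SELECT payment_id, posted_at FROM payment"):
        hour = datetime.strptime(posted_at, "%Y-%m-%d %H:%M:%S").hour
        if not (start_hour <= hour < end_hour):
            flagged.append(pid)
    return flagged


def run_audit_queries(conn=None) -> dict:
    """Apply every filter and return the exceptions to be put to the audit client."""
    conn = conn or load_sample_db()
    return {
        "exited_but_enabled": enabled_accounts_of_exited_staff(conn),
        "self_approved": self_approved_payments(conn),
        "outside_hours": payments_outside_hours(conn),
    }


if __name__ == "__main__":
    for test_name, hits in run_audit_queries().items():
        print(f"{test_name}: {hits}")
```

Each function returns the list of exceptions for one business rule, so the same queries can be re-run against the live extract once the real connection string replaces the in-memory stand-in; the results are the evidence the auditor takes into the onsite interviews.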
Management should see internal audit as a strategic partner beyond daily business as
usual. Such a strategic partnership brings internal audit into the picture of the business risks and
pain points confronting management, beyond the regulatory and statutory issues
that fall within the purview of internal audit. Internal audit should be able to proffer
recommendations and advisory services that will close those gaps while maintaining its
independence.
CHAPTER – 2 The Audit Process
The Audit Process
The IT audit process is the set of steps adopted by the IT audit team in performing their assurance
functions, from conceptualization or initiation of the audit to its completion. The process to
be adopted by the IT audit or internal audit function is usually documented in the
department’s audit procedure manual. The process adopted for performing any IT audit
depends largely on the type and scope of the audit and the objectives to be realized.
However, for most audits the process is largely similar and is listed as follows.
1. Planning
2. Execution
3. Reporting
4. Grading/Rating
5. Corrective actions and remediation
6. Follow up
Planning
At this stage, the internal audit department develops an annual audit plan, which is
reviewed by the Chief Audit Executive and approved by the Management Committee and
Board Audit Committee (BAC). The audit plan consists of the strategy and methodology to
be adopted by the internal audit department in executing the plan. The audit universe as
well as the audit units are identified based on feedback from management and the board
audit committee on the strategic direction of the organization. The various areas and
aspects of the organization to be audited are highlighted in the plan and scheduled based
on the resources available to the department.
For a given audit area scheduled in the plan, the audit programme is prepared by the
Audit Team Leader and approved by the Head of the IS Audit Unit and the Chief Audit
Executive. However, a caveat is included to state that the audit programme is subject to
revision in accordance with changes in requirements, scope and schedule. In preparing
the audit programme, the IT audit team engages the auditee management to
understand their requirements and operating environment. Documents such as standard
operating procedures, applicable internal policies, regulatory and statutory requirements,
business pain points and the Risk & Control Self-Assessment (RCSA) report of the audit client
are requested prior to the commencement of the audit. The audit team reviews these
documents to gain a good understanding of the audit area, inherent risks, control issues and
operational challenges confronting the auditee. Based on the pre-audit assessment, the
Audit Team Leader defines the scope of the audit from a risk perspective and according to
the resources and time available. The audit team is also at liberty to obtain, prepare
and analyze data needed to confirm the effectiveness and adequacy of controls. It is
recommended that data preparation and analysis are carried out as pre-audit activities and
done offsite to enable the audit team to gain speed and traction when the fieldwork
commences, so as not to struggle with the limited resources and timeframe for execution.
From this audit programme, the Team Leader will prepare the respective audit plans,
which is communicated to the other team members and audit client. At this point, the
audit engagement notice/letter can be issued articulating the objectives, scope and
requirements for the audit. The plan may include the following among others.
· Audit objective and scope.
· Department/Section and responsible individuals in charge.
· Audit team members. The number of auditors depends on the size of the audit area
and complexity of the departmental functions to be audited.
· Date, place and time of the audit.
Opening meeting
An opening meeting, where deemed appropriate by the auditee management and Team
Leader, shall be held on the day of commencement of the audit. The following may be
discussed during the opening meeting:
· The purpose and scope of the audit.
· Confirmation of the audit plan.
· Clarification of other matters such as requirements, audit approach,
documentation, rating/scoring method and consequence management should be
agreed before the audit kicks off.
Execution
This is where the real audit is performed. The auditors will perform the audit using one or
several checklists or audit working papers (AWP) that are described hereunder:
1. Internal Audit Checklist/Observation template – This contains audit test procedures
that are specific to the organizational unit to be audited. The assigned auditors are
to generate interview questions based on the test steps as they deem appropriate.
2. Management System (MS) Standard Checklist – This contains items or test
procedures relating to the requirements of the standards being audited, such as ISO
27001 (ISMS), ISO 22301 (BCMS), ISO 20000 (ITSMS), ISO 9001 (QMS), COBIT 5
Assessment, etc.
materiality, even though not covered by the checklist. Other objective evidence and/or
observations that may impact positively or negatively on the area being audited shall also
be listed in the space provided on the checklist.
The audit team must display a high level of professionalism and due care in all their activities
and communicate their expectations and concerns to the auditee. Where conflict or
disagreement arises during the audit, the Audit Team Leader should engage the auditee
management and ensure that the issues are addressed amicably and areas of
disagreement sorted out with proper explanations. If the Audit Team Leader is not able to
resolve the conflict or disagreement amicably, the issue should be escalated to higher
authorities through his/her reporting lines.
Reporting
The principal product of the audit is the audit report, in which audit opinions are expressed,
audit findings are presented, and recommendations for improvement are articulated. To
ensure that the recommendations presented in the final report are practicable and value
adding, the Internal Audit team discusses the draft with the audit client prior to issuing the
final report. The audit report can come in different formats depending on what has been
adopted by the internal audit department, but there are generally accepted reporting
formats. Typically, the audit report consists of the following.
1. Cover memo
2. Executive summary
3. Full report
4. Rating sheet
5. Consequence management
6. Appendices
The cover memo highlights the objectives and scope of the audit exercise and the distribution list
for the report (i.e. the persons to receive the report). It is sent to the person responsible for
attending to the issues noted in the report as well as coordinating resolution of all audit
findings.
The executive summary highlights the high-level issues requiring management and board audit
committee attention. It is a summary of the audit findings with the most critical issues that
need to be communicated to management and the board for action. It is written in concise,
clear and non-technical language for ease of understanding by the audience.
The full report contains all issues noted during the audit in detail, the risk implications of the
issues raised, auditee/management responses to the findings and the recommendations
proffered by the auditors to close the identified gaps.
Other documentation required to support the audit work and report includes:
· Audit terms of reference (TOR)
· Audit working paper (AWP)
· Walk-through test document (WTD)
· Test of control (TOC)
· Issue summary (IS)
At the reporting stage of the audit, the audit team reviews and analyzes the audit findings,
consolidates all findings into a single report together with supporting documents, logs and
transaction reports as appendices, classifies all findings in line with the department’s risk
scoring/rating criteria, and prepares the audit recommendations and the final audit report.
Audit findings should be supported by objective evidence. The Team Leader is responsible
for the consolidation of all the audit findings and preparation of the audit report. The
auditors should follow the professional code of conduct in the preparation of the report.
There are several models or methodologies that can be adopted in determining the audit
rating or opinion of conformance of an audit area. Some schools of thought or models
hold that each audit exception or non-conformity should be assigned a weighted
score (or %) based on its severity. For instance, 5% for critical severity, 4% for high
severity, 3 for medium severity, 2 for low severity, 1 for very low severity and 0 for effective
control. The applicable score for each exception or non-conformity is deducted from a
maximum score of 100, and the remaining score after all deductions forms the final audit
rating, which is usually banded; for example, above 70% is low risk (good rating), 30 to 60%
is medium risk (opportunity for improvement or average rating) and below 30% is high risk
(poor rating).
Best practice for audit rating requires that the various risks identified in each audit area
be rated rather than rating the controls/exceptions. The weighted score of each of the risks
associated with a given audit area determines the audit rating of the process. Depending on whether the
control(s) implemented to mitigate each risk are adequate or inadequate, the audit
team apportions a weighted score based on their opinion of control adequacy. A rating
guide that could be adopted is:
· Critical risk (very poor rating; 0-20%)
· High risk (poor rating; 20-30%)
· Medium risk (average rating; 30-50%)
· Low risk (good rating; 50-70%)
· Very low risk (very good rating; 70-90%)
· Insignificant risk (outstanding rating; 90-100%)
The cumulative weighted score of each of the risk areas forms the audit rating for the
client.
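Both rating models described above, the exception-deduction model with its example weights and bands and the risk-based model with the six-band guide, are easy to get subtly wrong at the band boundaries, so here is an added worked implementation (not the book's own tooling). The severity weights and the band edges are taken from the text; how a risk's weight is derived and how shared boundary values such as 20% are assigned are assumptions, labelled in the code.

```python
from typing import Dict, List, Optional, Tuple

# Model 1 (exception-based): points deducted per exception by severity, as in the
# text's example (5, 4, 3, 2, 1, 0).
EXCEPTION_WEIGHTS: Dict[str, int] = {
    "critical": 5, "high": 4, "medium": 3, "low": 2, "very_low": 1, "effective": 0,
}


def deduction_score(exception_severities: List[str]) -> int:
    """Start from 100 and deduct the weighted score of every exception (floored at 0)."""
    deducted = sum(EXCEPTION_WEIGHTS[sev] for sev in exception_severities)
    return max(0, 100 - deducted)


def deduction_band(score: float) -> Optional[str]:
    """Bands exactly as the text gives them: above 70 low risk, 30 to 60 medium, below 30 high.
    Scores above 60 and up to 70 are not assigned a band by the text, so None is returned
    for them rather than guessing; a real rating procedure must close that gap explicitly."""
    if score > 70:
        return "Low risk (good rating)"
    if 30 <= score <= 60:
        return "Medium risk (opportunity for improvement / average rating)"
    if score < 30:
        return "High risk (poor rating)"
    return None


# Model 2 (risk-based): bands from the rating guide. Lower bound inclusive, upper bound
# exclusive, because neighbouring bands in the guide share their boundary value (an
# assumption about how to read "0-20%" next to "20-30%"); 100 falls in the top band.
RISK_BANDS: List[Tuple[float, float, str]] = [
    (0, 20, "Critical risk (very poor rating)"),
    (20, 30, "High risk (poor rating)"),
    (30, 50, "Medium risk (average rating)"),
    (50, 70, "Low risk (good rating)"),
    (70, 90, "Very low risk (very good rating)"),
    (90, 100, "Insignificant risk (outstanding rating)"),
]


def risk_band(score: float) -> str:
    if not 0 <= score <= 100:
        raise ValueError(f"score {score} is outside 0-100")
    for lo, hi, label in RISK_BANDS:
        if lo <= score < hi or (score == 100 and hi == 100):
            return label
    raise AssertionError("unreachable: bands cover 0-100")


def risk_weighted_score(risks: List[Tuple[float, float]]) -> float:
    """Each risk is (weight, adequacy). The weight is the risk's relative significance in
    the audit area (how it is derived is an assumption; the text only says the score is
    weighted) and adequacy is the team's opinion of control adequacy in percent
    (0 = inadequate, 100 = fully adequate). The cumulative rating is the weighted average."""
    total_weight = sum(weight for weight, _ in risks)
    if total_weight <= 0:
        raise ValueError("at least one risk with a positive weight is required")
    return sum(weight * adequacy for weight, adequacy in risks) / total_weight


def rate_audit_area(risks: List[Tuple[float, float]]) -> Tuple[float, str]:
    score = risk_weighted_score(risks)
    return score, risk_band(score)


if __name__ == "__main__":
    exceptions = ["critical", "high", "medium"]          # constructed findings
    s1 = deduction_score(exceptions)
    print("model 1:", s1, deduction_band(s1))
    # constructed risks: (weight, control adequacy %)
    print("model 2:", rate_audit_area([(3, 80), (2, 45)]))
```

Running it shows the practical difference between the models: three exceptions under model 1 still leave a score of 88 and a good rating regardless of which process they sit in, whereas under model 2 one poorly controlled but heavily weighted risk drags the whole area down.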
The follow up process shall run its course until all noted gaps and non-conformities have
been fully remediated and a compliance certificate issued to affirm conformance.
Full Audit
A full audit is performed on audit areas that have been scheduled in the internal audit plan.
The audit process described above is adopted to provide assurance on the
effectiveness and adequacy of internal controls and governance structures. This type of
audit is conducted at most twice annually for a given audit area, depending on the risk
rating of the area being audited. A full audit must follow all the processes described above
in this book.
Spot-Check
Spot-checks are unannounced audits or reviews designed to ascertain the effectiveness
or state of working of critical controls, processes or systems which could adversely impact
the business if not properly overseen. They are done at random to confirm the consistency and
integrity of the process, system or control when no one is watching, and so carry an
element of surprise. Examples include a cash count in a bank’s vault, an ATM cash count, a bank teller
cash count, a payment card production and personalization stock count, a manufacturing or
distribution stock count, mystery shopping at service points or outlets, etc. Management
occasionally requests this type of audit to provide independent assurance that a
strategic/critical process of the organization is working as expected without any form of
abuse or compromise.
Follow Up Audit
Follow up audits are performed in most cases to confirm the status of resolution of audit
findings noted in a previously audited area or business unit. It is a compliance audit that
verifies whether the recommendations prescribed to close or resolve control weaknesses or
lapses have been implemented by management and that no further breaches are occurring
in that area. This type of audit is usually requested by the board audit committee and the
Chief Compliance Officer (CCO) of an organization.
recommendations that will prevent future occurrence. It can sometimes require the
application of forensic methods and professional evidence collection. It can take longer
to complete and is expected to be far more detailed than conventional audits (full audits).
Value-for-money audits, which are special audits, are also requested by management or the
board audit committee to confirm that investments made in a business area or technology
of interest are yielding the desired return on investment (ROI).
Secondly, the Audit Department defines the audit units or components. For example,
Strategic Business Audit, Subsidiary Audit, Branch/Regional Business Audit, Information
Systems Audit, Retail Services Audit, etc. can be defined as the audit units under the audit
universe, as applicable.
Furthermore, the Auditors define the audit type, which can be routine, ad hoc, spot
check, follow up, or special (investigation) audit. The audit type will determine the
approach, resources, templates and report formats to be adopted in performing the audit.
Finally, the audit areas are also defined in the software. Audit areas can, for example, be
Accounts and Financial control (FINCON) audit, Strategic Risk management audit,
Treasury products and operations audit, Credit analysis and administration audit, Brand
Assurance and Corporate communications audit, Foreign operations audit, Physical
security audit, Data center audit, IT Power and Infrastructure audit, Core Business
Applications audit, IT Operations and Infrastructure audit, Business Continuity
Management and Disaster Recovery Assurance audit, and Business Units, among others.
After the above steps have been defined in the software (note: a robust audit
management software should come with most of these features inbuilt), the Audit team
will have to design its Audit Work Programs (AWP), which should capture the identified risks
in the area being audited, the controls to mitigate the risks, the audit test procedures or Tests of
Controls (TOC) to be carried out to confirm whether the controls implemented are working as
expected, and the severity of each risk (critical/very high, high, medium or low). The
AWP can be uploaded into the audit software in the form of a template predefined in a
format acceptable to the software. After the AWP has been uploaded into the audit
management software under a defined audit area, the audit can be approved for
commencement by audit management. Once the audit work program has been
approved, it becomes an active/scheduled audit in the audit management software
based on the effective date of commencement of the audit assignment. The AWP is the
working document for the audit team during the audit assignment. The audit team
populates the AWP with their findings and the root causes of the noted exceptions based on
their observation of the issues in the field. Appropriate corrective actions or
recommendations are also provided based on the observations. Thereafter the audit client
(i.e. auditee) provides their responses to the issues raised during the audit as well as
the root causes and remedial actions. These responses are fed directly into the audit management
software where it has been properly implemented or integrated with the organization's Active Directory
and email systems, which allows the audit clients to give their responses directly
in the audit software. Where the responses provided are adequate and give an
accurate account of the issues as observed/captured by the audit team, the audit team
can then conclude the audit and submit it for review and adjustment by audit
management.
Good audit management software comes with pre-formatted reports, and the report
format will depend on what has been agreed and adopted by the Internal Audit
department and implemented by the software vendor. Some of the reports come with a
cover memo, executive/issue summary, main/detailed report (issues/findings,
recommendations, root causes, closure timelines, etc.), rating sheet, consequence
management report and audit work papers (i.e. AWP and appendices of audit
evidence).
It is important to note that the audit template a.k.a. AWP, which has been uploaded into
the audit management software and used for the real audit field work can be in different
states in the audit management software.
State I: In-Development (Offline)
State II: Under-review
State III: Active (Live)
Depending on the state, any member of the audit team assigned to carry out a given
audit (audit area) can work on the AWPs or audit checklists at any time. All they need to
do is first check out the audit work program or checklist (i.e. check out the active AWP
into the In-Development state). While in the In-Development state, the audit team can work on
different versions of the AWP or audit checklist for a given audit area. After working on the
AWP or checklist in the In-Development state, the Auditor can check the program in to
become Active or Live in the software, which becomes the final version at any given time
until updated. As such, the audit team members can go back and forth (i.e.
amend/change) on their AWP or audit checklists till they agree on the final version that will
be relevant for the job. Once they have agreed, the team lead can change the state of
the final version by checking it in to become "Active", or send it to his/her superior for
approval (i.e. the "Under-review" state). Once reviewed and approved, it is then checked
in as the final version (i.e. the "Active" state).
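The check-out / check-in lifecycle of an AWP described above is a small state machine, and modelling it explicitly makes the allowed transitions (and the ones that must be refused, such as amending a program nobody has checked out) unambiguous. The following is an added example in Python, not code from the book or from any audit management product: the `AuditWorkProgram` class, its method names and the sample audit area and test steps are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The three states named in the text.
IN_DEVELOPMENT = "In-Development (Offline)"
UNDER_REVIEW = "Under-review"
ACTIVE = "Active (Live)"


class WorkflowError(Exception):
    """Raised when a transition is attempted from the wrong state."""


@dataclass
class AuditWorkProgram:
    """Hypothetical model of one AWP record in an audit management tool."""
    audit_area: str
    steps: List[str] = field(default_factory=list)    # test steps of the Active version
    version: int = 1                                   # version number of the Active copy
    state: str = ACTIVE
    draft_steps: Optional[List[str]] = None            # working copy while checked out
    history: List[Tuple[str, str, int]] = field(default_factory=list)  # (actor, action, version)

    def check_out(self, auditor: str) -> None:
        """Take a working copy of the Active version into In-Development."""
        if self.state != ACTIVE:
            raise WorkflowError(f"cannot check out while {self.state}")
        self.draft_steps = list(self.steps)
        self.state = IN_DEVELOPMENT
        self.history.append((auditor, "check-out", self.version))

    def amend(self, auditor: str, test_step: str) -> None:
        """Back-and-forth edits are only possible on the checked-out draft."""
        if self.state != IN_DEVELOPMENT:
            raise WorkflowError(f"cannot amend while {self.state}")
        self.draft_steps.append(test_step)
        self.history.append((auditor, "amend", self.version + 1))

    def submit_for_review(self, team_lead: str) -> None:
        """The team lead sends the agreed draft to a superior for approval."""
        if self.state != IN_DEVELOPMENT:
            raise WorkflowError(f"cannot submit while {self.state}")
        self.state = UNDER_REVIEW
        self.history.append((team_lead, "submit", self.version + 1))

    def check_in(self, actor: str) -> None:
        """Promote the draft to Active: directly from In-Development (team lead's own
        check-in) or from Under-review once the superior has approved it."""
        if self.state not in (IN_DEVELOPMENT, UNDER_REVIEW):
            raise WorkflowError(f"nothing to check in while {self.state}")
        self.steps = self.draft_steps
        self.draft_steps = None
        self.version += 1
        self.state = ACTIVE
        self.history.append((actor, "check-in", self.version))


def demo_lifecycle() -> AuditWorkProgram:
    """Walk one AWP through the full check-out / review / check-in cycle (constructed data)."""
    awp = AuditWorkProgram("Data Centre", steps=["Obtain the data centre organogram."])
    awp.check_out("auditor-1")
    awp.amend("auditor-1", "Confirm the duty roster is reviewed by the Data Centre Manager.")
    awp.amend("auditor-2", "Confirm EOD activities are captured in the EOD register.")
    awp.submit_for_review("team-lead")
    awp.check_in("head-of-is-audit")       # approval promotes the draft to Active
    return awp


if __name__ == "__main__":
    program = demo_lifecycle()
    print(program.state, "version", program.version)
    for actor, action, ver in program.history:
        print(f"  v{ver}: {action} by {actor}")
```

The `history` list is the audit trail of the AWP itself: it records who checked the program out, who amended it and who approved it, which is exactly what a reviewer needs when a later question arises about how a test step came to be in the final version.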
When the audit work is completed, the final report is then generated via the audit
management software for management review and the Chief Audit Executive's (CAE) final
approval and issue. The management review can be done either in the software or offline,
depending on the choice of the CAE. Once the audit report has been issued to the
organization's management or Board Audit Committee, the follow up process is kick-started.
The team designated for this purpose drives the process and ensures that the
timelines specified by the Audit Client for closure of the audit exceptions/non-conformities
are adhered to and that the exceptions are closed, with a status report sent to the follow up team for
documentation and management review.
PART 2
IT Systems, Processes and Infrastructure Audit
CHAPTER – 3 Audit of Data Centers
Audit Program for Data Centers
Audit Objectives
The objective of the exercise is to evaluate the adequacy, effectiveness and
efficiency of controls in place to minimize the risk of unauthorized access to the
data center, business disruptions and theft of information assets.
Areas of coverage
· Personnel procedures and responsibilities addressing employee
termination, cross-functional and systems training.
· Program change controls are adequate to ensure that changes are tested
and approved before being moved into production status.
· Backup procedures are adequate to minimize business interruption and
protect against loss of data in the event of a disaster.
· Physical security controls are adequate to prevent unauthorized access to
computer center areas.
· Environmental controls are adequate to minimize hardware/software
losses from fire or flood.
Audit Scope
The following areas of data center operations shall be covered: Access to the
information processing facility or data center, visitors/vendor restriction, protection
of assets, identification of the information processing facility, access to offsite
storage facility, policies and procedures, personnel, incident management, fire
and hazard control, environmental control, etc. However, specific attention will be
paid to the following areas:
· Data center operating policies and procedures.
· Physical security controls.
· Environmental controls.
· Incident handling and management.
· Infrastructure maintenance
· Cabling and telecommunications.
· Service monitoring and availability management.
· Business continuity management.
Data Centre Audit Checklist
Columns: S/N, Audit Area, Risk, Control, Test Procedures.

1. PEOPLE AND PROCESS
Risk: Lack of separation of duties, ambiguity in business rules and procedures, and inconsistency in processes and procedures.
Control: Departmental organogram, job descriptions, manuals and product documentation.
Test Procedures:
· Obtain the Data Centre organogram as it relates to the organizational structure, as well as the job descriptions.
· Confirm that each staff member has a documented job description.
· Interview all the staff in the data center and ascertain the processes and procedures required for the performance of their job functions.
· Ascertain the risks associated with the processes and confirm the adequacy of controls (system and manual) to minimize the risk.

2. ORGANIZATION AND ADMINISTRATION OF THE DATA CENTRE
Risk: Inconsistent practices and substandard operation of the data center due to lack of a standard operating policy and manual.
Control: Document a standard data center operating policy and manual.
Test Procedures:
· Have the data center operating policy and manual been documented and approved?
· Are they sufficiently descriptive to guide the administration and operation of the data center?
· Are the data center operators aware of the existence of the operating manual as well as its provisions?
· Is there a procedure in place for the periodic review of the operating manual to ensure that it reflects changes and improvements in data center operations and ensures compliance with best practice?

Risk: Risk of compromise by the Data Centre Operators due to lack of duty rotation and monitoring of operators’ activities.
Control: Maintain a duty roster to ensure job rotation among the data center Operators.
Test Procedures:
· Verify that the data center Operators’ jobs are rotated. Request the data center duty roster and confirm rotation of duties in a systematic manner.
· Confirm that the duty rosters are routinely reviewed by the Data Centre Manager.

Control: Maintain a record of End of Day (EOD) or End of Month (EOM) activities and processes to prevent system breach, suppression of malicious acts or service failures (in the case of a high-volume data centre using high-end ERP or banking software).
Test Procedures:
· Confirm that all EOD activities and processes are captured in the EOD register or portal to prevent suppression of malicious acts as well as service failures.
· Confirm that EOD/EOM activities and processes are reviewed regularly by the Head of Data Centre to ensure that no service issues or malicious acts are suppressed by the Operators.

Control: Implement performance measurement and monitoring systems.
Test Procedures:
· Determine whether performance measurement processes for services and infrastructure (systems) are in place.
· Determine whether system downtime is recorded or tracked.
· Confirm that alerts/notifications are set to monitor agreed resource thresholds for systems and to alert the Operators when such thresholds are breached or exceeded. This is to prevent over-utilization of system resources in a manner that will cause damage to the infrastructure. For example, set alerts on disk space utilization of server disk drives, NetApp storage, Dell EMC storage, memory utilization, CPU utilization, etc.
· Confirm that system downtime or outage is effectively monitored to prevent service failure. For example, monitor service UPTIME on AIX/UNIX servers.

Risk: Compromise, theft and unauthorized access to backup media and the offsite storage facility.
Control: Implement adequate controls to ensure accountability and protection of backup media produced at the main facility, as well as their transfer and retrieval to and from the offsite storage facility.
Test Procedures:
· Confirm that all tapes that are sent to the offsite storage facility are properly documented and authorized before their transfer.
· Confirm that the method of transfer of the tapes (by either till box or safe) to the offsite storage facility is secured and adequately protected from theft or compromise. Inspect the box or safe as well as the process of tape transfer to ensure their security.
· Verify whether the tapes and other media are encrypted to prevent them from being accessed or compromised in the event of theft or loss.
· Confirm that the default OEM (Original Equipment Manufacturer) encryption codes are changed and not used for encrypting the tape drives during backup. Symantec NetBackup as well as other solutions allow the administrator to create their own encryption codes for use during backup.
· Are all visitors to the off-site facility required to sign a logbook or register their presence, indicating their name, reason for visiting, time and date?
· Are the processes for retrieval of storage media (tapes and hard drives) documented and adequately controlled to ensure that the right tapes are retrieved and that there are proper authorizations?
· Are the storage media (tapes and hard drives) properly indexed and labeled to facilitate easy storage and retrieval?

Control: Install fire equipment and other emergency controls and ensure that they are adequately maintained and tested to respond to any fire outbreak.
Test Procedures:
· Are the fire alarm pull boxes and emergency power switches clearly visible, marked and unobstructed?
· Are clear and adequate fire instructions posted in all locations within and around the data center?
· Confirm that emergency phone/switch numbers of fire service authorities are conspicuously displayed in specific locations around the main processing facility for easy access and use in the event of fire. For example, dial 911 or 123, etc. as applicable.
· Are smoke/heat detectors periodically tested to ascertain their working condition and ability to detect fire or smoke when the need arises?
· Are smoke detectors strategically installed under the raised floors and on the ceiling of the data center such that they will easily detect smoke or fire?
· Are there enough fire alarm pull boxes in and around the data center?
· Are the Operators assigned individual responsibilities in the event of fire outbreaks?
· Are the operators trained periodically in firefighting?
· How frequently are fire drills held?
· Are FM200 fire extinguishers installed in the data center for the purpose of firefighting?
· Are the FM200 fire extinguishers promptly maintained and serviced in line with the OEM service lifecycle?
· Is the firefighting equipment periodically tested to ascertain its working condition and ability to respond to disaster in the event of an emergency?
· Are combustible materials found within and around the data center area? Combustible materials must not be kept in or around the data center, as they are fire fuel and could aid the spread of fire.

Control: Implement controls that will adequately prevent flooding and other disasters from affecting the data center.
Test Procedures:
· Is the data center installed above a raised floor?
· Are the materials used for the raised floor or base of the data center non-combustible and such that they do not aid the spread of fire?
· Are there water lines/pipes or collectors that run through or close to the data center area? These should be avoided to prevent flooding.
· Are environmental monitoring and control systems (EMCS) installed in the data center and periodically tested to ensure that temperature and humidity conditions within the data center are controlled and monitored?
· Are the EMCS configurations adequate to ensure that triggers/alerts are sent to the concerned persons when the temperature and humidity conditions within the data center drop below or rise above the acceptable limits or thresholds?

Control: Safeguard signal/data cables in PVC trunks to prevent signal interception or tapping for malicious purposes.
Test Procedures:
· Inspect all signal/data cables on servers and network devices to ensure that they are not exposed to interference or tapping.

Test Procedures:
· Are there procedures in place for deactivating user access on the biometric or smartcard devices in the event that users are disengaged from the organization (either voluntarily or terminated by the company) or if an employee smartcard is lost or stolen?
· Do the means of gaining access, i.e. biometric/smartcard, automatically produce a silent or audible alarm if illegal entry is attempted?
· Do the biometric/smartcard devices automatically log and report successful access and unsuccessful attempts to the data center?
· Is the issuing, accounting for, and retrieving of smartcards/biometric credentials an administrative process that is carefully controlled? Request the smartcards of users that have exited from the organization. Can all active smartcards be accounted for?
· Confirm that the access logs of the biometric or smartcard devices are captured and retained for a reasonable period. Verify that the logs are backed up on external media (tapes or HDD) and retained for the purpose of investigation when the need arises.
· Are there video cameras located at strategic points in the information processing facility (data center) that are monitored by security personnel? Is the video surveillance recorded for possible future playback?
· Is there an alarm system in place that is linked to inactive entry points to the information processing facility or data center?
· Are employees and visiting technicians required to wear photo IDs or identification badges?
· Are visitors required to be escorted by a responsible employee? Such visitors include friends, repairmen, computer vendors, consultants (unless long term, in which case special guest access is provided), maintenance personnel and external auditors.
· Are special service contract personnel, such as cleaning staff and off-site storage services, bonded and monitored during the discharge of their duties to limit the financial exposure of the organization or disruption of service?
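Two of the test procedures in the checklist above, the resource-threshold alerting (disk, memory and CPU utilization, plus EMCS temperature and humidity which must alert in both directions) and the recording of system downtime, are straightforward to verify against the monitoring system's actual logic once the auditor knows what "correct" looks like. The following is an added reference implementation in Python, not code from the book or from any monitoring product: the threshold values, hostnames, readings and heartbeat timestamps are constructed for illustration, and the agreed thresholds in practice come from the organization's own capacity baseline and the OEM's environmental specification.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threshold:
    metric: str
    low: Optional[float]    # alert when the reading drops below this (None: no lower bound)
    high: Optional[float]   # alert when the reading rises above this (None: no upper bound)
    unit: str


# Constructed threshold set (assumed values, not a recommendation for any site).
THRESHOLDS = {
    "disk_used_pct":   Threshold("disk_used_pct",   None, 85.0, "%"),
    "memory_used_pct": Threshold("memory_used_pct", None, 90.0, "%"),
    "cpu_used_pct":    Threshold("cpu_used_pct",    None, 90.0, "%"),
    "temperature_c":   Threshold("temperature_c",   18.0, 27.0, "C"),
    "humidity_pct":    Threshold("humidity_pct",    40.0, 60.0, "%RH"),
}

# Constructed readings: (timestamp, source, metric, value). Hostnames are invented.
SAMPLES = [
    ("2024-01-10 02:00", "srv-db01",  "disk_used_pct",   91.5),
    ("2024-01-10 02:00", "srv-db01",  "cpu_used_pct",    45.0),
    ("2024-01-10 02:00", "srv-app02", "memory_used_pct", 72.0),
    ("2024-01-10 02:00", "dc-room-a", "temperature_c",   29.3),
    ("2024-01-10 02:00", "dc-room-a", "humidity_pct",    35.0),
]

# Constructed heartbeat log of one server, expected every 5 minutes.
HEARTBEATS = [
    "2024-01-10 00:00", "2024-01-10 00:05", "2024-01-10 00:10",
    "2024-01-10 00:40", "2024-01-10 00:45",
]


def evaluate(sample, thresholds=THRESHOLDS) -> Optional[str]:
    """Return an alert line if the reading breaches its threshold in either direction."""
    ts, source, metric, value = sample
    t = thresholds.get(metric)
    if t is None:
        return None                      # no agreed threshold for this metric
    if t.high is not None and value > t.high:
        return f"{ts} {source} {metric}={value}{t.unit} above high threshold {t.high}{t.unit}"
    if t.low is not None and value < t.low:
        return f"{ts} {source} {metric}={value}{t.unit} below low threshold {t.low}{t.unit}"
    return None


def threshold_alerts(samples=SAMPLES, thresholds=THRESHOLDS) -> List[str]:
    """All alerts that should have been raised for a batch of readings."""
    return [a for a in (evaluate(s, thresholds) for s in samples) if a is not None]


def downtime_windows(heartbeats=HEARTBEATS, interval_min=5) -> List[Tuple[str, str, float]]:
    """Derive outages from heartbeat gaps: a gap longer than two expected intervals is
    recorded as downtime (one missed beat is tolerated as jitter)."""
    fmt = "%Y-%m-%d %H:%M"
    times = [datetime.strptime(h, fmt) for h in heartbeats]
    windows = []
    for prev, cur in zip(times, times[1:]):
        gap_min = (cur - prev).total_seconds() / 60
        if gap_min > 2 * interval_min:
            windows.append((prev.strftime(fmt), cur.strftime(fmt), gap_min))
    return windows


if __name__ == "__main__":
    for line in threshold_alerts():
        print("ALERT", line)
    for start, end, minutes in downtime_windows():
        print(f"DOWNTIME {start} -> {end} ({minutes:.0f} min)")
```

The auditor's test is then a comparison: feed the monitoring system's own retained readings through this reference and confirm that every alert it produces also appears in the Operators' alert log, and that every derived downtime window is present in the downtime register.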
CHAPTER – 4 Audit of Business Continuity
Audit Program for Business Continuity and Disaster Recovery Management
Audit Objectives
The objective of the exercise is to evaluate the adequacy, effectiveness and
efficiency of controls in place to minimize the risk of business/service disruptions
because of system failure or disaster affecting an organization’s information
processing facilities (IT infrastructure) or operating environment.
Areas of coverage
Business Continuity Management and Disaster Recovery Audit Checklist
CHAPTER – 5 Audit of Business Process
Audit of Business Process Re-engineering (BPR) and Software Development
Lifecycle (SDLC) Management
Audit Objective
The objective of the exercise is to evaluate the adequacy, effectiveness and
efficiency of controls in place to minimize the risks of unauthorized access,
disclosure of classified information and inability of business applications to meet
the intended objectives.
Audit Scope
The following areas should be covered during the audit.
· Software development standard and methodology.
· System development lifecycle management.
· Software development process documentation and practices.
· System analysis and design methodology.
· Standard operating procedures.
· Change management.
· Code review and software vulnerability assessment.
· Separation of duties practices.
· Application development standard and best practice.
· Information security considerations.
Audit Checklist for Business Process Re-engineering and Automation
Enterprise IT
Audit Program for IT Governance and Strategic Planning
Audit Objective:
The objective of the exercise is to evaluate the alignment of IT strategy with business
objectives, value delivery of IT investment and effectiveness of IT Department in
providing technology related services to every area of the business.
Audit Scope:
Some of the areas the audit should consider are: understanding the impact of IT
services within the company, performance measurement and scorecard for IT
services, assuring stakeholders of the viability of IT investment among others. The
following areas should be considered:
· IT Steering Committee and its composition.
· IT Project Management and Implementation.
· IT Policies.
· IT Organizational Structure.
· IT Strategy (Short, Medium & Long Term).
· IT Administration.
· IT Resource Management.
· IT Security Management.
· IT Budgets.
· Performance Monitoring and Measurement.
the need to take responsibility for IT management as a critical component of their
overall corporate governance efforts.
Information Security
Information is one of the organization’s most important assets. Protection of information assets is necessary to establish and maintain trust between the organization and its customers. Timely and reliable information is necessary to process transactions and support organization and customer purchase decisions. The organization’s earnings and capital can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when it is needed.
Information security is the process by which an organization protects and secures the systems, media, and facilities that process and maintain information vital to its operations. Security programs must have strong Board and Senior management level support, integration of security responsibilities and controls throughout the organization’s business processes, and clear accountability for carrying out security responsibilities. Guidance will be provided to examiners and assurance professionals on determining the level of security risks to the organization and evaluating the adequacy of the organization’s risk management.
The Audit Team shall request for the following from Management.
Information Technology (IT) Governance
· IT Organogram/Organizational structure.
· Job descriptions for all IT related roles.
· List of IT inventory/assets (Hardware & Software) and their current locations with
their serial and license numbers as applicable.
· IT Charter.
· IT Steering Committee Composition.
· Minutes of meeting of IT Steering Committee in the last one year.
· IT Budget for the financial year.
· IT Security Steering Committee composition and minutes of meetings.
· Current IT Strategic plan.
· IT strategic plan (medium and long term).
· IT Risk register.
· Previous internal and external audit report of IT departments.
· Compliance certificate for the previous audit reports.
· Training Plan for the financial year.
· Key Performance Indicators (KPIs) for all IT related functions.
· List of all IT vendors and their respective Service Level Agreements (SLA) or
Contract agreement.
· List of pre-qualified IT vendors.
Audit Checklist for IT Governance and Strategic Planning
1. Confirm that there is an IT governance and strategic plan that suits the company's peculiar needs.
2. Confirm that there is executive management and Board buy-in for IT activities, governance and strategic plan.
3. Verify that IT governance and strategy have complete Board of Directors buy-in and that issues relating to IT and strategic investment are discussed and approved by the Board (request the Board of Directors’ minutes of meetings from the company secretariat).
4. Verify the existence of an IT Steering Committee which has management responsibility for enterprise governance and administration of IT and reports to the relevant Board standing committees.
5. Verify that there is alignment of IT projects and strategic investments with business objectives (request Board and Exco minutes of meetings).
6. Verify that there is a governance structure and administrative reporting lines in the IT department that will promote accountability and good practice.
7. Verify that the IT Steering Committee performs its oversight responsibilities over the IT Department and reports back to management for informed decision making.
8. Verify that key performance indicators were put in place by the Board of Directors to measure IT performance.
9. Verify that the Board of Directors adequately challenges management on IT initiatives by benchmarking measurable results.
10. Verify that management has aligned IT strategy with business goals by asking tough questions such as: where does IT fit in the overall strategy for the company? What is management's risk tolerance level with IT investments? What are the major IT issues facing the organization?
11. Verify that management prepares and presents an annual IT budget to the Board of Directors for approval with adequate information on how the budget will be executed and the value it will provide to the company.
12. Verify that management has put in place a short or medium term IT strategic plan (3 to 5 years) highlighting the focus of the IT organization, strategic IT projects to be executed, cost of such projects, budgets and expected short and long term returns to be gained from the projects.
13. Verify that management has clearly outlined goals for the IT department, which must be measurable and achievable within the scope of resources provided to the IT organization.
14. Ensure that management promotes responsibility among the IT staff for the success of IT projects.
15. Verify that a scoring technique has been established by management to measure current performance of all IT systems and processes while the following key points are monitored: organizational support for the implementation of projects, risk management responsibilities within the organization, the need for interdepartmental sharing of business information, and project communication.
16. Verify that management drills down and defines the process areas in IT that are critical to managing high risk areas.
17. Ensure that expectations among IT staff are managed by making it clear that this is not an overnight process.
18. Verify that management understands the risks associated with IT investment. Consider the company's previous patterns of performance, current IT staff qualifications, complexity of the IT environment, and the type of new IT initiatives being considered.
19. Verify that management analyzes current capability and identifies gaps. Find out where improvements are needed most.
20. Verify that management’s program for IT governance and strategy consists of a series of continuous improvement phases rather than a one- or two-step process.
21. Verify that management has decided which improvement strategies are the highest priority projects. This decision should be based on the most potential benefit and ease of implementation of an IT project.
CHAPTER – 7 Audit of Physical and Environmental Security
Audit Program for Physical and Environmental Security
Audit Objective
The objective of the exercise is to evaluate the adequacy and effectiveness of
controls to minimize the risks of unauthorized access into the organization’s
premises and restricted areas, disruption of operations resulting from power
inadequacies, threat to premises security and the attendant effect of emergency
situations to service availability and human lives in the working area.
Audit Scope
The following areas of the physical and environmental controls as well as power
infrastructure shall be covered:
· Procedures and Controls at the Security Posts and Reception Areas.
· Procedures and Controls at the Generator and Power Farm Areas.
· Closed Circuit Viewing and Monitoring System (CCTV).
· Safety and Emergency Procedures and Controls.
· Fire and hazard control, environmental Controls.
· Physical and logical access controls within the premises, with focus on the main processing facility of the organization.
Audit Checklist for Physical and Environmental Security
Control: Staff entering the premises and other restricted areas must properly identify themselves with staff ID cards as well as conspicuously display their ID cards at the point of entry.
Test Procedure: Observe that staff members who are entering the premises from the main entrance can be identified with their ID cards and that these are conspicuously displayed.

Control: Visitors must also obtain temporary badges or tags from the reception desk, and such tags must indicate the area(s) within the premises that the visitor will access and be restricted to.
Test Procedure: Verify that visitors’ tags are being issued to visitors who need to access the organization’s Head office building or premises. This can be done by identifying a visitor within the premises and checking that the appropriate visitor’s tag was given and is conspicuously displayed. The tags could also serve as access cards which can be used to access designated floors or office areas as appropriate.

Control: Information on all entries, including names of visitors, arrival/departure times and purpose of visit, should be recorded and stored in appropriate form (e.g. logbooks, registers, or IT systems).
Test Procedure: Confirm that the visitors’ register and tags are properly recorded and maintained. Verify records and do random checks on visitors within the premises as a confirmation test.

Risk: Lack of proper action when intrusion has been detected.
Control: Implement procedures for reporting cases of intrusion or unauthorized entries.
Test Procedure: Confirm that logbooks or registers were opened by the Physical Security department for capturing and reporting security incidents or breaches. Check to ensure that appropriate information about possible security incidents is captured in the register. Check/confirm whether there are reported cases of security incidents or breaches in the log book maintained by the Security Department which have not been escalated for management action. Confirm that reported security incidents or breaches were properly escalated through the security reporting lines for appropriate management action.
Control: Conduct intrusion tests and record results and, if necessary, implement corrective actions.
Test Procedure: Confirm that the Security department, with the approval of the Chief Security Officer (CSO), occasionally performs intrusion tests on service men on duty and that test results are documented for preventive action/measures.

Risk: Inadequate protection of the premises against external intrusion.
Control: Conduct tests on the integrity of the perimeter fencing of the premises while planned maintenance and repairs are performed as appropriate.
Test Procedure: Confirm that the Security department, in conjunction with the Corporate Services Department, conducts integrity or structural tests on the perimeter fencing around the premises, if applicable, to provide assurance on its integrity and structural strength, while failures and defects are reported for management’s action.

Risk: Inadequate locking devices for external and internal doors, windows and gates.
Control: Ensure that only authorized personnel have access to keys for locked buildings, sites, rooms, and secure areas.
Test Procedure: Identify how and where keys to specific secure areas, offices or rooms are kept and in whose custody. Confirm that keys are stored securely. Confirm that there is an adequate procedure around retrieval of keys to ensure that only authorized persons do so while records of retrievals are kept for future reference.
Control: Take periodic inventories of locks and keys.
Test Procedure: Request evidence that inventory or stock taking of keys to secured areas is being periodically conducted. Ensure that incidences of missing or unreturned/unaccounted keys are reported and escalated for management action.

2. Entry Control Systems (Biometric and Smartcard) Security and Biometric and CCTV Administration.
Risk: Inadequate protection of the premises against external intrusion.
Control: Implement adequate entry controls such as registers and biometric/smart card access controls.
Test Procedure: Identify and classify all areas within the Head Office building or other Annex locations into security zones based on the criticality of information assets or other valuable assets within those areas. For example, Class A (High security zone), B (Medium security zone), C (Low security zone), etc. Zone A could be executive management floors/wings, Treasury trading/deal room, data center, card production areas, head Office vault, safe custody room for the legal department, HCMD staff file room, Generator area, etc. Zone B could be office areas where sensitive organization's documents are kept in fireproof cabinets, car park, etc. Zone C could be Staff Canteen/Cafeteria, Gym room, Clinic, Reception/Visitor's waiting room, etc. Request the criteria for determining the kind of asset that should be placed in each of the zones. What is the minimum requirement for each security zone? Based on the classification of the security zones within the premises, determine from the assessment which areas require access control devices such as biometric or smart card devices. Ensure that all areas warehousing information assets are properly restricted and controlled with access control devices (biometric or smart card).

Risk: Lack of monitoring of entry points, sensitive and general areas within premises or locations where information assets are kept.
Control: All entry points, sensitive and general areas within the organization's premises shall be secured and monitored using appropriate controls, such as CCTV and/or an entry control system (biometric/smart card access control devices).
Test Procedure: Identify areas within the head office that should be covered by CCTV but are not yet covered. Identify the areas covered by the CCTV and ascertain that the coverage is adequate and legible. Confirm that there is continuous monitoring and viewing (24/7) of CCTV systems by at least two stationed staff in the Control room during peak (daytime) and off-peak periods (nights, weekends and public holidays) for the purpose of detecting any intrusion and unauthorized access or activities. Request the report of security incidents or breaches that were captured using the CCTV systems and verify that they were escalated for management action. Confirm that all installed cameras are functional and working as expected. A functionality test could be carried out by members of the security team in the control room.

Risk: Inadequate retention of images/footage of activities around the premises for the retention period specified in the information security policy.
Control: Record and retain images/footage of all activities around secured areas and entry points, including the perimeter fencing of the premises, using the CCTV system.
Test Procedure: Obtain a sampled playback of CCTV footage of areas around the premises to determine that the images/footage are clear and are being captured and retained as appropriate.
Control: Recorded images/footage of activities within the premises shall be backed up and retained for specified periods of time in line with the organization's data retention policy, regulatory and security requirements.
Test Procedure: Confirm that a CCTV image/video recorder (PVR) was installed. Confirm that a recovery point objective (RPO) and recovery time objective (RTO) have been defined for CCTV images/footage. Confirm that CCTV images/footage are being backed up to external media in line with the established RPO and RTO.
Introduction
The in-depth, authoritative reference for intermediate to advanced IT Audit and IT
Security professionals.
Following reports of Denial-of-Service attacks and data breaches on large corporations around the world in recent times and their attendant impact on business operations, the need to ensure security of the intranet and internet environment cannot be overemphasized. Considering the widespread use of Windows Operating Systems and other associated services, there is an obvious need to ensure security of Windows infrastructure by implementing good internal control systems and enterprise policies as well as promoting best practices and user awareness within the operating environment. Auditors and other IT Assurance professionals are duty bound to ensure the security of all enterprise systems by instituting a robust internal audit and security assessment process for continuous improvement of good security practices.
Audit Objective
The objective of the exercise is to evaluate the effectiveness and efficiency of
controls in place to minimize service disruption and risk of unauthorized access to
the organization’s Windows enterprise systems, servers and workstations.
Audit Scope
The audit program covers enterprise systems (e.g. Active Directory, Exchange
server, Enterprise backup solution, Skype for Business solution, Endpoint solution,
Virtualized Infrastructure, etc.), Windows servers, Windows workstations, intranet
and internet security. Specific attention will be paid to the following areas:
Audit Objective
The objective of the exercise is to evaluate the effectiveness and efficiency of controls in place to minimize the risk to the confidentiality, integrity and availability of e-banking and e-payment application systems.
Audit Scope
6. Operating System Security.
Test Procedure: Ensure that the latest antivirus patches were installed on all servers hosting e-payment applications in the organization. Ensure that the antivirus applications are regularly updated.
Implication: Risk of virus and malware attacks.
Test Procedure: Ensure that all e-payment servers receive regular patch updates from the vendor to close vulnerabilities whose patches are available from the vendor.
Implication: Risk of vulnerabilities being exploited due to lack of prompt and routine patch updates.
Test Procedure: Verify the version of the operating systems of all e-payment application and database servers (in the case of a Windows environment) and ensure that all servers are running on at least Windows Server 2012 and above. An immediate plan should be made to update servers still running on Windows Server 2008.
Implication: Risk of running on servers already out of support from the vendor, with its attendant effect on availability of support and security.
Test Procedure: Verify that users granted either console or remote access to the operating system of e-payment application servers are authorized and that access was given based on the need-to-do.
Implication: Risk of unauthorized access.
Test Procedure: Ensure that operating system logs (application, system and security) of all e-payment application and database servers are consolidated on a log management and correlation tool such as ArcSight.
Implication: Lack of audit trail of users’ and administrators’ activities on the servers.

7. Data Backup and Log Management.
Test Procedure: Ensure that there is a documented backup and restore procedure for e-payment application data. Also, verify that a recovery point objective and recovery time objective have been established for all e-payment application data.
Implication: Risk of data loss and leakages.
Test Procedure: Review the backup procedures, established frequencies and other documentation to determine the following:
1) Adequacy of backup frequency and retention periods for external backup data.
2) Adequacy of procedures relating to in-house and off-site storage of backup media/tapes and programs.
3) Ensure critical backups are stored in a secure, off-site location.
Implication: Loss of data in the event of system crash or disaster affecting the main processing site.
Test Procedure: Check to ensure that activities of operating system and application administrators are logged, adequately protected and backed up to prevent the users from accessing or deleting them to cover up their malicious activities.
Implication: Loss of audit trail of privileged user accounts for investigation when the need arises.
Test Procedure: Verify that backup tapes of all e-payment application data are encrypted before they are sent to the offsite facility as required by PCI-DSS standards.
Implication: Risk to confidentiality, integrity and availability of the application data.
Test Procedure: Verify that logs of user activities on e-payment applications and their database (MSSQL) are backed up externally for audit trail purposes.
Implication: Lack of audit trail.

8. Change management.
Test Procedure: Verify that every system change or modification follows the approved change management process (i.e. completion and authorization of the change management request form) and ensure that stakeholders’ authorization or approvals are obtained as required.
Implication: Risk of unauthorized changes in the production system.
Audit Program for UNIX Operating Systems Infrastructure (IBM AIX and SUN Solaris)
Audit Objective
The objective of the exercise is to evaluate the adequacy and effectiveness of
controls in place to minimize the risk of unauthorized access, disclosure of classified
information and system downtime/unavailability.
Audit Checklist for UNIX Operating System Infrastructures (IBM AIX and SUN Solaris)
Cat: /etc/passwd
5. System Security.
Test Procedure: Ensure that during the initial installation, the System Administrator created audit check sum files. These files will allow the Security Administrator to verify that no changes have been made since the installation of the system.
Risk Implications: Lack of integrity and reliability of the UNIX environment due to non-configuration of the audit check sum file.
Field comments:
Acl: contains both base and extended access control list data for the file.
Class: a logical group to which this file belongs.
Pathname: Absolute pathname.
Owner: Either symbolic or numeric ID.
Group: Either symbolic or numeric ID.
Mode: Symbolic representation as displayed by the ls -l command.
Size: Size of the file in bytes. Major and minor numbers are listed for devices.
Checksum: File contents computed by a checksum algorithm. This field reflects the slightest change to a file, even a single character.
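The audit check sum file described above, as an added example that is not from the book: it records the same fields (pathname, owner, group, mode, size, checksum) for a list of files and later reports every field that no longer matches. SHA-256 stands in for the unspecified checksum algorithm, and numeric IDs are used for owner and group (both assumptions).

```python
"""Added example: a minimal audit check sum (baseline) file and its verifier."""
import hashlib
import os
import stat

FIELDS = ("pathname", "owner", "group", "mode", "size", "checksum")


def file_record(path):
    """Collect the baseline attributes of one file; None if it is missing."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    rec = {
        "pathname": os.path.abspath(path),
        "owner": st.st_uid,                  # numeric ID (assumption)
        "group": st.st_gid,                  # numeric ID (assumption)
        "mode": stat.filemode(st.st_mode),   # symbolic form, as shown by ls -l
        "size": st.st_size,
        "checksum": "",
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()                 # stands in for the checksum algorithm
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        rec["checksum"] = h.hexdigest()
    elif stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
        # devices list major and minor numbers instead of a size
        rec["size"] = "%d,%d" % (os.major(st.st_rdev), os.minor(st.st_rdev))
    return rec


def create_baseline(paths, baseline_file):
    """Write one 'field: value' stanza per file, stanzas separated by a blank line."""
    with open(baseline_file, "w") as out:
        for path in paths:
            rec = file_record(path)
            if rec is None:
                continue
            for field in FIELDS:
                out.write("%s: %s\n" % (field, rec[field]))
            out.write("\n")


def read_baseline(baseline_file):
    """Parse the stanza file back into a list of dicts (all values as text)."""
    records, current = [], {}
    with open(baseline_file) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                if current:
                    records.append(current)
                    current = {}
                continue
            key, _, value = line.partition(": ")
            current[key] = value
    if current:
        records.append(current)
    return records


def verify_baseline(baseline_file):
    """Return (pathname, field, expected, actual) for every attribute that changed."""
    findings = []
    for saved in read_baseline(baseline_file):
        path = saved["pathname"]
        now = file_record(path)
        if now is None:
            findings.append((path, "pathname", "present", "missing"))
            continue
        for field in FIELDS[1:]:
            # the baseline stores text, so compare the current value as text too
            if str(now[field]) != saved[field]:
                findings.append((path, field, saved[field], str(now[field])))
    return findings
```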
9. Batch Jobs and Log File Security.
Test Procedure: Review the crontabs file and ensure that the entries in the file, especially the ones owned by root, are valid entries and running jobs. Note: Scheduled jobs within the UNIX environment are set up in a file called the crontabs. This file has a one-line entry for each job to be executed at a given time.
Risk Implications: Poor system configuration leading to implementation of a vulnerable system.
Test Procedure: Determine if the at command is restricted by reviewing the files called at.allow and at.deny. Other jobs can run with the at command.
Risk Implications: Risk of unauthorized access.
Test Procedure: Check to see if accounting is turned on. The accton command turns on accounting.
Risk Implications: Lack of accountability, responsibility and non-repudiation of users’ actions due to unavailability of audit trail.
Test Procedure: Review /usr/adm/messages for “BAD” login attempts.
Risk Implications: Risk of unauthorized access not being detected.
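Two of the checks above, as an added example that is not from the book: at_permitted() applies the at.allow/at.deny precedence rule to a user, and bad_login_summary() tallies the “BAD” login attempts in messages-style lines per user and source. The sample log lines and their layout are constructed for the example (real systems word these entries differently).

```python
"""Added example: at.allow/at.deny evaluation and a BAD-login tally."""
import re
from collections import Counter


def at_permitted(user, allow=None, deny=None):
    """Decide whether `user` may use at(1).

    `allow` / `deny` hold the usernames listed in at.allow / at.deny, or None
    when that file does not exist. at.allow, if present, is authoritative;
    otherwise at.deny is consulted. When neither exists the default depends on
    the UNIX flavour, so None is returned and the auditor must check the manual.
    """
    if allow is not None:
        return user in allow
    if deny is not None:
        return user not in deny
    return None


# Constructed sample lines in the style of /usr/adm/messages (layout assumed).
SAMPLE_MESSAGES = """\
Jan 10 09:12:03 aix01 login: BAD LOGIN attempt for root on pts/1 from 10.0.0.5
Jan 10 09:12:09 aix01 login: BAD LOGIN attempt for root on pts/1 from 10.0.0.5
Jan 10 09:12:15 aix01 login: BAD LOGIN attempt for root on pts/1 from 10.0.0.5
Jan 10 09:13:00 aix01 login: successful login for opsuser on pts/2
Jan 10 11:40:22 aix01 login: BAD LOGIN attempt for opsuser on pts/3 from 10.0.0.9
"""

BAD_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ login: BAD LOGIN attempt for "
    r"(?P<user>\S+) on (?P<tty>\S+) from (?P<src>\S+)$"
)


def bad_login_summary(lines, threshold=3):
    """Count BAD login attempts per (user, source address).

    Returns the Counter and the sorted list of (user, source) pairs that reached
    `threshold`, which are the ones to raise first in the review.
    """
    counts = Counter()
    for line in lines:
        m = BAD_LOGIN.match(line.strip())
        if m:
            counts[(m.group("user"), m.group("src"))] += 1
    flagged = sorted(key for key, n in counts.items() if n >= threshold)
    return counts, flagged
```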
Audit Objective
The objective of the exercise is to evaluate the adequacy and effectiveness of
controls in place to minimize the risk of unauthorized access, disclosure of classified
information and system downtime in the core banking application.
8. User Access Management.
Test Procedure: Authorized users’ access privileges are defined and restricted by “group profiles”, which provide a template of role-based rights for their designated job function. The “group profiles” are established by the business areas and used by the security administrator. Client-server access rights are defined in user groups containing rights to specific servers, applications, drives, and files. Users are assigned to groups only where there is a business need.
Risk Implications: Authorized users gain inappropriate or excessive privileges.
Test Procedure: Is the practice of copying an existing employee’s access rights to create a new user’s access rights prohibited?
Risk Implications: The system could allow IS Control staff, while creating a new user record on the core banking application, to modify an existing user record. This could lead to assigning excessive or inappropriate privileges to users.
Test Procedure: Verify that application or database level security restricts user access to some critical menus of the core banking application (CBA) and/or from specific types of transactions.
A. Defined authorities and limits built into applications and tables.
B. Regular or periodic monitoring of the appropriateness of authorities and limits.
C. Monitoring of transaction activity.
Risk Implications: Transaction level control required to minimize risk of excessive control or financial loss.
Test Procedure: Is direct access or updates to data, master files or the CBA home directory from command lines or batch programs by “super” users prohibited or restricted? If access must be allowed, access is restricted to only authorized personnel and is monitored and supported by an adequate audit trail.
A. Access restricted based on business need.
B. Programming personnel do not have update access to production data.
C. Access for IT or key user personnel is monitored.
Risk Implications: Deletion, update or modification of application programs/codes from low level utility programs.
Audit Program for Payment Card (Debit, Credit & Prepaid) Processes, Systems and Applications – PCIDSS Compliance
Introduction
Despite the investment in security made by businesses that process, store, transmit and access cardholder information, data breaches have continued to occur on a disturbing scale, leading to loss of funds by cardholders, financial institutions and insurance companies. Players in the payment cards ecosystem such as the card brands (American Express®, Discover®, JCB, MasterCard®, VISA®, Union Pay® and Verve®), card issuers, terminal owners/acquirers, processors and payment switches have suffered losses and reputational damage due to inadequate security controls, process flaws as well as poor monitoring and oversight by those who are saddled with the responsibility to do so. Where vulnerabilities are left unaddressed, chances are that fraudsters and attackers could exploit them to their advantage.
The objective of this practical guide is to offer the reader a step by step guide on
how to carry out the audit/review of the payment cards processes, systems and
applications to provide that needed assurance to stakeholders (management,
investors and regulators) on the adequacy and effectiveness of controls in the
payment cards processes and systems. Businesses that process, store, transmit and
access cardholder information as a matter of corporate governance and
regulation perform audit of the payment cards processes, systems and
applications in a defined cycle. However, the personnel (Information Systems
Auditors, Information Security Practitioners, IT Risk Managers, Card Product
Managers, CIO, CISO, CTO) carrying this audit burden have sometimes fallen short
in their responsibilities with its attendant impact on the confidentiality, integrity and
availability of cardholder information.
This section will close this gap by showing the reader how to carry out the audit
testing as well as control failures/vulnerabilities to look out for in the area of
payment card policies, processes, applications, databases, change
management, redundancy and data backup, vendor management and third
party services, encryption key management, terminal security, network security,
vulnerability management, operating systems security, credit card portfolio
management, card operations (priming, production, stocking & distribution),
instant card issuance, reissuance among others. The primary audience is
operational stakeholders (IT security managers, IT risk managers, IT managers,
business managers and IT auditors) who are responsible for developing,
implementing, operating, managing or reviewing the controls, technology and
processes that are required to secure the system and comply with relevant industry
standards (PCIDSS, PADSS, ISO 27001).
Audit Objective
The objective of the audit is to evaluate the adequacy and effectiveness of
controls in place to minimize the risk of unauthorized access to cardholders’ data
and compromise as well as disruption of e-channel services.
Audit Checklist for Payment Cards (Debit, Credit & Prepaid) Processes, Systems
and Applications – PCIDSS Compliance
7. Credit Card Portfolio Management.
Risk: Loss of funds due to inability of customers/subscribers to repay their loans.
Control: Ensure that customers' credit card loans are fully liquidated upon termination of the credit card platform.
Test Procedure: Obtain the customers' credit card portfolio report. Ascertain the number of customers who have defaulted on their credit card and the debit balances involved. Confirm the credit cards that are performing. Confirm that the requirement for issuance of credit cards to customers is being followed. Collate the list of customers that were issued credit cards and the amounts due on the cards that are yet to be repaid.
Audit Objectives
The objective of this audit exercise is to evaluate the adequacy and effectiveness of controls in place to minimize the risks of unauthorized access to employee information, disclosure of classified personnel information, systems downtime, and risks to the accuracy and integrity of the employee and payroll data.
Audit Scope
The audit shall cover all human resources systems such as, HR software (for
personnel information and payroll data). Specific attention will be paid to the
following areas:
· Logical access controls (User profiles and Privileges).
· User registration and de-registration.
· Security parameter setup.
· Staff data confidentiality and integrity.
· Operational procedures.
· Application logs.
· Data backup and retention.
· System support and change management.
· Payroll data integrity.
· Information classification.
3. Risk: Risk of fire outbreak and environmental threat, as well as unauthorized activities, due to lack of physical security controls.
Controls: Implement physical and environmental security controls.
Procedure:
· Verify that employee files are properly and safely stored in fire proof cabinets to secure them from unauthorized tampering or fire.
· Verify that smoke detectors were installed in rooms where employee files are stored.
· Verify that CCTV cameras were installed in the file rooms to monitor and record the activities of users/staff in the room.
4. Risk: Risk of multiple payments, over payment or payment of unearned salaries and allowances to staff.
Controls: Implement a procedure for the review of payroll data as well as payments to staff members to ensure data integrity.
Procedure:
· Verify that disengaged staff are promptly removed/disabled from the payroll and other information systems of the organization to ensure that salaries and allowances are not further paid to them after separation.
· Conduct data integrity checks on the payroll with ACL Analytics software to ensure that duplicate payments of salaries and allowances were not made to staff, and that unearned salaries and allowances are not paid to disengaged staff after their exit.
· Compare the list of active staff in the payroll against the list of active staff in the employee database to ensure there are no discrepancies (e.g. ghost staff, duplications, etc.).
· Verify that the effective dates of separation of staff that have disengaged from the organization's employment were properly captured, for data integrity checks on the payroll and for correct computation of staff exit entitlements where applicable.
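The four payroll checks in the procedure column above (duplicate payments, ghost staff, payments after separation, missing separation dates) can be scripted rather than run in ACL Analytics. The example below is added here and is not from the book; the employee and payroll records are constructed sample data.

```python
from collections import Counter
from datetime import date

# Constructed HR master data (hypothetical): staff_id -> (status, separation_date)
EMPLOYEES = {
    "E001": ("active", None),
    "E002": ("disengaged", date(2023, 3, 31)),
    "E003": ("active", None),
    "E004": ("disengaged", None),            # exit date never captured
}

# Constructed payroll run (hypothetical): (staff_id, pay_date, amount)
PAYROLL = [
    ("E001", date(2023, 4, 28), 250000),
    ("E001", date(2023, 4, 28), 250000),     # duplicate payment
    ("E002", date(2023, 4, 28), 180000),     # paid after separation date
    ("E003", date(2023, 4, 28), 210000),
    ("E999", date(2023, 4, 28), 150000),     # not in HR database: ghost staff
]

def payroll_exceptions(employees, payroll):
    """Run the four checks from the procedure column and return the exceptions."""
    # 1. Duplicate payments: same staff, pay date and amount appearing more than once
    duplicates = [key for key, n in Counter(payroll).items() if n > 1]
    # 2. Ghost staff: paid on the payroll but absent from the employee database
    ghosts = sorted({sid for sid, _, _ in payroll if sid not in employees})
    # 3. Unearned salaries: payments dated after a captured separation date
    paid_after_exit = [
        (sid, pay_date) for sid, pay_date, _ in payroll
        if sid in employees and employees[sid][1] is not None
        and pay_date > employees[sid][1]
    ]
    # 4. Data quality: disengaged staff whose effective separation date is missing,
    #    so check 3 cannot be applied to them and the exit entitlement cannot be computed
    missing_exit_date = sorted(
        sid for sid, (status, exit_date) in employees.items()
        if status == "disengaged" and exit_date is None
    )
    return {
        "duplicates": duplicates,
        "ghost_staff": ghosts,
        "paid_after_exit": paid_after_exit,
        "missing_exit_date": missing_exit_date,
    }

if __name__ == "__main__":
    for check, hits in payroll_exceptions(EMPLOYEES, PAYROLL).items():
        print(f"{check}: {hits}")
```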
Network Security
3. Firewall Security
Audit area: Firewall

Test Procedure: Remove access list entries (rules) on the firewall with zero (0) hits (i.e. rules no longer in use). This is to optimize performance and enable the firewall to process legitimate traffic.
Implication: Obsolete rules increase the attack surface and can be exploited.

Test Procedure: Ensure that no rule that allows "any" service between two hosts is granted.
Implication: Not specifying a service for a rule implies that any service could utilize the rule set, which could create a vulnerability for the device.

Test Procedure: Ensure that the firewall access list (rule set) includes an "explicit deny statement" (an explicit "deny ip any any log" rule). This is to enable the administrator to have visibility on the dropped traffic.
Implication: Inadequate visibility on the firewall by the administrator could lead to non-detection of unauthorized activity or DoS attacks.

Test Procedure: Ensure that access list rule sets are commented to aid easy identification of each rule and its function.
Implication: Not commenting on each access list rule set on the firewall could lead to the creation of multiple ACL rules performing the same function and, as such, result in performance degradation of the firewall.

Test Procedure: Ensure that AAA authentication is enabled on the firewall. This is to enable the firewall to be effectively managed and monitored using ACS (TACACS+) or RADIUS.
Implication: Lack of effective management and central administration of the firewall could lead to unauthorized access, administrative overhead and duplication of effort.

Test Procedure: Ensure that AAA authentication for the interactive management interface has been enabled. This will ensure that users log in using a valid username and password.
Implication: Risk of unauthorized access if AAA authentication for the interactive management interface is not implemented.

Test Procedure: Ensure that AAA servers and protocols have been defined.
Implication: This is to restrict users to specific and authorized protocols and prevent unauthorized access.

Test Procedure: Ensure that only SSH version 2 is enabled on all network devices.
Implication: SSH version 1 has a known vulnerability, which prompted the release of version 2.

Test Procedure: Ensure that the management console line (line 0) password has been set with strong password encryption (enable secret). The password command causes the firewall to enforce use of a strong password to access the user mode.
Implication: Using default or well-known passwords makes it easier for an attacker to gain entry to the device.

Test Procedure: Ensure that the firewall has been configured for ASDM management access control.
Implication: This configuration restricts remote management access via HTTPS for ASDM to authorized management subnets only, minimizes the device attack surface and prevents potential compromise.

Test Procedure: Ensure that only SSHv2 was enabled for remote management of the device.
Implication: Telnet should not be used for remote management of the firewall and, as such, should be disabled given that it is a weak protocol and transmits users' credentials in plain text.

Test Procedure: Ensure that a session timeout was configured on the firewall to automatically disconnect a login session after a fixed period of idle time (say 5 minutes).
Implication: This is to prevent unauthorized users from hijacking or misusing abandoned sessions.

Test Procedure: Ensure that SSH access control is required for the firewall device.
Implication: This restricts access to the device to only the approved management subnet. The restriction prevents unauthorized parts/sections of the network from accessing the device.

Test Procedure: Ensure that EXEC, Login, MOTD and ASDM banners were configured as appropriate.
Implication: Banners are electronic messages that communicate legal rights to users that log in to the device. Banners establish a system administrator's common authority to consent to a law enforcement investigation.

Test Procedure: Ensure that at least one user was set on the console line for (local) access to the device.
Implication: This is to serve as a fallback authentication in the event that the centralized AAA service is unavailable.

Test Procedure: Ensure that only SNMP version 3 is enabled on the firewall device. SNMPv1 and SNMPv2 should be disabled.
Implication: SNMPv1 and SNMPv2 use clear text community strings, which are considered a weak security implementation.

Test Procedure: Ensure that SNMP read access, which allows remote monitoring and management of the device, is disabled except when needed, most importantly for the lower SNMPv1 and SNMPv2.
Implication: SNMPv1 and SNMPv2 use clear text community strings, which are considered a weak security implementation.

Test Procedure: Ensure that the local time zone is set on the device. This command explicitly configures the device to coordinated universal time (UTC).
Implication: It eliminates difficulty troubleshooting across different time zones and correlating time stamps for disparate log files across the network.

Test Procedure: Ensure that the DHCP server service is not configured on the device.
Implication: Attackers can potentially use DHCP to carry out denial-of-service (DoS) attacks.

Test Procedure: Ensure that the firewall is configured to submit logs to one or more syslog servers for central event correlation. It can be configured to send logs to a SIEM syslog server such as ArcSight.
Implication: Logging to an external system provides for protected long-term storage of logs, which would otherwise be lost due to the device's limited internal logging buffer capacity. It also keeps the logs away from the device administrators, who could delete or tamper with the logs to conceal their activities.

Test Procedure: Ensure that the firewall is configured for NetFlow Secure Event Logging (NSEL), which monitors traffic flow through the firewall.
Implication: NSEL provides greater visibility into traffic flow passing through the network.

Test Procedure: Ensure that the firewall device clock is synchronized with the Network Time Protocol (NTP) server to enable reliable correlation of events based on the actual sequence in which they occurred.
Implication: Without NTP clock synchronization, the accuracy of time and sequence of events would be diminished.

Test Procedure: Ensure that the firewall is configured to authenticate NTP messages from the NTP server.
Implication: Without NTP message authentication, an attacker can spoof the device's NTP server.

Test Procedure: Ensure that the device is running on an authorized OS version.
Implication: Outdated OS versions usually have known vulnerabilities, which can be exploited by an attacker.

Test Procedure: Ensure that the firewall is configured such that it closes connections after they become idle, to minimize the impact on memory and resources available for new connections.
Implication: This reduces the risk of someone accessing an already established but idle connection. It also reduces the likelihood of a DoS attack.

Test Procedure: Ensure that intrusion detection is enabled on the firewall.
Implication: When intrusion detection is enabled on the firewall, the device can detect unusual activities using informational and attack signatures and take necessary action such as dropping the packet or closing the connection. Attack signatures identify activities that are, or lead to, exploitation. These would not be detected by the firewall if intrusion detection policies are not set.

Test Procedure: Ensure that fragment chain fragmentation is disabled to prevent fragmented packets on external or high risk interfaces.
Implication: Accepting packet fragmentation makes it possible for an attacker to submit a large number of packet fragments to cause a fragmentation DoS.

Test Procedure: Ensure that traffic inspection is enabled on the firewall for commonly attacked protocols to ensure that only legitimate requests are permitted.
Implication: Traffic inspection should be performed for all traffic, both inbound and outbound, matching the enabled protocols to prevent threats associated with the protocols.

Test Procedure: Ensure that object groups are used to simplify ACL policy rules on the firewall by grouping services, networks and protocols.
Implication: The use of object groups in access control entries makes firewall rules easier to troubleshoot and audit.
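Several of the firewall tests above (SSHv2 only, no Telnet, SSH restricted to a management subnet, no SNMPv1/v2c community strings, NTP authentication, remote syslog, commented rules, no "any service" host-to-host rules, and an explicit logged deny at the end of each ACL) can be checked offline against an exported configuration. The example below is added here and is not from the book; it assumes Cisco ASA-style configuration syntax and runs over a constructed sample config, not a real device.

```python
import re
# Constructed ASA-style running-config excerpt (hypothetical, not a real device)
SAMPLE_CONFIG = """\
ssh version 2
ssh 10.10.5.0 255.255.255.0 management
telnet 10.10.5.0 255.255.255.0 inside
snmp-server community public
ntp server 10.10.5.10 key 1
logging host management 10.10.5.30
access-list OUTSIDE_IN remark Public web server
access-list OUTSIDE_IN extended permit tcp any host 10.10.8.10 eq 443
access-list OUTSIDE_IN extended permit ip host 10.10.8.10 host 10.10.8.11
access-list OUTSIDE_IN extended deny ip any any log
access-list DMZ_OUT extended permit tcp any any eq 25
"""
# Device-wide tests from the table: (check name, line pattern, should it be present?)
DEVICE_CHECKS = [
    ("ssh_version_2",     r"^ssh version 2$",             True),
    ("ssh_restricted",    r"^ssh 0\.0\.0\.0 0\.0\.0\.0 ", False),
    ("telnet_disabled",   r"^telnet \d",                  False),
    ("no_snmp_v1_v2c",    r"^snmp-server community ",     False),
    ("ntp_authenticated", r"^ntp authenticate$",          True),
    ("remote_syslog",     r"^logging host ",              True),
]

def audit_device(config):
    """Return {check_name: passed} for each line-level test."""
    return {name: bool(re.search(pat, config, re.M)) == want
            for name, pat, want in DEVICE_CHECKS}

def audit_acls(config):
    """Rule-level tests: remarks, 'any service' host-to-host rules, final logged deny."""
    findings, remark_pending, last_entry = [], {}, {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (remark|extended) (.*)", line)
        if not m:
            continue
        acl, kind, rest = m.groups()
        if kind == "remark":
            remark_pending[acl] = True       # comment applies to the next entry
            continue
        if not remark_pending.pop(acl, False):
            findings.append(f"{acl}: uncommented rule: {rest}")
        if re.match(r"permit ip host \S+ host \S+", rest):
            findings.append(f"{acl}: any-service rule between hosts: {rest}")
        last_entry[acl] = rest
    for acl, rest in last_entry.items():
        if rest != "deny ip any any log":
            findings.append(f"{acl}: no explicit logged deny at end of ACL")
    return findings
```

On the sample config the device checks fail for Telnet, the SNMP community string and NTP authentication, and the ACL checks report the uncommented and host-to-host "ip" rules plus the missing final deny on DMZ_OUT.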
Security
Please note that the following will also be required; however, the commands/files must be extracted/executed at the operating system level.
· INIT<SID>.ORA
· TNSNAME.ORA
· LISTENER.ORA
· PROTOCOL.ORA
· OPATCH LSINVENTORY -DETAIL
ALTER PROFILE <profile_name> LIMIT FAILED_LOGIN_ATTEMPTS 5;

30. Test Procedure: Ensure 'PASSWORD_LOCK_TIME' is greater than or equal to '1'.
Risk Implication: This setting locks out the user after a given period of inactivity or idle time. The user will need to input his/her password to access the account.
Recommendation: Set 'PASSWORD_LOCK_TIME' for each PROFILE to the value '1' or in line with the password policy requirement of the organization. The following script could be used to effect the setting:
ALTER PROFILE <profile_name> LIMIT PASSWORD_LOCK_TIME 1;

31. Test Procedure: Ensure 'PASSWORD_LIFE_TIME' is less than or equal to '90'.
Risk Implication: This is the password ageing parameter, which is used to determine the life time of a selected password. There is a risk of a successful brute force login attack if the password does not expire. The value to set should depend on the password policy requirement of the organization.
Recommendation: Set 'PASSWORD_LIFE_TIME' to a value less than or equal to '90' or as applicable to the password policy of the organization. Run the following script to effect the setting:
ALTER PROFILE <profile_name> LIMIT PASSWORD_LIFE_TIME 90;
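The profile limits above are evaluated per PROFILE, and a limit of DEFAULT inherits the DEFAULT profile's value while UNLIMITED never expires, so a check that reads DBA_PROFILES literally will miss both cases. The example below is added here and is not from the book; it assumes rows exported from DBA_PROFILES (constructed sample data) and uses the thresholds from the table (PASSWORD_LOCK_TIME >= 1, PASSWORD_LIFE_TIME <= 90, and FAILED_LOGIN_ATTEMPTS 5 from the script at the top), emitting the same ALTER PROFILE remediation form for each failure.

```python
# Constructed DBA_PROFILES rows (hypothetical): (profile, resource_name, limit)
DBA_PROFILES = [
    ("DEFAULT",   "FAILED_LOGIN_ATTEMPTS", "10"),
    ("DEFAULT",   "PASSWORD_LOCK_TIME",    "1"),
    ("DEFAULT",   "PASSWORD_LIFE_TIME",    "180"),
    ("APP_USERS", "FAILED_LOGIN_ATTEMPTS", "5"),
    ("APP_USERS", "PASSWORD_LOCK_TIME",    "DEFAULT"),    # inherits from DEFAULT
    ("APP_USERS", "PASSWORD_LIFE_TIME",    "UNLIMITED"),  # never expires
    ("SVC_BATCH", "FAILED_LOGIN_ATTEMPTS", "DEFAULT"),
    ("SVC_BATCH", "PASSWORD_LOCK_TIME",    ".0104"),      # about 15 minutes, in days
    ("SVC_BATCH", "PASSWORD_LIFE_TIME",    "60"),
]

# Limits from the audit table: resource -> (comparison, threshold)
REQUIREMENTS = {
    "FAILED_LOGIN_ATTEMPTS": ("<=", 5),
    "PASSWORD_LOCK_TIME":    (">=", 1),
    "PASSWORD_LIFE_TIME":    ("<=", 90),
}

def effective_limit(rows, profile, resource):
    """Resolve DEFAULT to the DEFAULT profile's value; UNLIMITED compares as infinity."""
    table = {(p, r): v for p, r, v in rows}
    value = table.get((profile, resource), "DEFAULT")
    if value == "DEFAULT":
        value = table[("DEFAULT", resource)]
    return float("inf") if value == "UNLIMITED" else float(value)

def profile_exceptions(rows):
    """Return {(profile, resource): (effective value, remediation script)} for failures."""
    exceptions = {}
    for profile in sorted({p for p, _, _ in rows}):
        for resource, (op, threshold) in REQUIREMENTS.items():
            value = effective_limit(rows, profile, resource)
            compliant = value <= threshold if op == "<=" else value >= threshold
            if not compliant:
                script = f"ALTER PROFILE {profile} LIMIT {resource} {threshold};"
                exceptions[(profile, resource)] = (value, script)
    return exceptions

if __name__ == "__main__":
    for (profile, resource), (value, script) in profile_exceptions(DBA_PROFILES).items():
        print(f"{profile}.{resource} = {value}  ->  {script}")
```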
Please note that the following will also be required; however, the commands/files must be extracted/executed at the operating system level.
· Open SQL Server Configuration Manager; go to the SQL Server Network
Configuration. (print screen).
· Powershell (PS) C:\>Get-WmiObject -Class Win32_Service
· Print screen showing tracelog file in the OS.
· Print screen showing schedule backup settings.
1. Test Procedure: Ensure that the 'Ad Hoc Distributed Queries' option is disabled on MSSQL Server. This is because it allows users to query data and execute statements on external data sources.
Risk Implication: This feature, if not disabled, could be used to remotely access and exploit vulnerabilities on remote SQL Server instances. It can be used to run unsafe application functions.
Recommendation: Disable 'Ad Hoc Distributed Queries' on MSSQL Server.

2. Test Procedure: Ensure that CLR assemblies are disabled on the MSSQL Server instance.
Risk Implication: Allowing the use of CLR assemblies increases the attack surface of SQL Server and puts it at risk of malicious assemblies.
Recommendation: Disable CLR assemblies on MSSQL Server.

3. Test Procedure: Ensure the db_owner role is disabled on the database instance, as it permits cross-database ownership chaining in the SQL Server instance.
Risk Implication: If this option is not disabled, a member of the db_owner role in a given database can gain access to objects owned by a user/account in another database, which is excessive disclosure of information.
Recommendation: Disable the db_owner role on the database, or obtain management approval to accept its use as a residual risk if needed.

4. Test Procedure: Ensure that database mailing in MSSQL Server is disabled.
Risk Implication: Allowing this feature (database mail) increases the SQL Server attack surface and makes the database vulnerable to DoS attacks and data theft from the database server to a remote host.
Recommendation: Disable the database mailing feature on the SQL Server instance.

5. Test Procedure: Ensure that extended stored procedures ('Ole Automation Procedures'), which allow SQL Server users to execute functions that are external to SQL Server, are disabled.
Risk Implication: Allowing extended stored procedures increases the attack surface of the SQL Server database, as users could execute functions in SQL Server without any restriction.
Recommendation: Disable extended stored procedures on the SQL database server instance.
Infrastructure
PowerCLI command:
4. Graceful / clean shutdown or restart of the Guest OS to prevent data corruption is not possible without VMware Tools.
3. vCenter backup should be done.
28. Test Procedure: Ensure there is no disparity or gap in the capacity of the primary processing facility infrastructure compared to the infrastructure in the Disaster Recovery/alternate processing site.
Risk Implication: Inability of the Disaster Recovery site to support all applications and services adequately in the event of a disaster at the primary processing site, as a result of capacity issues.
Recommendation: The capacity of the infrastructure at the Disaster Recovery (DR) site should be upgraded to match the capacity at the main processing facility.
4. Treatment of Email alarms sent in response to changing infrastructure capacity challenges.