Page 1 of 296

Auditing Your Information Systems and IT Infrastructure

Practical Audit Programs/Checklists for Internal Auditors

By

Nwabueze Ohia

Discover Other Titles by Nwabueze Ohia
1. Auditing your Payment Cards Processes, Systems and Applications: A Step by Step
PCIDSS Compliant Audit Program

2. Auditing Your Windows Infrastructure, Intranet and Internet Security: A Practical Audit
Program for IT Assurance Professionals

3. IT Infrastructure Risk & Vulnerability Library: A Consolidated Register of Operational and
Technology Infrastructure Vulnerabilities for IT Assurance Professionals

Editor: Nwabueze Ohia
Designer: Nwabueze Ohia

Copyright © 2017 Nwabueze Ohia. All rights reserved

This book is licensed for your personal enjoyment only. This book may not be re-sold or
given away to other people. If you would like to share this book with another person,
please purchase an additional copy for each recipient. If you’re reading this book and
did not purchase it, or it was not purchased for your use only, then please return to your
favourite book retailer and purchase your own copy. Thank you for respecting the hard
work of this author.

No part of this publication may be reproduced, stored in a retrieval system or transmitted
in any form or by any means electronic, mechanical, photocopying, recording or
otherwise without the prior written permission of the copyright owner.

Permissions may be sought directly from the author on Phone number: +234(0)803 757
4700; email: info@oxleyconsults.com.ng. Alternatively, you may submit your request online
by visiting the Oxley Technologies Inc. website at http://oxleyconsults.com.ng/contact-us/,
and we will get back to you.

Notices

Knowledge and best practices in the field of information and technology security are
constantly evolving. As new risks and vulnerabilities emerge, changes in research methods
and broader experience are required to contain the threats to system and human
security. It is therefore expedient for professional practice to rise to the challenges and
threats posed by information security risks and vulnerabilities.

Practitioners and researchers in this industry must always rely on strong personal judgment
and experience in evaluating and applying the information and methods acquired
from this book, while also exercising professional due care and caution to ensure their
own safety and that of others, as well as of parties to whom they owe a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the author(s), contributors, or
editors, assume any responsibility for any injury and/or damage to persons or property as a
matter of products liability, negligence or otherwise, or from any use or operation of any
methods, procedures, products, instructions, or ideas contained in the material herein.

For information on all Oxley Technologies Inc. publications and materials, visit our web site at
http://oxleyconsults.com.ng/
Booking

For trainings and capacity building sessions, conferences/seminars and public speaking
opportunities, as well as consulting engagements on subjects/topics/areas covered in this
book or other books by the author, you can contact Nwabueze Ohia directly on phone
number +234-8037574700 or email address nwabueze.ohia@oxleyconsults.com.ng for
further discussion.

For a full list of trainings offered by the author, visit http://oxleyconsults.com.ng/training/

Your feedback is invaluable to us

If you recently bought this book, we would love to hear from you! You can write a review
on Amazon (or the online store where you purchased this book) about your last order! If
you bought this book from our website at http://oxleyconsults.com.ng/, we would appreciate
it if you leave a review on our website! We would love to hear real client experiences and
feedback as part of our continual service improvement process.

How does it work?

To post a review on Amazon, just log into your account and click on the Create Your Own
Review button (under Customer Reviews) of the relevant product page. You can find
examples of product reviews on Amazon. If you purchased from another outlet/online
store, simply follow their procedures.

Once you have submitted your review, send us an email at info@oxleyconsults.com.ng
with the link to your review so we can properly thank you/appreciate your feedback.

CONTENTS AT A GLANCE

Part I Audit Overview

Chapter 1 Effectiveness of the Internal Audit Function
Chapter 2 The Audit Process

Part II IT Systems, Processes and Infrastructure Audit

Chapter 3 Audit of Data Centers
Chapter 4 Audit of Business Continuity and Disaster Recovery
Chapter 5 Audit of Business Process Re-engineering (BPR) and Automation
Chapter 6 Audit of Governance of Enterprise IT
Chapter 7 Audit of Physical and Environment Security
Chapter 8 Audit of Windows Infrastructure, Intranet and Internet Security
Chapter 9 Audit of Financial Technology Applications and Payment Applications
(Online Banking and Payment Apps)
Chapter 10 Audit of Unix and Linux Operating System Infrastructure
Chapter 11 Audit of Core Banking Applications (Finacle, Flexcube and Phoenix)
Chapter 12 Audit of Payment Cards (Debit, Credit & Prepaid) Processes, Systems and
Applications – PCI DSS Compliance
Chapter 13 Audit of Employee Information System
Chapter 14 Audit of Perimeter Network Security
Chapter 15 Audit of Database Security
Chapter 16 Audit of Virtualized Infrastructure

TABLE OF CONTENTS
About the Author
Preface by Nwabueze Ohia

Part I Audit Overview ----------------------------------------------------------------------------------21


Chapter 1 The Internal Audit Function -----------------------------------------------------------------23
Effectiveness of the Internal Audit Function ------------------------------------------25
The Mandate ------------------------------------------------------------------------------------27
Consulting and Pre-Audit Planning Engagements ---------------------------------28
Information Gathering --------------------------------------------------------------27
Risk Assessment ------------------------------------------------------------------------28
Business Pain Points Identification -----------------------------------------------29
Resource Budgeting ---------------------------------------------------------------------------29
The IT Audit Team -------------------------------------------------------------------------------30
Composition ----------------------------------------------------------------------------30
Competence of IT Audit Team ---------------------------------------------------31
Data Preparation and Analysis ---------------------------------------------------31
Onsite and Offsite Activities --------------------------------------------------------31
Partnering with the Audit Client ------------------------------------------------------------32

Chapter 2 The Audit Process -------------------------------------------------------------------------------34


Planning ----------------------------------------------------------------------------------35
Execution --------------------------------------------------------------------------------35
Reporting --------------------------------------------------------------------------------36
Grading/Rating -----------------------------------------------------------------------37
Corrective Actions and Remediation -----------------------------------------38
Follow Up/Issue Tracking -----------------------------------------------------------38
Determining the Audit Universe -----------------------------------------------------------39
Determining the Audit Type ----------------------------------------------------------------39
Full Audit ---------------------------------------------------------------------------------40
Spot-checks ----------------------------------------------------------------------------40
Follow Up Audit -----------------------------------------------------------------------40
Investigation and Special Audit -------------------------------------------------40
Effective auditing through audit automation (audit management software) ----41
Part II IT Systems, Processes and Infrastructure Audit -----------------------------------------------42

Chapter 3 Audit of Data Centers ----------------------------------------------------------------------46


Data Center Audit Program --------------------------------------------------------------47
Data Center Checklist ----------------------------------------------------------------------47
Organization and Administration of the Data Center -----------------47
Environmental Controls -----------------------------------------------------------53
Monitoring and Surveillance Controls ---------------------------------------55
Physical and Logical Access Controls to the Data Center ----------58
Data Backup and Restoration -------------------------------------------------60

Chapter 4 Audit of Business Continuity and Disaster Recovery -----------------------------62


Audit Program for Business Continuity and Disaster Recovery
Management ---------------------------------------------------------------------------------63
Audit Checklist for Business Continuity and Disaster Recovery --------------64
Business Continuity Readiness -------------------------------------------------64
Disaster Recovery (DR) Site -----------------------------------------------------68
DR Data Center Controls --------------------------------------------------------72

Chapter 5 Audit of Business Process Re-engineering (BPR) and Automation ----------75


Business Process Re-engineering (BPR) Audit Program --------------------------76
Business Process Re-engineering (BPR) Audit Checklist -------------------------77
Procedures and Standards ------------------------------------------------------77
System Development --------------------------------------------------------------77
System Testing ------------------------------------------------------------------------78
Change Management -----------------------------------------------------------78
Access Controls ---------------------------------------------------------------------79
Documentation ---------------------------------------------------------------------80
Code Review and Vulnerability Assessment/Management --------82

Chapter 6 Audit of Governance of Enterprise IT -------------------------------------------------83


IT Governance Basics ----------------------------------------------------------------------84
Information Technology Governance and Strategic Planning ---85
Information Systems Strategy --------------------------------------------------86
Information Security Management ------------------------------------------86
Information Risk Management ------------------------------------------------87
Performance Management ----------------------------------------------------87
IT Governance Audit Program ----------------------------------------------------------88
IT Governance Audit Checklist ----------------------------------------------------------89

Chapter 7 Audit of Physical and Environment Security ----------------------------------------90


Physical and Environment Security Audit Program ------------------------------91
Physical and Environment Security Audit Checklist ------------------------------92
Physical Security Administration (Premises and Restricted Areas) ------92
Entry Control Systems (Biometric, Smartcard and Locks)
Management ------------------------------------------------------------------------95
Security Surveillance (CCTV System) ----------------------------------------96
Safety Procedures and Environmental Controls -----------------------103

Chapter 8 Audit of Windows Infrastructure, Intranet and Internet Security -----------109


Audit Program of Windows Infrastructure, Intranet and Internet
Security -----------------------------------------------------------------------------------------110
Audit Checklist of Windows Infrastructure, Intranet and Internet
Security -----------------------------------------------------------------------------------------112
Policies, Procedures and Administration ---------------------------------112
Change Management ---------------------------------------------------------113
Security Administration ----------------------------------------------------------115
Log Management ----------------------------------------------------------------120
Logical Access Controls --------------------------------------------------------120
Business Continuity, Disaster Recovery and Backups ----------------124
Vulnerability Management ----------------------------------------------------126
Active Directory/Domain Controller Server Controls -----------------128
Endpoint Management and Data Loss Prevention (DLP) ----------138

Chapter 9 Audit of Financial Technology and Electronic Payment Applications (Online
Banking and Payment Apps) ----------------------------------------------------------144
Audit Program for Audit of Financial Technology and Electronic Payment
Applications ----------------------------------------------------------------------------------145
Audit Checklist for Audit of Financial Technology and Electronic Payment
Applications ----------------------------------------------------------------------------------147
Policies and Procedures --------------------------------------------------------147
Review of Third Party Service Level Agreements (SLAs) ------------147
Logical Access Controls -------------------------------------------------------147
Application Controls ------------------------------------------------------------151
Database Controls --------------------------------------------------------------153
Operating System Controls ---------------------------------------------------156
Redundancy and Data Backup --------------------------------------------156
Change Management ---------------------------------------------------------157
Log Management ----------------------------------------------------------------157

Chapter 10 Audit of Unix and Linux Operating System Infrastructure ---------------------158


Audit Program for Unix and Linux Operating System Infrastructure -------159
Audit Checklist for Unix and Linux Operating System Infrastructure ------160
Organization and Administration -------------------------------------------160
Installation Audit -------------------------------------------------------------------162
Operating Policies and Procedures ----------------------------------------162
System and Security Administration ----------------------------------------163
Account Security (Logical Access Controls) ----------------------------168
Password Management Controls -------------------------------------------169
File Permission and Security Controls --------------------------------------171
Network Security Controls -----------------------------------------------------171

Chapter 11 Audit of Core Banking Applications (Finacle, Flexcube and Phoenix) -173
Audit Program for Core Banking Applications ----------------------------------174
Audit Checklist for Core Banking Applications ----------------------------------175
Policies and Standard Operating Procedure --------------------------175
Segregation of Duties and Maker/Checker Controls ---------------175
Application Controls ------------------------------------------------------------176
Change Management --------------------------------------------------------181
Business Continuity and Disaster Recovery -----------------------------183
Data Backup and Redundancy --------------------------------------------184
Security Administration ---------------------------------------------------------186
User Access Management ----------------------------------------------------189
System Monitoring and Audit Trail ------------------------------------------190

Chapter 12 Audit of Payment Cards (Debit, Credit & Prepaid) Processes, Systems and
Applications – PCI DSS Compliance -------------------------------------------------192
Audit Program for Payment Card Environment ---------------------------------193
Audit Checklist for Payment Card Environment ---------------------------------195
Organization and administration --------------------------------------------195
Application Controls -------------------------------------------------------------196
Database Controls ---------------------------------------------------------------199
Redundancy and data backup --------------------------------------------200
Change Management ---------------------------------------------------------201
Vendor Management -----------------------------------------------------------202
Credit Card Portfolio Management ----------------------------------------203
Encryption Key Management ------------------------------------------------204
Network Controls ------------------------------------------------------------------209
Vulnerability Assessment --------------------------------------------------------212
Operating System Controls ----------------------------------------------------213
Cards Operations, Personalization and Issuance (Debit
and Credit) --------------------------------------------------------------------------215

Chapter 13 Audit of Employee/Human Resources Information Systems -----------------220


Audit Program for Employee/Human Resources Information System ----221
Audit Checklist for Employee/Human Resources Information System ----222
Onboarding and Exit Process --------------------------------------------------222
Human Resources Organization and Administration -----------------225
Human Resources Application System (HR Software) ----------------227
Data Backup and Redundancy for HR Application ------------------233

Chapter 14 Audit of Perimeter Network Security --------------------------------------------------234


Audit Checklist for Perimeter Network Security -------------------------235
Network Logical Access Controls ----------------------------------235
Network Remote Access Controls ---------------------------------236
Firewall Security Controls ----------------------------------------------238

Chapter 15 Audit of Database Security --------------------------------------------------------------244


Oracle Database Audit Requirements ------------------------------------245
Oracle Database Audit Checklist -------------------------------------------246
Microsoft SQL Server Database Audit Requirements -----------------262
Microsoft SQL Server Database Audit Checklist ------------------------263

Chapter 16 Audit of Virtualized Infrastructure ------------------------------------------------------271


Audit Checklist of Virtual Infrastructure ------------------------------------272
Discover Other Titles By The Author -----------------------------------------------------------------------291
Connect with Nwabueze Ohia ---------------------------------------------------------------------------- 292

About the Author

A Certified Information Systems Auditor (CISA) and Certified Lead Auditor for ISO 27001
(Information Security Management System), ISO 22301 (Business Continuity Management
System), ISO 20000 (IT Service Management System) and ISO 27032 (Lead Cyber Security
Manager), Nwabueze Ohia is a seasoned information risk assurance and cybersecurity
expert with over 13 years’ industry experience in IT consulting, IT audit, internal
control/audit and information risk assurance. With the bulk of his experience in the banking
and financial institution space, Nwabueze has performed roles such as IS/IT Auditor,
Information Security Analyst, IT Forensics/Fraud Investigator, IT Risk Analyst and System Control
Analyst, among others, in the course of his professional life. His core strengths/competences
are in information systems & technical infrastructure auditing, IT risk assessment, cyber
threat intelligence & analysis, security architecture & engineering (networks and operating
systems), electronic fraud & forensic investigation, software engineering & web
application development, data analytics and revenue assurance, among others.

Given his strong auditing and information risk assurance background, he has developed a
series of audit work programs, checklists, risk assessment templates and information
security programs, which professionals have recognized as valuable resources for
information risk and security assurance. This is due to their conformance to
standards/frameworks issued by professional bodies such as the Institute of Internal Auditors
(IIA), ISACA (Information Systems Audit and Control Association), (ISC)² (International
Information System Security Certification Consortium), the National Institute of Standards &
Technology (NIST Risk Management & Cybersecurity Frameworks) and the Center for Internet
Security (CIS). His books, articles, best practice guides and web content are hands-on
(do-it-yourself) guides and have assisted practitioners within Nigeria, Sub-Saharan Africa and
beyond in addressing information risk and security concerns in an ever-changing and dynamic IT
environment. Beyond the financial services sector, practitioners in other sectors such as
insurance, telecommunications, web hosting, Internet service providers, SaaS and cloud
service providers, distribution & supply chain management, shipping, and oil & gas have
leveraged content produced by Nwabueze to excel in their endeavors.

Page 16 of 296
Nwabueze Ohia is a seasoned trainer and public speaker and operates the website
(http://oxleyconsults.com.ng) where all his books and materials are published. He has
four published books to his credit, which are available on the Amazon Kindle store as
well as other major eBook reading and distribution platforms worldwide. He holds a Higher
National Diploma (HND) in Electrical/Electronics Engineering (Telecommunications) from
Federal Polytechnic Nekede Owerri and a Bachelor of Technology (B. Tech) degree in
Information Management Technology (IMT), and recently completed a Master of Science
(MSc) degree in Information Management Technology (IMT) at the Federal University of
Technology Owerri, Imo State.

Nwabueze Ohia is passionate about giving back to society and to the knowledge base
of his chosen profession, having been greatly enriched by both. He has demonstrated this
passion through several write-ups, articles, best practice guides and professional papers
published via his website and other outlets. He finds joy and fulfillment in extending a helping
hand to the needy and the downtrodden of our society. His hobbies are traveling round
the world, soccer, tennis and web application development/programming. Born in 1983 to
Nigerian parents from the eastern part of the country, he is happily married with two
children.

Preface
By Nwabueze Ohia
Assuring the Security of Your Information Systems and IT Infrastructure (IT Audit and
Internal Audit)

This edition has been updated to cover virtually all areas of information systems and IT
infrastructure. “Auditing Your Information Systems and IT Infrastructure: Practical Audit
Programs/Checklists for Internal Auditors” serves as a reference handbook for IT auditors
and other IT assurance professionals on how to use current IT auditing techniques and
programs to provide assurance on the security of enterprise information systems and IT
infrastructure. New chapters on perimeter network security, database security and
virtualized infrastructure are included. The book describes leading practices in internal
audit and how the internal audit/IT audit function can effectively meet stakeholders’
expectations and add value to the business while maintaining its independence. Details on
how to conduct specific audits of IT processes, services, systems and infrastructure are
provided, with hands-on checklists and audit test procedures. The following areas of
information systems, processes and IT infrastructure are covered.

· Leading practices in internal audit function
· Data center
· Business continuity management and disaster recovery management
· Business process re-engineering (BPR) and automation function
· IT governance and strategic planning
· Physical and environmental security
· Windows infrastructure, intranet and internet security
· Financial Technology (Fintech) and Electronic Payment Applications
· UNIX operating system infrastructure (IBM AIX & Oracle UNIX)
· Core banking application (Finacle, Flexcube and Phoenix)
· Payment card (debit, credit & prepaid) processes, systems and applications –
PCIDSS Compliance
· Employee (Human Resources) Information Systems
· Perimeter Network Security
· Database security (Oracle and Microsoft SQL Server Database)
· Virtualized infrastructure

Intended for IT auditors and other assurance professionals who wish to improve
their auditing skills, and for organizations performing a risk and control self-assessment
(RCSA) exercise from the ground up.

What You Will Learn and Benefit:

· Build or improve your auditing and control testing techniques/skills by knowing what
to look out for and how to verify the existence and adequacy of controls.
· Acquire hands-on audit programs/checklists for auditing your core IT
systems and infrastructure, which can easily be applied in your environment.
· Prepare for and pass management system certification audits such as PCI DSS, ISO
27001, ISO 22301, ISO 20000 and ISO 9001.
· Integrate the audit programs/checklists from this book into standard audit
management software such as TeamMate or MKInsight, as they share similar templates.
· Expand the scope of your audit testing to cover more areas of concern or risk
exposure.
· Strengthen your organization’s internal audit process and control testing, benefiting
from an expanded risk/vulnerability register.
· Rejuvenate your organization’s risk management and information security programs
with an improved perspective on the inherent risks/vulnerabilities of
your IT infrastructure and a robust, realistic vulnerability/risk register.
· Develop risk mitigation and treatment plans.

Who This Book Is For:

IT professionals moving into the auditing field; new IT Audit Managers, Directors, Vice
Presidents, and would-be Chief Audit Executives (CAEs) and Chief Information Security
Officers (CISOs); security specialists from other disciplines moving into information risk and
security assurance (e.g., former military security professionals, law enforcement
professionals, physical security professionals); and information risk and security specialists
(e.g. IT Security Managers, IT Risk Managers, IT Control Analysts, Security Engineers/Directors,
CIOs, CTOs, COOs).

PART 1
AUDIT OVERVIEW
Chapter 1 The Internal Audit Function
Chapter 2 The Audit Process

CHAPTER – 1 The Internal Audit Function

The Internal Audit Function
The fundamental role of the internal audit function is to provide independent assurance on
the adequacy and effectiveness of an organization's system of internal control, risk management and
governance. This assurance is provided to the key stakeholders of the organization, namely
the Board Audit Committee (BAC) and executive management.

An internal audit function is required by the laws of most countries and by the regulatory
authorities of most industries. In practically every business, internal audit is expected to
give key stakeholders feedback that business objectives will be realized and that the
internal control system is working as expected. In highly regulated industries such as
financial services (banks, insurance companies, investment and capital market firms, credit unions,
payment card firms), oil and gas, telecoms, media, consumer goods and other service
industries, internal audit is a minimum requirement for the issuance of operating
licences.

Even where it is not mandated by regulation, a business that wishes to make good corporate
governance and professionalism part of its organizational culture cannot do without an
internal audit function. One of the indices of a healthy and well-run organization is
therefore an independent internal audit department with clear authority from the highest
decision-making arm of the organization (the Board of Directors). This is usually what
investors look for when deciding whether to invest in a company, for the safety of their
funds and a good return on investment. Experience has also shown that organizations with
a good internal control system, a risk management culture and sound internal audit practice
enjoy the patronage of customers and investors alike, since nobody will commit resources to a
business with poor corporate governance and weak internal controls. For the same reason,
investors look to the financial statements or annual report of a company they intend to
invest in for the independent opinion of the auditors on the affairs of the company.

Internal audit is an independent, objective assurance and consulting activity designed to
add value and improve an organization's operations. It helps an organization realize its
objectives by bringing a systematic, disciplined approach to evaluating and improving the
effectiveness of internal control, risk management and governance processes.

Effectiveness of the Internal Audit Function
The internal audit function is effective when it provides reasonable assurance to the
organization's stakeholders (Board Audit Committee, executive management, shareholders or
customers) that the internal controls established by management (operational controls, IT
controls, market or business controls, risk management, etc.) are working as intended and
meet the needs and expectations of those stakeholders. To do so, the audit function must use
a methodology that sufficiently tests these controls and provides measurable metrics of
their adequacy and effectiveness.

In answering the effectiveness question, the following should be considered.

1. The internal audit charter and mission: This is where the internal audit function
derives its authority and independence. Has the internal audit function been
effectively empowered by the Board Audit Committee (BAC) and executive
management to perform its duties, and have its independence, objectivity and
reporting lines been clearly established and defined?
2. Applicable laws and regulations: The laws and regulations governing the industry or
sector/segment in which the organization conducts its business must be
identified and complied with throughout the organization. The organization must
therefore establish internal policies, procedures and controls to ensure strict
compliance with the laws and regulations applicable in its operating environment.
3. Audit strategies and plans: The audit function should document strategies and plans
for how it intends to carry out its statutory functions and exercise the mandate given
to it by the Board Audit Committee. In doing so, it must put forward realistic,
effective and risk-based audit strategies and plans for providing reasonable
assurance to the BAC and other stakeholders on the effectiveness and adequacy of
the internal controls established by management to ensure the realization of
business/corporate objectives.

It is important to note that measurement of the effectiveness and efficiency of the internal
audit function can be both quantitative and qualitative. This is why obtaining regular
independent feedback from key stakeholders on the effectiveness of the internal audit
function, and on how its activities create value for them, is important, with adjustments
made where needed.

In determining the effectiveness of the internal audit function, below are some of the
metrics identified to help measure how effective (or otherwise) the internal audit
function is and what forms the opinion of key stakeholders in that regard.

1. Audit plan coverage (audits performed as against the audit plan).
2. Quality of audit findings/observations.
3. Improvements due to implemented recommendations.
4. Revenue assurance and cost savings initiatives (income losses recovered,
duplicate payments and vendor overpayments detected).
5. Savings on the internal audit budget.
6. Potential fraud prevented.
7. Quality assurance review.

Metric 1: The percentage of planned audits completed is a good way of measuring the
efficiency of the internal audit function but does not tell the whole story about its
effectiveness. Where the audit plan is not risk-based, achieving a high percentage of the
plan does not make the internal audit function effective; it only shows the function's level
of activity, which may not meet the strategic needs of the organization and its stakeholders.
Achieving high audit plan coverage is laudable if the audit function has the resources to
achieve such a feat and the audit plan, ab initio, was based on the strategic needs of the
organization and duly considered the emerging risk and control issues the organization
faces. The audit function must also be dynamic in its planning to accommodate demands
such as special reviews, spot checks, compliance checks and investigative reviews that the
Board Audit Committee and Management may require of it in response to emerging risks,
loss events and other incidents that threaten the organization in the course of the fiscal
year.

Metric 2: The quality of the audit findings/observations made by the internal audit function
is important to key stakeholders and demonstrates that internal audit is on top of the key
risk issues and business pain points facing the organization, whose impact would have
fallen on the business had they not been raised and reported. The attention is therefore on
the quality of the discoveries made during audits that could affect the organization's
bottom line and its ability to discharge its obligations to stakeholders: for example, the
number of potential frauds averted, the number of material misstatements discovered or
the number of process improvements introduced as a result of the audit assessment. It is
also important for internal auditors to investigate and ascertain the root causes of the issues
discovered, so that management can address the causes rather than throwing effort and
resources at the symptoms, which ensures the issue does not recur. An effective internal
audit function, over time, leads to maturity in governance, internal control systems and risk
management, as the iterative process of internal audit contributes to process improvement.

Metric 3: Improvements due to implemented recommendations are an important measure
of the effectiveness of the audit function. The internal audit function should monitor the
number of recommended controls and their implementation, since unimplemented
recommendations, however few, leave control gaps for the organization. Where
recommended controls were not implemented, it could also mean that some of the
recommended controls and countermeasures are not feasible or implementable and would
therefore add no value to the business if pursued. This speaks to the effectiveness of the
audit assessment: its ability to understand and diagnose the business risks, challenges and
controls and their root causes, and how it delivers value through its assessment.

Metric 4: One of the crucial measures of the effectiveness of the audit function is its ability
to plug income leakages, waste and financial improprieties. Management must be seen to
be prudent in deploying the organization's resources for its good and to optimize the
resources available to it. The internal audit function must therefore ensure that revenue
assurance and cost savings/optimization initiatives form part of its control testing. While
recommending and implementing cost-saving initiatives during audits, it is important that
adequate resources are provided to the audit team for fieldwork, rather than starving it of
the funds needed to do the job in the name of cost containment. Cost cutting of this kind
has led some organizations to lose focus on critical risk areas such as governance, poor
decision making, ineffective risk management and a poor control environment.

Metric 5: Staying within the audit budget shows efficient management of internal audit
resources, which is good, but the audit function should not be afraid to go to the Board
Audit Committee or Executive Management to ask for the additional funds it requires to
address emerging risks that were not anticipated at the planning stage. Resource limitation
should therefore not be an excuse for failing to take on and address risk areas that were not
initially anticipated in the planning of the audit.

Metric 6: The internal audit function, while conducting its activities, should be able to
identify loopholes and vulnerabilities in systems, processes and technologies that could be
exploited by internal or external parties to defraud the organization or to perform malicious
activities that could harm or damage its reputation.

The Mandate
Internal audit plays a pivotal role in an organization's success and in the realization of its
business objectives by providing executive management and the board audit committee
with information and objective assurance on the internal control system, risk management
and governance. To ensure the effectiveness of the internal audit function, the mandate of
the internal audit department must be clearly defined, agreed by stakeholders and
approved by the organization's Board of Directors.

The Board Audit Committee and Executive Management, the key stakeholders in every
organization, are to ensure that the internal audit function is empowered and has sufficient
authority to discharge its duties effectively. The internal audit function therefore derives its
authority from the board audit committee and the management of the organization. Where
a sufficient mandate has been given to the internal audit function, the resources required to
fulfil it follow naturally. Where the mandate is incomplete, inadequate resourcing of the
function usually follows.

The authority of the internal audit function is documented in its internal audit charter. The
charter stipulates the role of the internal audit function within the organization, the structure
of the department and its reporting line through management to the Board of Directors, the
highest decision-making body in the organization. In determining its role, discussions are
usually held among members of executive management and the board audit committee to
scope the services the internal audit function should provide and its priorities. The roles,
responsibilities, authorities and reporting lines of the internal audit function are defined
primarily to support the board audit committee in discharging its duties. It is therefore best
practice to review the board audit committee charter alongside the internal audit charter on
an annual basis to ensure they remain synchronized and relevant.

The mission and scope of work of the department should be defined, the accountability of
the Chief Audit Executive (CAE) determined, and the independence of the internal audit
function guaranteed by management and the board audit committee. The charter should be
clear on whom the CAE reports to and is responsible for, and should include a statement
granting the auditors free and unrestricted access to information across the organization to
aid the department in the effective discharge of its duties. The standard of practice adopted
by the internal audit department should also be included in the charter to underscore the
department's compliance with best practice and an accepted framework for internal audit
practice. In most cases, the International Standards for the Professional Practice of Internal
Auditing promulgated by the Institute of Internal Auditors (IIA) are adopted.

Consulting and Pre-Audit Planning Engagements
Consulting and pre-audit engagement with the audit client by the audit team is vital to the
successful delivery of the audit. Once the audit area has been determined, the audit team
needs to engage the audit client to properly scope the audit and agree on the requirements.
For new audit areas that have not been previously audited, this exercise is important to
enable the audit team to understand the client's business requirements, the risks inherent in
its business and operational processes, and the business pain points militating against the
achievement of business objectives and deliverables. This also applies to areas that have
been previously audited by the internal audit department.

Pre-audit engagement will require undertaking the following tasks.

1. Information Gathering
2. Risk Assessment
3. Business Pain Points Identification

Information Gathering
Information gathering before the audit is essential to gaining a good understanding of the
audit client's business processes, objectives and risks. Requests for information during the
audit planning phase can take the form of a pre-audit checklist or a questionnaire, although
questionnaires are generally not advisable: respondents commonly tailor their answers to
what they think is expected, so the responses add no value and disclose none of the vital
information needed to aid audit planning and execution. The pre-audit checklist can be used
to gather preliminary information for proper scoping of the audit, identify key business risks,
determine areas requiring more audit attention and communicate the audit team's data
requirements.

Below is some of the information that could be requested by the audit team in
preparation for the audit.
1. Site plan showing buildings, perimeters and layouts.
2. Site guidelines stating any particular training and other access requirements.
3. Organization chart (organogram).
4. Job descriptions for the various job roles at the site.
5. Applicable laws and regulatory requirements.
6. Standard operating procedures, policies and manuals.
7. Business objectives and plans.
8. Key performance indicators (KPIs).
9. Minutes of the most recent management review meetings.
10. Training schedule/calendar and tracking sheet.
11. Leave schedule and tracking sheet.

Information gathering may also involve generating certain reports or metrics independently
of the audit client (i.e. without their involvement), as doing so lends more credibility to the
accuracy of the information. For example, the audit team can use CAAT (Computer Assisted
Audit Techniques) tools such as Audit Command Language (ACL) or IDEA to generate
reports such as access control lists, audit trails/logs, transaction reports and defined
exception reports for further analysis. This gives the audit team a heads-up on the nature of
the control environment and a general view of compliance.

There may also be a need to schedule a meeting with the audit client's representatives to
enable the audit team to understand the operating environment.

Risk Assessment
Risk assessment is a systematic technique for evaluating the risks inherent in a process,
system or activity with a view to mitigating their impact. In an organization that has an
entrenched enterprise risk management framework or process, the responsibilities for risk
identification, assessment, treatment, mitigation and monitoring are well defined. It is then
the duty of the audit team to obtain the risk assessment results for the area to be audited
to gain a good understanding of the risks inherent in the process areas, which aids the
channeling of audit effort and resources. The results of risk identification and assessment
are documented in the organization's risk register.

Having a prior understanding of the risks inherent in a given audit area, the controls
implemented to mitigate them and the residual risk remaining after control implementation
helps the internal audit function conduct a risk-based audit. In documenting the risks, their
severity/impact will have been determined by assigning a weighted score (ranking or rating)
in line with the risk management framework adopted by the organization's risk function, if
applicable. This helps the audit team perform a risk-based audit by determining which areas
deserve more attention than others on account of their risk rating.

Internal audit's responsibilities are made easier where an effective risk function is in place,
as all that is required is to obtain the risk assessment results for the subject area from the
relevant stakeholders and use them in planning and executing the audit. The opposite is the
case where the organization has no, or an inadequate, risk management function: the
internal audit function may then have to carry the risk management burden or suffer from its
inadequacies. In that case, the audit function must present its opinion on the effectiveness
or otherwise of the risk management function to the board audit committee and executive
management, whose responsibility it is to establish and entrench a risk management culture
within the organization.

Business Pain Point Identification
The essence of audit is to provide assurance on the effectiveness of the internal control
system, governance and risk management. The audit function is said to be adding value to
the business when management perceives that it is helping to realize business objectives
and create value for stakeholders. The issues that prevent business management from
realizing business objectives are known as business pain points. They may or may not have
been identified and properly scoped. It is therefore the duty of the audit team, during the
pre-audit engagement, to request from the audit client the pain points and challenges it has
identified as preventing it from effectively discharging its duties. These pain points may result
from weak internal control systems, a lack of risk management or governance-related
challenges.

Hence, the audit team should determine whether most or all of the identified pain points
can be addressed through the audit or, at the least, report them to management and the
board audit committee for action and intervention if not already known to them. To add
value, the audit team must keep the business pain points and their root causes in mind while
conducting the audit, looking for ways to use the audit to improve or address them. This
works only where the pain points have been obtained and are known to the audit team
before the audit exercise starts.

Resource Budgeting
It has been argued that internal audit is a cost center under accounting principles, given
that it does not generate income in the course of its activities; many have contested this
position, which is understandable. It is undisputed, however, that internal audit adds value
and saves the organization a great deal of trouble that sometimes cannot be tangibly
quantified. To discharge its responsibilities effectively, internal audit incurs costs including,
but not limited to, personnel, travel, fixed asset, software and training costs.

The internal audit department produces a budget at the beginning of every fiscal year
showing the activities, projects and initiatives it intends to undertake, which it sends to the
board audit committee and executive management for consideration and approval. For the
department to achieve its assurance deliverables, the board audit committee and
management must demonstrate their support by ensuring that the resources it needs to
discharge its duties effectively and efficiently are provided.

Resources are budgeted based on the department's audit plan; the audit budget cannot be
concluded if the audit plan is not in place. Resources (personnel and financial) are allocated
to each audit area based on what has been projected. The department can also budget for
an audit activity based on what was spent executing similar audits in the past. Audit funding
is essentially one of the ways management and the board audit committee demonstrate
their support for the internal audit function. An underfunded internal audit department will
most likely be ineffective and inefficient, and this will be evident in its performance.

The IT Audit Team

The IT audit team examines and evaluates an organization's information technology
infrastructure, policies and operations. IT audits are performed to determine whether IT
controls protect the organization's assets from confidentiality risks, ensure data integrity and
align with the overall business goals of the organization. IT auditors examine not only
physical and environmental security controls but also the business operations and financial
controls enabled by information technology systems. Given that the operations of
companies and businesses in the 21st century are increasingly computerized and dependent
on technology, IT audits are performed to ensure that IT-related controls and processes are
working as expected. The primary objectives of an IT audit team include the following:

· Evaluate the system and process controls in place that ensure the confidentiality,
integrity and availability of the company's information assets and data.
· Ascertain the risks inherent in the company's information assets and operational
processes, and identify methods to mitigate or minimize those risks.
· Ensure that information management processes conform to relevant IT-related laws,
regulations, standards and internal policies.
· Confirm that the necessary governance is in place over the company's information
systems, information technology infrastructure and personnel.
· Ensure that IT systems and services will continue to be available and accessible to
the business in the event of disruption or emergency.

Composition
Best practice in auditing requires that an audit team include skills and expertise that cover
the area to be audited. The breadth of audit testing to be covered makes it unlikely that all
the required expertise will be found in a single individual. A good combination of skills
(operational, technical, analytical, investigative, interpersonal, etc.) allows for more effective
and efficient coverage of the different functions, situations and workings within an
organization. The mixture of skills among several team members helps minimize ambiguity
and therefore improves the consistency of audit conclusions.
An IT audit team is typically composed of the audit team leader and at least two other
auditors chosen for the specific skills and expertise they bring to the audit. The size of the
team depends on the scope of the work to be done and the timeframe allocated for the
audit.

The following should be considered when assembling an audit team:
1. The audit scope, that is, the extent of the work to be done during the audit.
2. The objectives of the audit, that is, what the audit is meant to achieve, which
determines the approach to be adopted.
3. The area of the organization to be audited, which helps decide what skills or
expertise are required to conduct the audit.
4. The availability and suitability of the audit team members.

Competence of the IT Audit Team

Personal attributes
IT auditors are expected to possess personal attributes such as:
a) High ethical standards, i.e. objective, fair, independent, honest and discreet.
b) Open-mindedness, i.e. willingness to consider alternative or divergent ideas or views.
c) Diplomacy, i.e. tact in dealing with people.
d) Drive, i.e. alert, decisive, self-aware, persistent and focused on achieving objectives.

Data Preparation and Analysis

Data preparation and analysis is an important aspect of information systems auditing and,
in most cases, a pre-audit activity. Depending on the area to be audited and its scope, data
analysis may be required to validate the integrity of transactions, customer information or
confidential business data. It may also be required for income validation (i.e. revenue
assurance), fraud detection and trend analysis. It is important that the IT audit team
prepares data ahead of the audit engagement so that it gains traction and speed when the
real audit starts. To gain access to the data required for the audit, the audit team requests
access to the database where the data of interest are stored.

Computer assisted audit tools (CAATs) such as ACL (Audit Command Language) or IDEA
are commonly used to extract and analyze the data more efficiently. First, the CAAT tool
extracts the data by establishing an ODBC connection to the database of interest. The data
are imported into the CAAT tool, where specified queries, filters and logic are applied to
make sense of the data and achieve the desired outcome. The results of the analysis can be
used to perform further audit testing or to confront the audit client for an explanation of
observed anomalies or breaches of business rules.
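The extract-then-query pattern described above, as an added example that is not part of the book and not ACL or IDEA code: Python's sqlite3 stands in for the ODBC connection to the production database, the payment and vendor master rows are constructed sample data, and the single-approval limit is an assumed policy value. The three queries cover duplicate payments (the revenue assurance test behind Metric 4), payments above the approval limit with no recorded approver, and payments to vendors missing from the vendor master.

```python
"""Pre-audit data analysis in the CAAT style: pull an accounts-payable extract
over a database connection, then apply queries that flag duplicate payments
and business-rule breaches for the exception report.

Added example, not from the book and not an ACL/IDEA script. sqlite3 stands
in for an ODBC connection; the tables, rows and the 500,000 approval limit
are constructed assumptions.
"""
import sqlite3

APPROVAL_LIMIT = 500_000  # assumed policy: payments above this need a recorded approver

# Constructed sample data standing in for the AP extract and the vendor master.
VENDOR_MASTER = [
    ("V001", "Acme Supplies Ltd"),
    ("V002", "Delta Facilities"),
    ("V003", "Orion Consulting"),
]
PAYMENTS = [
    # pay_id, vendor_id, invoice_no, amount, pay_date, approved_by
    ("P1", "V001", "INV-7781", 120_000, "2017-02-03", "cfo"),
    ("P2", "V001", "INV-7781", 120_000, "2017-02-17", "cfo"),      # same invoice paid twice
    ("P3", "V002", "INV-0092", 750_000, "2017-02-20", None),       # above limit, no approver
    ("P4", "V003", "INV-1130", 48_500, "2017-02-21", "fin_mgr"),
    ("P5", "V001", "INV-7782", 120_000, "2017-02-22", "cfo"),      # same amount, new invoice: not a duplicate
    ("P6", "V999", "INV-5555", 32_000, "2017-02-25", "fin_mgr"),   # vendor absent from master
    ("P7", "V002", "INV-0093", 610_000, "2017-02-27", "cfo"),
]


def load_extract():
    """Build an in-memory database holding the extract (stands in for the ODBC pull)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE vendor (vendor_id TEXT PRIMARY KEY, name TEXT)")
    con.execute(
        "CREATE TABLE payment (pay_id TEXT PRIMARY KEY, vendor_id TEXT, invoice_no TEXT,"
        " amount INTEGER, pay_date TEXT, approved_by TEXT)"
    )
    con.executemany("INSERT INTO vendor VALUES (?, ?)", VENDOR_MASTER)
    con.executemany("INSERT INTO payment VALUES (?, ?, ?, ?, ?, ?)", PAYMENTS)
    return con


def duplicate_payments(con):
    """Same vendor and invoice paid more than once: [(vendor_id, invoice_no, count, total)]."""
    return con.execute(
        """SELECT vendor_id, invoice_no, COUNT(*), SUM(amount)
           FROM payment GROUP BY vendor_id, invoice_no
           HAVING COUNT(*) > 1 ORDER BY vendor_id, invoice_no"""
    ).fetchall()


def unapproved_large_payments(con, limit=APPROVAL_LIMIT):
    """Payments above the limit with no approver on record: [(pay_id, amount)]."""
    return con.execute(
        "SELECT pay_id, amount FROM payment WHERE amount > ? AND approved_by IS NULL"
        " ORDER BY pay_id",
        (limit,),
    ).fetchall()


def payments_to_unknown_vendors(con):
    """Payments whose vendor_id has no row in the vendor master: [(pay_id, vendor_id)]."""
    return con.execute(
        """SELECT p.pay_id, p.vendor_id FROM payment p
           LEFT JOIN vendor v ON v.vendor_id = p.vendor_id
           WHERE v.vendor_id IS NULL ORDER BY p.pay_id"""
    ).fetchall()


def exception_report():
    """Run every test over the extract and return the findings keyed by test name."""
    con = load_extract()
    try:
        return {
            "duplicate_payments": duplicate_payments(con),
            "unapproved_large_payments": unapproved_large_payments(con),
            "unknown_vendors": payments_to_unknown_vendors(con),
        }
    finally:
        con.close()


if __name__ == "__main__":
    for test, rows in exception_report().items():
        print(f"{test}: {rows}")
```

Each finding carries the identifiers needed to pull the source documents during fieldwork, which is what turns an analytic exception into an audit observation. Keying the duplicate test on vendor and invoice number rather than on amount alone is deliberate: P5 repeats an amount legitimately and should not be confronted with the auditee as a duplicate.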

Onsite and Offsite Activities

Given the limited resources available to execute audits and the timeframe allocated to the
audit activity, it is often impracticable to perform all the activities and reviews scoped for an
audit exercise. The audit team is then forced to limit its audit samples to meet delivery
deadlines, even when the samples are grossly inadequate, making it difficult to do a good
job and still meet the deadlines.

To overcome this, the audit team must plan better by identifying the activities that will be
performed offsite (i.e. at the audit team's location) and those that will be performed onsite
(i.e. at the audit client's location). This helps optimize cost, increase efficiency and reduce
waste and the time required to perform an audit.
Some of the activities that could be performed offsite are as follows.
· Review of documents such as manuals, policies, operating procedures, standards,
regulations, minutes of meetings, etc.
· Data analysis.
· System audit log review.
· Logical access control review.
· Other reviews requiring system access (i.e. online review).

Activities that cannot be performed offsite, such as interviews, process or system
observation, walk-throughs and evidence examination, are then performed onsite.

Partnering with the Audit Client

To ensure the realization of corporate objectives, including risk optimization, internal audit
should be viewed as a partner of management rather than as the "corporate police".
Fostering a good relationship with the audit client, and by extension with management, helps
identify the real risks facing the business, including the control weaknesses and business pain
points that prevent management from achieving its objectives. Conventionally, internal
auditors deal with the activities and issues that enable management to meet financial,
regulatory and statutory compliance objectives. The new paradigm, however, has internal
auditors partnering with management (the audit client) to realize strategic and business
objectives by improving internal control systems, risk management and governance.

Management should see internal audit as a strategic partner beyond daily business as usual.
Such a partnership brings internal audit into the picture of the business risks and pain points
confronting management, beyond the regulatory and statutory issues that fall within internal
audit's purview. Internal audit should be able to proffer recommendations and advisory
services that close those gaps while maintaining its independence.

CHAPTER – 2 The Audit Process

The Audit Process
The IT audit process comprises the steps adopted by the IT audit team in performing its
assurance functions, from the conceptualization or initiation of the audit to its completion.
The process adopted by the IT audit or internal audit function is usually documented in the
department's audit procedure manual. The process for a given IT audit depends largely on
its type, scope and the objectives to be realized. For most audits, however, the process is
largely similar and consists of the following steps.

1. Planning
2. Execution
3. Reporting
4. Grading/Rating
5. Corrective actions and remediation
6. Follow up

Planning
At this stage, the internal audit department develops an annual audit plan, which is
reviewed by the Chief Audit Executive and approved by the Management Committee and
the Board Audit Committee (BAC). The plan sets out the strategy and methodology the
department will adopt in executing it. The audit universe and the auditable units are
identified based on feedback from management and the board audit committee on the
strategic direction of the organization. The various areas and aspects of the organization to
be audited are highlighted in the plan and scheduled based on the resources available to
the department.

For a given audit area scheduled in the plan, the audit programme is prepared by the Audit
Team Leader and approved by the Head of the IS Audit Unit and the Chief Audit Executive,
with a caveat stating that the programme is subject to revision in line with changes in
requirements, scope and schedule. In preparing the programme, the IT audit team engages
auditee management to understand its requirements and operating environment.
Documents such as standard operating procedures, applicable internal policies, regulatory
and statutory requirements, business pain points and the audit client's Risk & Control
Self-Assessment (RCSA) report are requested before the audit commences. The audit team
reviews these documents to gain a good understanding of the audit area, its inherent risks,
control issues and the operational challenges confronting the auditee. Based on this
pre-audit assessment, the Audit Team Leader defines the scope of the audit from a risk
perspective and according to the resources and time available. The audit team is also at
liberty to obtain, prepare and analyze the data needed to confirm the effectiveness and
adequacy of controls. It is recommended that data preparation and analysis be carried out
as a pre-audit activity and done offsite, so that the team gains speed and traction when
fieldwork commences rather than struggling with limited resources and time.

From this audit programme, the Team Leader prepares the respective audit plans, which are
communicated to the other team members and the audit client. At this point the audit
engagement notice/letter can be issued, articulating the objectives, scope and requirements
of the audit. The plan may include the following, among others.
· Audit objective and scope.
· Department/Section and the responsible individuals in charge.
· Audit team members. The number of auditors depends on the size of the audit area
and the complexity of the departmental functions to be audited.
· Date, place and time of the audit.

Opening meeting
An opening meeting, where deemed appropriate by auditee management and the Team
Leader, shall be held on the day the audit commences. The following may be discussed
during the opening meeting:
· The purpose and scope of the audit.
· Confirmation of the audit plan.
· Clarification of other matters such as requirements, audit approach, documentation,
rating/scoring method and consequence management, which should be agreed
before the audit kicks off.

Execution
This is where the actual audit is performed. The auditors perform the audit using one or
more checklists or audit working papers (AWP), described below:
1. Internal Audit Checklist/Observation template: contains audit test procedures
specific to the organizational unit being audited. The assigned auditors generate
interview questions from the test steps as they deem appropriate.
2. Management System (MS) Standard Checklist: contains items or test procedures
relating to the requirements of the standards being audited, such as ISO 27001
(ISMS), ISO 22301 (BCMS), ISO 20000 (ITSMS), ISO 9001 (QMS), COBIT 5
assessment, etc.

Audit findings are collected through interviews of responsible persons, document
examination and observation of activities and processes in the areas being audited, and are
noted against each test procedure or step in the audit checklists mentioned above. Through
its tests of controls, the audit team confirms the effectiveness of the internal control system.
Where the controls are inadequate or ineffective in addressing the identified risks, the issues
are noted for management attention and remediation. Evidence suggesting non-conformities
is noted according to its significance or materiality, even where not covered by the checklist.
Other objective evidence and/or observations that may impact positively or negatively on
the area being audited shall also be listed in the space provided on the checklist.

The audit team must display a high level of professionalism and due care in all its activities
and communicate its expectations and concerns to the auditee. Where conflict or
disagreement arises during the audit, the Audit Team Leader should engage auditee
management to ensure that the issues are addressed amicably and areas of disagreement
resolved with proper explanation. If the Audit Team Leader is unable to resolve the conflict
or disagreement amicably, the issue should be escalated to higher authority through his/her
reporting lines.

Reporting
The principal product of the audit is the audit report, in which audit opinions are expressed,
audit findings presented and recommendations for improvement articulated. To ensure that
the recommendations in the final report are practicable and value-adding, the internal audit
team discusses the draft with the audit client before issuing the final report. The audit report
can take different formats depending on what the internal audit department has adopted,
but there are generally accepted formats. Typically, the audit report consists of the following.
1. Cover memo
2. Executive summary
3. Full report
4. Rating sheet
5. Consequence management
6. Appendices

The cover memo highlights the objectives and scope of the audit exercise and the
distribution list for the report (i.e. the persons who receive it). It is addressed to the person
responsible for attending to the issues noted in the report and for coordinating the
resolution of all audit findings.

The executive summary highlights the high-level issues requiring the attention of
management and the board audit committee. It summarizes the audit findings, with the
most critical issues that need to be communicated to management and the board for action,
and is written in concise, clear, non-technical language for ease of understanding.

The full report contains all issues noted during the audit in detail, the risk implications of
issues raised, auditee/management responses to the findings and recommendations
proffered by the auditors to close the identified gaps.

Other documentation required to support the audit work and report includes:
· Audit terms of reference (TOR)
· Audit working paper (AWP)
· Walk-through test document (WTD)
· Test of control (TOC)
· Issue summary (IS)

At the reporting stage of the audit, the audit team reviews and analyzes the audit findings,
consolidates all findings into a single report, compiles supporting documents, logs and
transaction reports into appendices, classifies all findings in line with the department's risk
scoring/rating criteria, and prepares the audit recommendations and the final audit report.
Every audit finding should be supported by objective evidence. The Team Leader is
responsible for consolidating all the audit findings and preparing the audit report. The
auditors should follow the professional code of conduct in preparing the report.

Grading and Rating

To effectively underscore the severity and impact of the audit findings on the business, the
internal audit department grades/rates each audit finding in terms of its
impact/severity, taking into cognizance the rating of the risk that resulted in the control
weakness. The department is also at liberty to adopt other forms of risk classification to
effectively communicate the impact of noted control weaknesses or failures. The following
classification method could be adopted:
· Major non-conformity: a major deficiency in the control environment or management
system.
· Minor non-conformity: a minor deficiency, meaning that one or more elements of the
control or management system is/are only partially complied with.
· Observation: an area of worry, or a process, document or activity of concern, which if
not enhanced could result in a non-conforming system, product or service. An observation
shows potential risk of non-conformity.
· Opportunity for Improvement: a hint for improvement which may or may not be
implemented by the auditee.
· Positive findings (Conformity): findings that pertain to processes and/or systems that go
beyond what is required by the standard.

There are several models or methodologies that can be adopted in determining the audit
rating or opinion of conformance for an audit area. Some schools of thought or models
hold that each audit exception or non-conformity should be assigned a weighted
score (or %) based on its severity: for instance, 5% for critical severity, 4% for high
severity, 3% for medium severity, 2% for low severity, 1% for very low severity and 0% for an
effective control. The applicable score for each exception or non-conformity is deducted
from a maximum score of 100, and the score remaining after all deductions forms the final
audit rating, which is usually banded; for example, above 70% is low risk (good rating), 30 to
60% is medium risk (opportunity for improvement or average rating) and below 30% is high
risk (poor rating).

Best practice for audit rating requires that the various risks identified in each audit area
be rated, rather than rating the controls/exceptions. The weighted score of each of the risks
associated with a given audit area determines the audit rating of the process. Depending on
whether the control(s) implemented to mitigate each risk are adequate or inadequate, the
audit team apportions a weighted score based on its opinion of control adequacy. A rating
guide that could be adopted is:
· Critical risk (very poor rating; 0-20%)
· High risk (poor rating; 20-30%)
· Medium risk (average rating; 30-50%)
· Low risk (good rating; 50-70%)
· Very low risk (very good rating; 70-90%)
· Insignificant risk (outstanding rating; 90-100%)

The cumulative weighted score of each of the risk areas forms the audit rating for the
client.
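As an added worked example (not code from the book), the two rating models just described, implemented in Python: the deduction model with the severity scores given above, and the risk-weighted model banded with the six-band rating guide. The weighting formula (a weighted mean of the audit team's control-adequacy scores on a 0 to 1 scale), the rule for which band a boundary score falls into, and the sample risks are assumptions; the severity deductions and the six bands are the book's. The six-band guide is applied to both models because the earlier three-band example leaves scores between 60% and 70% unassigned.

```python
"""Two audit rating models from the Grading and Rating section.

Added worked example; it is not code from the book. It implements:
  1. the deduction model: each exception's severity score is deducted from a
     maximum of 100 and the remainder is the rating;
  2. the risk-weighted model: each risk in the audit area carries a weight and
     the audit team's control-adequacy score, and the cumulative weighted score
     forms the rating.
The weighting formula (weighted mean of adequacy scores), the 0.0-1.0 adequacy
scale and the band boundary rule are assumptions; the severity scores and the
six rating bands are the book's.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Deduction model: percentage points deducted per exception, by severity.
SEVERITY_DEDUCTION = {
    "critical": 5,
    "high": 4,
    "medium": 3,
    "low": 2,
    "very low": 1,
    "effective": 0,   # an effective control attracts no deduction
}

# Rating guide as (upper bound, label). Assumption: a score is placed in the
# first band whose upper bound it is below, so exactly 30 is "Medium risk";
# exactly 100 is "Insignificant risk".
RATING_BANDS = [
    (20, "Critical risk (very poor rating)"),
    (30, "High risk (poor rating)"),
    (50, "Medium risk (average rating)"),
    (70, "Low risk (good rating)"),
    (90, "Very low risk (very good rating)"),
    (100, "Insignificant risk (outstanding rating)"),
]


def band(score: float) -> str:
    """Map a 0-100 rating to the book's six-band rating guide."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for upper, label in RATING_BANDS:
        if score < upper:
            return label
    return RATING_BANDS[-1][1]   # a score of exactly 100


def deduction_rating(exception_severities: Iterable[str]) -> float:
    """Deduction model: 100 minus the severity score of every exception, floored at 0."""
    total = sum(SEVERITY_DEDUCTION[s.lower()] for s in exception_severities)
    return max(0.0, 100.0 - total)


@dataclass(frozen=True)
class RiskAssessment:
    name: str
    weight: float     # relative importance of this risk within the audit area
    adequacy: float   # audit team's opinion of control adequacy: 0.0 (none) to 1.0 (fully adequate)

    def __post_init__(self) -> None:
        if self.weight <= 0 or not 0.0 <= self.adequacy <= 1.0:
            raise ValueError(f"invalid assessment for {self.name}")


def weighted_rating(risks: List[RiskAssessment]) -> float:
    """Risk-weighted model: weighted mean of control adequacy, scaled to 0-100."""
    if not risks:
        raise ValueError("no risks assessed")
    total_weight = sum(r.weight for r in risks)
    return 100.0 * sum(r.weight * r.adequacy for r in risks) / total_weight


if __name__ == "__main__":
    # Constructed sample: four exceptions found in one audit area.
    score = deduction_rating(["critical", "high", "medium", "low"])
    print(score, band(score))
    # Constructed sample: three risks in a data centre audit area.
    sample = [
        RiskAssessment("unauthorized physical access", weight=3, adequacy=0.5),
        RiskAssessment("fire and environmental failure", weight=2, adequacy=1.0),
        RiskAssessment("loss of backup media", weight=1, adequacy=0.0),
    ]
    score = weighted_rating(sample)
    print(round(score, 2), band(score))
```

The sample shows why the book prefers the risk-weighted model: a single unmitigated risk with a large weight pulls the rating down in proportion to its importance, whereas under the deduction model every exception costs at most five points regardless of what it exposes.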

Corrective Actions and Remediation

Corrective actions are steps taken to remediate or reduce the impact of a control weakness
or non-conformity. A corrective action plan, on the other hand, is a step-by-step plan of action
developed to achieve the specific outcome of resolving noted non-conformities or
control weaknesses. To ensure effective corrective actions, the auditee should perform a
root cause analysis to identify the cause and effect of the control weakness or non-
conformity on the business. This is to ensure that an effective remediation or treatment is
implemented to address the issues completely or reduce the impact of the non-
conformity. The auditee is responsible for implementing corrective actions to address non-
conformities. A compliance certificate or report is usually issued by the auditee confirming
that all or some of the noted control weaknesses or non-conformities have been
remediated partially or completely. Details of the remediation, including new audit
evidence confirming the correction, should be provided to the audit team for
reassessment. Where the corrective actions implemented fully address the non-
conformities, the audit team is expected to close the issues in its follow-up or issue
tracker report.

Follow Up/Issue Tracking

Once the report has been approved and circulated to the concerned/responsible persons,
the audit team needs to follow up and track implementation of the recommendations
to ensure full compliance. Where this responsibility has been assigned to the internal
audit department in its charter, the audit team initiates a follow-up process or audit to
confirm that noted control weaknesses and non-conformities are being remediated within
the timeline agreed with the auditee and stipulated in the report. The auditee reports on
the status of each of the audit findings and what has been done to remediate the gaps.
Where the controls implemented did not completely address the issues, the auditee shall
explore other means or compensating controls to close the gaps. However, if the control
weakness or non-conformity could not be remediated, or it is impracticable to do so,
management approval to accept the inability to implement controls that would fully
remediate the issue as residual risk shall be obtained and documented.

The follow-up process shall run its course until all noted gaps and non-conformities have
been fully remediated and a compliance certificate issued to affirm conformance.

Determining the Audit Universe

An audit universe represents the range of potential audit activities to be carried out by the
internal audit function. It consists of several auditable entities, processes, systems and
activities. Maintaining an audit universe is not a mandatory requirement in professional
audit practice; however, it has proven to be good practice. For organizations that
have good risk management practices, a robust risk assessment outcome helps the
Chief Audit Executive (CAE) decide how to organize the audit universe such that areas of
significant/high risk are subject to more audits than areas of low risk. This is also known as
risk-based auditing. Because of limited resources, the internal audit function may not be
able to embark on all possible audit activities or engagements, and instead selects them
based on risk prioritization. As such, the audit universe is determined and updated based on
the criticality of the risk areas that could be subject to audit. This then determines the list of
possible audit engagements that could be performed during the fiscal period to address the
identified risk areas. Projects, activities, initiatives, business units, processes or controls
relating to the organization's strategic objectives could be included as part of the audit
universe.

It is important to note that reviews requested by the board, senior management or regulators
that are not part of the audit universe could take precedence over audit activities or
engagements scoped in the audit universe. Hence, it is the duty of the CAE to continually
update the audit universe to reflect all risks inherent in the operating environment as well as
the needs of key stakeholders.

Determining the Audit Type

The type or style of audit to be adopted largely depends on the nature of the
audit, the area being audited, the risk associated with the audit area (risk score), availability of
resources, management objectives, etc. Hence, internal audit management should
determine the most suitable audit type and approach to be adopted for each audit. Based
on risk assessment, areas with high risk scores are audited more frequently than those with
lower risk ratings. A combination of the different types of audit can be adopted to add value
and deliver the expected results to stakeholders.

Full Audit
A full audit is performed on audit areas that have been scheduled in the internal audit plan.
The audit process described above is adopted to provide assurance on the
effectiveness and adequacy of internal controls and governance structures. This type of
audit is conducted at most twice annually for a given audit area, depending on the risk
rating of the area being audited. A full audit must follow all the processes described above
in this book.

Spot-Check
Spot-checks are unannounced audits or reviews designed to ascertain the effectiveness
or working state of critical controls, processes or systems which could adversely impact
the business if not properly overseen. They are done at random to confirm the consistency
and integrity of the process, system or control when no one is watching, and so carry an
element of surprise. Examples include a cash count in a bank's vault, ATM cash count, bank
teller cash count, payment card production and personalization stock count, manufacturing
or distribution stock count, mystery shopping at service points or outlets, etc. Management
occasionally requests this type of audit to provide independent assurance that a
strategic/critical process of the organization is working as expected without any form of
abuse or compromise.

Follow Up Audit
Follow-up audits are performed in most cases to confirm the status of resolution of audit
findings noted in a previously audited area or business unit. It is a compliance audit that
verifies whether the recommendations prescribed to close or resolve control weaknesses or
lapses have been implemented by management and that no further breaches are occurring
in that area. This type of audit is usually requested by the board audit committee and the
Chief Compliance Officer (CCO) of an organization.

Investigation and Special Audit

Investigation and special audits are used in most cases to review specific business
areas/functions, products or activities that have witnessed abuse, fraud or irregular activities
which have embarrassed, or have the potential to embarrass, the organization, or in which the
organization has lost funds or goodwill. They are also used to review security incidents or
service failures. The objectives of such reviews are to ascertain what led to the incident,
service failure, abuse or fraud; the root causes; the process or control lapses that facilitated
the incident; the involvement of staff or other external parties; the steps taken to forestall
recurrence; and recommendations that will prevent future occurrence. They could sometimes
involve applying forensic methods and professional evidence collection. They can take longer
to complete and are expected to be much more detailed than conventional audits (full
audits).

Management uses the reports of such audits to implement drastic changes, sanction
employees, restructure the system and invest in measures to improve processes, systems
and controls. They could also be used or requested during litigation proceedings or by
government and regulatory authorities.

Value for money audits, which are a form of special audit, are also requested by management
or the board audit committee to confirm that investments made in a business area or
technology of interest are yielding the desired return on investment (ROI).

Effective auditing through audit automation (use of audit management software)

Audit management software is used to automate the process of auditing. Some of the
popular audit management software, like Morgan Kai Internal Audit Management
Software (MKInsight) or Wolters Kluwer TeamMate Audit Solutions, comes with good
audit process automation. First, the internal audit function needs to define the audit
universe or audit coverage. The internal audit function is mandated by the board
audit committee, management and regulatory authorities to cover all or certain areas of
the organization's business, operations, processes and systems, based on strategic
objectives or risk considerations, to provide reasonable assurance on the effectiveness of
controls implemented by management to achieve business objectives. Hence, the
internal audit team defines its audit universe in the audit management software along the
lines of its mandate from the board audit committee, executive management and regulatory
compliance perspectives. For example, the approved 2018 Financial Year (FY) Internal
Audit Plan could be defined as the audit universe.

Secondly, the Audit Department defines the audit units or components. For example,
Strategic Business Audit, Subsidiary Audit, Branch/Regional Business Audit, Information
Systems Audit, Retail Services Audit, etc., can be defined as the audit units under the audit
universe as applicable.

Furthermore, the auditors define the audit type, which can be routine, ad hoc, spot
check, follow-up or special (investigation) audit. The audit type determines the
approach, resources, templates and report formats to be adopted in performing the audit.

Finally, the audit areas are also defined in the software. Audit areas can be, for example,
Accounts and Financial Control (FINCON) audit, Strategic Risk Management audit,
Treasury Products and Operations audit, Credit Analysis and Administration audit, Brand
Assurance and Corporate Communications audit, Foreign Operations audit, Physical
Security audit, Data Center audit, IT Power and Infrastructure audit, Core Business
Applications audit, IT Operations and Infrastructure audit, Business Continuity
Management and Disaster Recovery Assurance audit, and Business Units, among others.

After the above have been defined in the software (note: robust audit
management software should come with most of these features built in), the audit team
has to design its Audit Work Programs (AWP), which should capture the identified risks
in the area being audited, the controls to mitigate the risks, the audit test procedures or tests
of controls (TOC) to be carried out to confirm whether the controls implemented are working
as expected, and the severity of each risk (critical/very high, high, medium or low). The
AWP can be uploaded into the audit software in the form of a template predefined in a
format acceptable to the software. After the AWP has been uploaded into the audit
management software under a defined audit area, the audit can be approved for
commencement by audit management. Once the audit work program has been
approved, it becomes an active/scheduled audit in the audit management software
based on the effective commencement date of the audit assignment. The AWP is the
working document for the audit team during the audit assignment. The audit team
populates the AWP with their findings and the root causes of the noted exceptions based on
their observation of the issues in the field. Appropriate corrective actions or
recommendations are also provided based on the observations. Thereafter, the audit client
(i.e. the auditee) provides its responses to the issues raised during the audit as well as
the root causes and remedial actions. Where the audit management software is properly
implemented and integrated with the organization's Active Directory and email systems,
the audit clients can enter their responses directly into the audit software. Where the
responses provided are adequate and give an accurate account of the issues as
observed/captured by the audit team, the audit team can then conclude the audit and
submit it for review and adjustment by audit management.

Good audit management software comes with pre-formatted reports, and the report
format will depend on what has been agreed and adopted by the Internal Audit
department and implemented by the software vendor. Some of the reports come with a
cover memo, executive/issue summary, main/detailed report (issues/findings,
recommendations, root causes, closure timelines, etc.), rating sheet, consequence
management report and audit work papers (i.e. the AWP and appendices of audit
evidence).

It is important to note that the audit template, a.k.a. the AWP, which has been uploaded into
the audit management software and is used for the actual audit field work, can be in different
states in the audit management software:
State I: In-Development (Offline)
State II: Under-review
State III: Active (Live)

Depending on the state, any member of the audit team assigned to carry out a given
audit (audit area) can work on the AWPs or audit checklists at any time. All they need to
do is first check out the audit work program or checklist (i.e. check out the active AWP
into the In-Development state). While in the In-Development state, the audit team can work
on different versions of the AWP or audit checklist for a given audit area. After working on the
AWP or checklist in the In-Development state, the auditor can check the program back in to
become Active or Live in the software, which becomes the final version at any given time
unless updated. As such, the audit team members can go back and forth (i.e.
amend/change) on their AWP or audit checklists until they agree on the final version that will
be relevant for the job. Once they have agreed, the team lead can change the state of
the final version by checking it in to become "Active", or send it to his/her superior for
approval (i.e. the "Under-review" state). Once reviewed and approved, it is then checked
in as the final version (i.e. the "Active" state).
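The check-out/check-in workflow described above, as an added illustration in Python (not code from the book, nor from MKInsight, TeamMate or any other vendor's product): a small state machine over the three AWP states that refuses transitions the workflow does not permit and keeps an audit trail of who moved the program between states. The role names, the restriction of submission for review to the team lead, and the rule that whoever submitted the AWP cannot approve it are assumptions, as is the constructed walk-through in demo().

```python
"""Check-out / check-in workflow for an Audit Work Program (AWP) template.

Added illustration, not code from the book or from any vendor's audit
management software. It models the three AWP states described in the text
(In-Development, Under-review, Active) and enforces which transitions are
allowed and who may perform them. Role names, the restriction of submission
to the team lead, and the rule that the submitter cannot approve are assumptions.
"""
from enum import Enum
from typing import Callable, List, Optional, Tuple


class State(Enum):
    IN_DEVELOPMENT = "In-Development (Offline)"
    UNDER_REVIEW = "Under-review"
    ACTIVE = "Active (Live)"


class Role(Enum):
    AUDITOR = "auditor"        # team member assigned to the audit area
    TEAM_LEAD = "team lead"
    SUPERIOR = "superior"      # the team lead's reporting line, who approves


class WorkflowError(Exception):
    """Raised for a transition the workflow does not permit."""


class AuditWorkProgram:
    def __init__(self, audit_area: str) -> None:
        self.audit_area = audit_area
        self.state = State.ACTIVE          # an uploaded template starts live
        self.version = 1
        self.submitted_by: Optional[str] = None
        # Audit trail of transitions: (actor, role, from_state, to_state).
        self.history: List[Tuple[str, str, str, str]] = []

    def _transition(self, actor: str, role: Role, new_state: State) -> None:
        self.history.append((actor, role.value, self.state.value, new_state.value))
        self.state = new_state

    def _require(self, expected: State, role: Role, allowed: Tuple[Role, ...], action: str) -> None:
        # Guard: the AWP must be in the expected state and the actor's role must be allowed.
        if self.state is not expected:
            raise WorkflowError(f"cannot {action} while {self.state.value}")
        if role not in allowed:
            raise WorkflowError(f"{role.value} may not {action}")

    def check_out(self, actor: str, role: Role) -> None:
        """Any assigned team member takes the Active AWP into In-Development to edit it."""
        self._require(State.ACTIVE, role, (Role.AUDITOR, Role.TEAM_LEAD), "check out")
        self._transition(actor, role, State.IN_DEVELOPMENT)

    def check_in(self, actor: str, role: Role) -> None:
        """A team member checks the edited version back in as Active (the current final version)."""
        self._require(State.IN_DEVELOPMENT, role, (Role.AUDITOR, Role.TEAM_LEAD), "check in")
        self.version += 1
        self._transition(actor, role, State.ACTIVE)

    def submit_for_review(self, actor: str, role: Role) -> None:
        """Team lead sends the agreed version to his/her superior for approval."""
        self._require(State.IN_DEVELOPMENT, role, (Role.TEAM_LEAD,), "submit for review")
        self.submitted_by = actor
        self._transition(actor, role, State.UNDER_REVIEW)

    def approve(self, actor: str, role: Role) -> None:
        """Superior approves; the version is checked in as the final, Active one."""
        self._require(State.UNDER_REVIEW, role, (Role.SUPERIOR,), "approve")
        if actor == self.submitted_by:   # assumption: separation of submitter and approver
            raise WorkflowError("the submitter cannot approve their own AWP")
        self.version += 1
        self.submitted_by = None
        self._transition(actor, role, State.ACTIVE)


def is_rejected(action: Callable[..., None], *args) -> bool:
    """True if the workflow refuses the action; used to show the guards in effect."""
    try:
        action(*args)
    except WorkflowError:
        return True
    return False


def demo() -> AuditWorkProgram:
    """Constructed walk-through: edit, submit and approve a Data Centre AWP."""
    awp = AuditWorkProgram("Data Centre")
    awp.check_out("ada", Role.AUDITOR)             # Active -> In-Development
    awp.check_in("ada", Role.AUDITOR)              # interim version back to Active
    awp.check_out("bola", Role.TEAM_LEAD)          # final edits
    awp.submit_for_review("bola", Role.TEAM_LEAD)  # -> Under-review
    awp.approve("chidi", Role.SUPERIOR)            # -> Active, final version
    return awp


if __name__ == "__main__":
    final = demo()
    print(final.state.value, "version", final.version)
    for entry in final.history:
        print(entry)
```

The history list is the part an auditor of the tool itself would look for: every state change records who made it and in what role, so the approval chain for the final template can be evidenced later.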

When the audit work is completed, the final report is then generated via the audit
management software for management review and the Chief Audit Executive's (CAE) final
approval and issue. The management review can be done either in the software or offline,
depending on the choice of the CAE. Once the audit report has been issued to the
organization's management or Board Audit Committee, the follow-up process is kick-
started. The team designated for this purpose drives the process and ensures that the
timelines specified by the audit client for closure of the audit exceptions/non-conformities
are adhered to, with the issues closed and a status report sent to the follow-up team for
documentation and management review.

PART 2
IT Systems, Processes and Infrastructure Audit

Chapter 3 Audit of Data Centers
Chapter 4 Audit of Business Continuity and Disaster Recovery
Chapter 5 Audit of Business Process Re-engineering (BPR) and System Development
Lifecycle (SDLC) Management
Chapter 6 Audit of Governance of Enterprise IT
Chapter 7 Audit of Physical and Environment Security
Chapter 8 Audit of Windows Infrastructure, intranet and Internet Security
Chapter 9 Audit of Financial Technology (Fintech) and Payment Applications (Online
Banking and Electronic Payment Apps)
Chapter 10 Audit of Unix and Linux Operating Systems Infrastructure
Chapter 11 Audit of Core Banking Applications (Finacle, Flexcube and Phoenix)
Chapter 12 Audit of Payment Cards (Debit, Credit & Prepaid) Processes, Systems and
Applications – PCI DSS Compliance
Chapter 13 Audit of Employee/Human Resources Information System
Chapter 14 Audit of Perimeter Network Security
Chapter 15 Audit of Database Security
Chapter 17 Audit of Virtual Infrastructure

CHAPTER – 3 Audit of Data Centers

Audit Program for Data Centers

Audit Objectives
The objective of the exercise is to evaluate the adequacy, effectiveness and
efficiency of the controls in place to minimize the risk of unauthorized access to the
data center, business disruption and theft of information assets.

Areas of coverage
· Personnel procedures and responsibilities addressing employee
termination, cross-functional and systems training.
· Program change controls are adequate to ensure that changes are tested
and approved before being moved into production status.
· Backup procedures are adequate to minimize business interruption and
protect against loss of data in the event of a disaster.
· Physical security controls are adequate to prevent unauthorized access to
computer center areas.
· Environmental controls are adequate to minimize hardware/software
losses from fire or flood.

Audit Scope
The following areas of data center operations shall be covered: access to the
information processing facility or data center, visitor/vendor restrictions, protection
of assets, identification of the information processing facility, access to the offsite
storage facility, policies and procedures, personnel, incident management, fire
and hazard control, environmental control, etc. However, specific attention will be
paid to the following areas:
· Data center operating policies and procedures.
· Physical security controls.
· Environmental controls.
· Incident handling and management.
· Infrastructure maintenance.
· Cabling and telecommunications.
· Service monitoring and availability management.
· Business continuity management.

Data Centre Audit Checklist

S/N Audit Area Risk Control Test Procedures

Lack of
separation of Dept.
duties, ambiguity organogram, Job
in business rules descriptions,
and procedure Obtain the Data Centre
inconsistency in manuals and organogram as it relates to
PEOPLE AND processes and product the organizational structure
1 PROCESS procedures. documentation. as well as job descriptions.
Confirm that each staff has
documented job
descriptions.
Interview all the staff in the
data center and ascertain
the processes and
procedures required for the
performance of their job
functions.
Ascertain the risks
associated with the
processes and confirm the
adequacy of controls
(system and manual) to
minimize the risk.

Inconsistent
practices and
substandard
operation of the
ORGANIZATION data center due Document a
AND to lack of standard data Have data center
ADMINISTRATIO standard center operating operating policy and
N OF THE DATA operating policy and manual been documented
2 CENTRE manual. manual. and approved?
Are they sufficiently
descriptive to guide in the
administration and

Page 49 of 296
S/N Audit Area Risk Control Test Procedures
operation of the data
center?
Are the data center
operators aware of the
existence of the operating
manual as well as its
provision?
Is there a procedure in
place for the periodic
review of the operating
manual to ensure that it
reflect changes and
improvement in the data
center operations and
ensure compliance to best
practice?

Risk of
compromise by
the Data Centre
Operators due to Verify that data center
lack of duty Maintain a duty Operators ensure job
rotation and roaster to ensure rotated? Request for data
monitoring of job rotation center duty roaster and
operators’ among the data confirm rotation of duties in
activities. center Operators. a systematic manner.
Confirm that the duty
roasters are routinely
reviewed by the Data
Centre Manager.

Confirm that operator


logbook is maintained to
Maintain an record any significant
operator logbook events/incidents in the data
to capture center and corrective
significant events action taken by the
in the data center operator. The log book
and corrective could be in the form of
actions. incident
Page 50 of 296
S/N Audit Area Risk Control Test Procedures
management/reporting
software or portal.

Confirm that every duty shift


in the data center writes a
handover report on
completion of their shift on
activities carried out as well
as significant issues during
the shift to aid smooth
takeover by the next shift.
Confirm that the logbook or
portal is reviewed frequently
by management.

Maintain record
of End of Day
(EOD) or End of
month (EOM)
activities and
processes to
prevent system
breach,
suppression of
malicious acts or
service failures (in Confirm that all EOD
the case of high activities and processes are
processing data captured in the EOD
centre using high register or portal to prevent
end ERP or suppression of malicious
banking acts as well as service
software). failures.
Confirm that EOD/EOM
activities and processes are
reviewed regularly by the
Head of Data Centre to
ensure that no service issues
or malicious acts are
suppressed by the
Page 51 of 296
S/N Audit Area Risk Control Test Procedures
Operators.

Confirm that incidents


recorded during EOD/EOM
processing are promptly
escalated to relevant
persons in management for
resolution. Take samples of
such incidents for
verification if need be.

Risk of business Ensure that resource


disruption due to monitoring software (like
lack of capacity AppManger or
management, ManageEngine) are
monitoring as Implement installed to monitor
well as capacity capacity utilization of
performance management resources on all servers of
measurement of and planning interest especially critical
business systems. measures. systems and applications.
Request and examine
system resource utilization
reports; determine the times
of peak resource demand
within the processing day.
Determine how Data
Center management reacts
to equipment utilization
information.
Confirm that IT
management (IT Steering
Committee) receives
feedback on system
capacity utilization reports,
which they may need in
planning towards
acquisition of servers or
applications in the future as
part of its strategic
functions.
Page 52 of 296
S/N Audit Area Risk Control Test Procedures
Determine whether
capacity planning
(processor, memory,
channels, disk, etc.)
performed, are consistent
with, and integrated into
strategic long-term plans.

Implement
performance
measurement
and monitoring
systems.
Determine whether
performance measurement
process services and
infrastructure (systems) are
in place.
Determine whether system
downtime is recorded or
tracked.
Confirm that
alerts/notifications are set to
monitor agreed resource
thresholds for systems to
trigger/alert the Operators
when such thresholds are
breach or exceed. This is to
prevent over utilization of
system resources in a
manner that will cause
damage to the
infrastructure. For example,
set alert on disk space
utilization of the server disk
drive, Netapp storage, Dell
EMC storage, memory
utilization, CPU utilization,
etc.

Page 53 of 296
S/N Audit Area Risk Control Test Procedures
Confirm that system
downtime or outage is
effectively monitored to
prevent service failure. For
example, monitor service
UPTIME on AIX/UNIX server.

Implement
adequate
controls to ensure
accountability
and protection of
backup media
Compromise, produced at the
theft and main facility as Confirm that all tapes that
unauthorized well as their are sent to the offsite
access to transfer and storage facility are properly
backup media retrieval to and documented and
and offsite from the offsite authorized before their
storage facility. storage facility. transfer.
Confirm that the method of
transfer of the tapes (by
either till box or safe) to the
offsite storage facility is
secured and adequately
protected from theft or
compromise. Inspect the
box or safe as well as the
process of tape transfer to
ensure their security.
Verify whether the tapes
and other media are
encrypted to prevent them
from being accessed or
compromised in the event
of theft or loss.

Page 54 of 296
S/N Audit Area Risk Control Test Procedures
Confirm that the default
OEM (Original Equipment
Manufacturer) encryption
code are changed and not
used for encrypting the
tape drives during backup.
Symantec NetBackup
solution as well as other
solutions give room for the
administrator to create its
own encryption codes for
use during back up.
Are all visitors to the off-site
facility required to sign a
logbook or register their
presence indicating their
name, reason for visiting,
time and date?
Are the processes of
retrieval of storage media
(tape and hard drives)
documented and
adequately controlled to
ensure that the right tapes
are retrieved and there are
proper authorizations?
Are the storage media
(tapes and hard drives)
properly index and labeled
to facilitate easy storage
and retrieval?

Ensure that data


Risk of center operators
inadequate and other Have the data center
response in the personnel in the operators been adequately
ENVIRONMENT event of fire main processing trained on what to do when
AL CONTROL & outbreak and facility are the different types of fire
MONITORING other adequately emergencies or security
3 SYSTEMS. emergencies. trained on how to violation occur?
Page 55 of 296
S/N Audit Area Risk Control Test Procedures
respond in the
event of fire
outbreak.

Do the other personnel in


the main processing facility
been adequately sensitized
on what to do when fire
emergencies occur?
Confirm that fire marshals
have been appointed to
man key areas of the main
processing facility and verify
that they have been
adequately equipped with
basic tools to enable them
coordinate emergency
evacuation activities.
Ensure that fire drills are
frequently conducted in the
main processing facility for
all occupants to create
necessary awareness on
how to adequately respond
to emergency or fire
outbreaks.

Install fire
equipment and
other emergency
controls and
ensure that they
are adequately
maintained and Are the fire alarm pull boxes
tested to respond and emergency power
to any fire switches clearly visible,
outbreak. marked and unobstructed?
Are clear and adequate fire
instructions posted in all
Page 56 of 296
S/N Audit Area Risk Control Test Procedures
locations within and around
the data center?
Confirm that emergency
phone/ switch numbers of
fire service authorities are
conspicuously displayed in
specific locations around
the main processing facility
for easy access and use in
the event of fire. For
example, dial 911 or 123,
etc. as applicable.
Are smoke/heat detectors
periodically tested to
ascertain their working
conditions and ability to
detect existence of fire or
smoke when the need
arises?
Are smoke detectors
strategically installed under
the raised floors and on the
ceiling of the data center
such that will easily detect
smoke or fire?
Are there enough fire alarm
pull boxes in and around
the data center?
Are the Operators assigned
individual responsibilities in
the event of fire outbreaks?
Are the operators trained
periodically in firefighting?
How frequently are fire drills
held?
Are FM200 fire extinguishers
installed in the data center
for the purpose of
firefighting?

Page 57 of 296
S/N Audit Area Risk Control Test Procedures
Are the FM200 fire fighters
promptly maintained and
serviced in line with the
OEM service lifecycle?
Are the firefighting
equipment periodically
tested to ascertain its
working condition and
ability to respond to disaster
in the event of emergency?
Are combustible materials
found within and around
the data center area?
Combustible materials must
not be kept in around the
data center as they are fire
fuelers and could aid
spread of fire.

Implement
controls that will
adequately
prevent flooding
and other
disasters from
affecting the Are the data center
data center. installed above raised floor?
Are the materials used for
the raised floor or base of
the data center those that
are not combustible or aid
the spread of fire?
Are there water lines/pipes
or collectors that are
through or close to the data
center area to avoid
flooding?

Page 58 of 296
S/N Audit Area Risk Control Test Procedures
· Are environmental monitoring and control systems (EMCS) installed in the data center and periodically tested to ensure that temperature and humidity conditions within the data center are controlled and monitored?
· Are the EMCS configurations adequate to ensure that triggers/alerts are sent to the concerned persons when the temperature or humidity within the data center drops below or rises above the acceptable limits or thresholds?

Risk: Risk of service disruption arising from physical destruction of power and data cables or interception of signals.
Control: Implement a trunked electrical wiring and cabling system in and around the data center to prevent physical damage.
Test Procedures:
· Check to ensure that electrical power cables and wiring in and around the data center are well arranged in trunks to prevent physical damage.
· Ensure that there are no exposed power cables, to prevent electrocution of personnel.

Control: Safeguard signal/data cables in PVC trunks to prevent signal interception or tapping for malicious purposes.
Test Procedures:
· Inspect all signal/data cables on servers and network devices to ensure that they are not exposed to interference or tapping.

Audit Area: 4. PHYSICAL AND LOGICAL ACCESS CONTROL TO THE DATA CENTRE
Risk: Risk of unauthorized physical or logical access to the data center.
Control: Implement a biometric or smart card entry control device to restrict access to the data center.
Test Procedures:
· Confirm that there is a procedure for granting access to users who need to access the data center, and establish the authorization process.
· Are all personnel entering the data center made to enter through an entry point controlled by either a biometric or smartcard access control device, which is monitored by the Data Center Manager?
· Ensure that there is a procedure for the review of the biometric or smartcard activity logs. Confirm that the review is done by the Data Centre Manager.
· Do the biometric or smartcard devices restrict and grant access based on the individual's unique access credential, or restrict access to a door(s) for particular users or at a given time of the day?
· Are the means of gaining access, i.e. biometric or smartcard, difficult to duplicate or compromise?
· Are there procedures in place for deactivating user access on the biometric or smartcard devices in the event that users are disengaged from the organization (either voluntarily or terminated by the company) or if an employee smartcard is lost or stolen?
· Do the means of gaining access, i.e. biometric/smartcard, automatically produce a silent or audible alarm if illegal entry is attempted?
· Do the biometric/smartcard devices automatically log and report successful access and unsuccessful attempts to enter the data center?
· Are the issuing, accounting for, and retrieval of smartcards/biometric credentials carefully controlled administrative processes?
· Request the smartcards of users that have exited the organization. Can all active smartcards be accounted for?
· Confirm that the access logs of the biometric or smartcard devices are captured and retained for a reasonable period. Verify that the logs are backed up on external media (tapes or HDD) and retained for the purpose of investigation when the need arises.
· Are there video cameras located at strategic points in the information processing facility (data center) that are monitored by security personnel? Is the video surveillance recorded for possible future playback?
· Is there an alarm system in place that is linked to inactive entry points to the information processing facility or data center?
· Are employees and visiting technicians required to wear photo IDs or identification badges?

Control: Monitor and restrict visitors' access to the data center.
Test Procedures:
· Are all visitors required to sign a visitor's log indicating their name, company represented, reason for visiting, and person to see before accessing the data center?
· Before gaining access, are visitors required to provide some method of identity verification, i.e. company ID, business card or vendor identification tag?
· Are visitors required to wear identification badges that are a different color from employee badges for easy identification?
· Are visitors required to be escorted by a responsible employee? Such visitors include friends, repairmen, computer vendors, consultants (unless long term, in which case special guest access is provided), maintenance personnel and external auditors.
· Are special service contract personnel, such as cleaning staff and off-site storage services, bonded and monitored during the discharge of their duties to limit the financial exposure of the organization or disruption of service?

© Copyright. All
rights reserved

CHAPTER – 4 Audit of Business Continuity and Disaster Recovery

Audit Program for Business Continuity and Disaster Recovery Management

Audit Objectives
The objective of the exercise is to evaluate the adequacy, effectiveness and
efficiency of controls in place to minimize the risk of business/service disruptions
because of system failure or disaster affecting an organization’s information
processing facilities (IT infrastructure) or operating environment.

Areas of coverage

· Ensure that a business continuity management framework or policy is in
place and approved by management.
· Ensure that adequate and effective contingency plans have been
established to support prompt recovery of crucial enterprise functions and IT
facilities in the event of major failure or disaster.
· Ensure that all mandated disaster recovery, business continuity, and security
requirements have adequate compliance policies and procedures in place.
· Ensure that all the potential risks to the enterprise and its IT facilities are
identified and assessed in preparation of the contingency plans.
· Ensure the optimum contingency arrangements are selected and cost
effectively provided.
· Ensure that an authorized and documented disaster recovery / business
continuity plan is created, kept up-to-date, and securely stored.
· Ensure that the recovery plan is periodically tested to assure its relevance
and effectiveness.
· Ensure that all internal and external parties to the recovery process are fully
aware of their responsibilities and commitments.
· Ensure that appropriate liaison is maintained with external parties (i.e.
insurers, emergency services, suppliers, etc.).
· Ensure that both the main and recovery sites are secure and that systems
are securely operated in support of the enterprise.
· Ensure that systems and procedures are adequately and accurately
documented to aid the recovery process.

Business Continuity Management and Disaster Recovery Audit Checklist

S/N Audit area Risk Controls Procedure

Audit Area: 1. BUSINESS CONTINUITY READINESS.
Risk: Inability to adequately respond to emergencies or disasters that have the potential to disrupt critical services of the organization.
Controls: Business Continuity Plan (BCP).
Procedure:
· Ascertain that the organization has a Business Continuity Management framework/policy in place. Ensure that the policy has been approved by management.
· Confirm executive management buy-in to the business continuity plan, especially up to the organization's Board of Directors, by requesting and reviewing minutes of meetings of the IT Steering/Governance Committee, Management Committee and Board of Directors subcommittee on Information Technology.
· Confirm that the business continuity plan is routinely being tested for workability, relevance and efficacy.
· Confirm that responsibilities have been assigned to the various Emergency Response Teams created by the BCP and that the teams have been constituted and adequately trained on their roles and responsibilities during an emergency.
· Confirm that copies of the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) and procedure documents are maintained in the main processing facility as well as in the Disaster Recovery (DR) sites.
· Confirm that drills and simulations of disaster situations, as a test of the organization's readiness to respond to disaster, are being routinely conducted and that reports on the outcome of the tests are sent to management for action and process improvements.
· Confirm that there is a procedure for proper maintenance of all servers and equipment in the data center at the DR site in line with the Service Level Agreements (SLAs) entered into with their respective vendors.
· Confirm that a Business Impact Analysis (BIA) has been carried out and that all the critical information resources and assets are identified and scoped in the impact assessment.
· Also, determine if a comprehensive risk assessment of the areas and functions covered by the Business Continuity Plan has been carried out, that it appears reasonable, and that it forms input to the business continuity plan and to investment in infrastructure and people.
· Confirm that the BIA identifies the risks and impacts peculiar to the organization's critical operations scoped in the BCM, the likelihood/frequency of their occurrence, and the severity of the risk and impact (ranking of the risk as low, medium or high). Confirm that the metric for measuring the impact of each risk is reasonable, feasible and scientific.
· Evaluate the effectiveness of the documented procedures for the initiation of the disaster recovery plan.
· Determine if all critical applications and IT infrastructure (ERP software, Windows servers, Domain controllers, AIX/UNIX servers, storage systems, etc.) have been identified.
· Review the planned support available for critical applications and systems, including all core ERP systems.
· Determine if all applications have been reviewed for their level of tolerance and ease of recoverability in the event of a disaster.
· Review the list of business continuity response personnel, emergency hot site contacts, emergency vendor contacts, etc., for appropriateness and completeness.
· Call a sample of people on the list to verify that their phone numbers and addresses are correct as indicated and that they possess a current copy of the business continuity plan.
· Interview key personnel for an understanding of their assigned responsibilities, as well as up-to-date detailed documentation describing their tasks in a disaster or emergency situation.
· Confirm that there is reasonable coordination among the business continuity team and external vendors and suppliers.
· Verify if surprise tests have been carried out to determine the level of preparedness and effectiveness of personnel and of the plan itself.

Controls: Emergency guidelines and procedures.
Procedure:
· Evaluate the procedure for updating the Business Continuity plan/manual. Ensure that updates are applied and distributed in a timely manner.
· Ensure that responsibilities for maintenance of the manual are documented.
· Evaluate the effectiveness of the documented procedures for the initiation of the business continuity plan.
· Evaluate all written emergency and recovery procedures for thoroughness, appropriateness, accuracy and currency.
· Determine if all recovery teams have written procedures to follow in the event of a disaster.
· Determine if a suitable procedure exists for updating the written emergency procedures.
· Determine if user recovery procedures are documented.

Audit Area: 2. DISASTER RECOVERY SITE.
Risk: Inability to recover from emergency situations or unplanned disruptions in a timely manner, which will impact the organization's ability to deliver services to its customers.
Controls: Disaster Recovery Plan (DRP).
Procedure:
· Obtain and review a copy of the disaster recovery plan and the DR site agreement. Determine if they are complete and current, and if executive management has signed off on the plan.
· Determine who is responsible for developing the plan and if users and all facets of data processing were adequately considered and involved in its development.
· Confirm that a test plan has been documented and approved for the organization's business continuity and disaster/emergency recovery plan. Confirm that the plan covers all areas and operations in scope of the organization's business continuity plan as detailed in the BIA. Confirm that the test plan/schedule is being followed by management as required.
· Determine if executive management has approved the funding for the DR site and testing of the disaster recovery plan. Request reports of the DR testing within the period under review and ensure that noted challenges and concerns are reported to management and that improvements are made consistently on previous tests.
· Review the results of tests of the disaster recovery plan (DRP) conducted within the period under review. Determine if corrective action has been taken on any problems or concerns encountered during the test that would impede the ability of the organization to successfully implement its disaster recovery plans and strategies.
· Visit the DR site. Assess its suitability to support the organization's business and the critical services being rendered. Also, confirm if the DR site is compatible with the main processing facility in terms of infrastructure.
· Interview users and/or IT personnel at the DR site to determine if they have been trained on their responsibilities in the event of an emergency or disaster. Also, determine if they are aware of any manual or alternative procedure(s) that are to be used when processing is delayed for an extended period.
· Confirm that all the procedures for contingency/recovery are documented, e.g. Data Centre Operating Procedures.
· Have the maximum allowable outage and recovery time objectives been determined? Ascertain the adequacy of the recovery time for information resources for which business processing must be resumed before significant or unacceptable losses are incurred.
· Review the results of prior tests to determine that corrective actions requiring management attention have been incorporated into the plan for subsequent testing and verification.
· Perform a detailed inventory review of the offsite storage facility to ensure the presence, synchronization and currency of critical media and documentation, including: data files, applications software, applications documentation, systems software, systems documentation, operations documentation, necessary supplies, special forms and a copy of the business continuity plan.
· Evaluate the security at the offsite facility to ensure its adequacy with respect to the required physical and environmental access controls.

Controls: Contingency plan for DR site (i.e. recovering from recovery).
Procedure:
· Ensure that the plan adequately addresses relocation/movement to a new information processing facility in the event that the original DR site cannot be restored.
· Determine if the plan adequately addresses recovering from recovery.
· Determine if the items necessary for the reconstruction of the information processing facility are stored offsite, which include: blueprints, hardware inventory, wiring diagrams, etc.

Controls: Storage of data backup media in an offsite facility.
Procedure:
· Ascertain that telecommunication backups are addressed in the plan.
· Ascertain that the plan addresses the loading of manually processed data into an automated tape management system.
· Ensure that regular and systematic backups of files required for sensitive and/or crucial applications and data exist.
· Ascertain that offsite storage is used to maintain backups of critical information required for processing operations, either on- or offsite.
· Confirm that adequate documentation exists to perform a recovery in case of disaster or loss of data.
· Assess the vital records retrieval capacity.

Controls: Insuring the DR site against collateral damage to prevent huge financial losses to the organization (risk transfer).
Procedure:
· Verify if the organization's investment in the DR site and its infrastructure is covered by insurance to avert possible losses. Determine as a matter of policy that the investment in the DR site is covered by an insurance company.
· Review insurance coverage for adequacy, taking into consideration:
  i. Insurance premium (cost).
  ii. Coverage for media damage.
  iii. Business interruption.
  iv. Equipment replacement.
  v. Business continuity processing.

Audit Area: 3. DISASTER RECOVERY SITE DATA CENTRE.
Risk: Unauthorized physical or logical access to the DR site data center.
Controls: Adequate physical and logical protection to prevent unauthorized entry.
Procedure:
· Confirm that adequate entry controls (biometric or smart card device) are used to control access within the DR site data center.
· Confirm that there is a procedure in place for assigning access to, and retrieving access from, personnel that work in the DR site data center.
· Confirm that all personnel that work within the DR site data center area are authorized by their supervisors and have a need to access the center.

Controls: Adequate audit trail of users' activities within the DR site data center.
Procedure:
· Confirm that a sufficient audit trail of users' activities (access logs) is being captured by the biometric or smart card device software.
· Confirm that the captured access logs are backed up externally for retention when needed in the event of a system crash or disaster affecting the facility.
· Confirm that CCTV cameras are strategically installed in the DR site data center and that specific entry areas, including the back of server racks, are covered.
· Confirm that the CCTV DVR recorder keeps an audit trail of activities within the data center (i.e. movement within the data center area) for a reasonable period, as specified in the organization's data retention policy and as required by regulatory authorities.
Risk: Risk of environmental and external conditions such as fire, flooding and other disasters in the DR site data center.
Controls: Implement controls to adequately protect information assets from environmental conditions such as fire, interference, flooding, etc.
Procedure:
· Confirm that FM 200 fire extinguishers are installed and routinely tested in the DR site data center to forestall any incidence of fire outbreak.
· Confirm that smoke detectors are installed and routinely tested in the DR data center for prompt detection of smoke or fire.
· Confirm that an Environmental Monitoring & Control System (EMCS) is installed and routinely tested to detect changes in environmental conditions (such as temperature and humidity) within the DR site data center that go beyond acceptable thresholds, while promptly alerting responsible personnel for their action.
· Confirm that the fire alarm system in the center is in good working condition and is routinely tested.
· Confirm that there are good security practices within the center and that drills are routinely carried out to test the effectiveness, feasibility and workability of the emergency and evacuation procedure established for the DR site data center.
· Confirm the adequacy of the power supply at the DR site data center in delivering pure and uninterrupted power.
CHAPTER – 5 Audit of Business Process Re-engineering (BPR) and Software Development Lifecycle (SDLC) Management

Audit of Business Process Re-engineering (BPR) and Software Development Lifecycle (SDLC) Management

Audit Program for Business Process Re-engineering (BPR) & Automation Function

Audit Objective
The objective of the exercise is to evaluate the adequacy, effectiveness and
efficiency of controls in place to minimize the risks of unauthorized access,
disclosure of classified information and inability of business applications to meet
the intended objectives.

Audit Scope
The following areas should be covered during the audit.
· Software development standard and methodology.
· System development lifecycle management.
· Software development process documentation and practices.
· System analysis and design methodology.
· Standard operating procedures.
· Change management.
· Code review and software vulnerability assessment.
· Separation of duties practices.
· Application development standard and best practice.
· Information security considerations.

Audit Checklist for Business Process Re-engineering and Automation

S/N Audit Entity Risk Control Test Procedures


Audit Entity: 1. Procedures and standard.
Risk: Inconsistent practices and substandard operation by BPR developers.
Control: Document procedures and standards for systems development.
Test Procedures:
· Determine if there is a standardized process improvement methodology in place.
· Verify the mode of system development methodology in use.
· Verify that in-house application development is performed in line with standard system development methods/life cycle.
· Determine if there is a process, either automated or manual, for requesting process automation from process owners to the Business Process Automation & Re-engineering (BPR) unit.
· Review the process of requesting process automation from process owners to the BPR unit to ensure that appropriate procedures are strictly followed and the necessary documentation is in place. Ensure there is appropriate authorization.
Audit Entity: 2. Systems development.
Risk: Insecure systems and unauthorized access.
Control: Document standards and procedures for systems development.
Test Procedures:
· Verify that there are defined criteria for adopting the use of a particular programming language or development tool for application development.
· Request evidence of system requirement definition, as well as analysis and design documentation, from the System Analysts for system development and implementation.
· Verify the programming language/environment being used and ensure that the tools are genuine and licensed software.
· Verify that there is adequate access control in development environments to ensure security, which will prevent developers from using different versions of development environments to code applications.
· Verify that the development environment is separated both physically and logically from the test and live environments.
Audit Entity: 3. Systems Testing.
Risk: Unauthorized access.
Control: Document access control procedures.
Test Procedures:
· Verify that the test and production environments are logically separated to enforce adequate security of data.
· Verify that developers do not have access to production databases or live applications.

Risk: Failure of functionality and security.
Control: Document a test procedure and ensure it is approved.
Test Procedures:
· Verify that applications are tested extensively and that appropriate sign-off is obtained from relevant stakeholders before deployment to the live environment.
Audit Entity: 4. Change control.
Risk: Service disruptions due to unauthorized changes.
Control: Document a test procedure and ensure it is approved.
Test Procedures:
· Request change management documentation for previous changes made to applications and ensure that the necessary approvals were obtained in line with the organization's change management policy and procedures.
· Verify that application maintenance, patch deployment and upgrades are subjected to change management procedures.
Audit Entity: 5. Access control.
Risk: Unauthorized access and modification to live systems.
Control: Separate production environment from test systems.
Test Procedures:
· Verify that adequate access control mechanisms are implemented on the test and production environments, with more security emphasis on the live environment.
· Verify that production data is not used as test data in the test environment, and determine who has access to the test data.

Risk: Unauthorized access and modification to live systems.
Control: Implement adequate logical access control mechanisms on the production environment to ensure accountability and non-repudiation of actions.
Test Procedures:
· Obtain the list of applications developed and maintained by the BPR department. Review the security and functional requirements of the applications based on the documented system requirements. Review users' access rights on the application as well as on the database, and ensure that the security settings of the databases are adequate.

Control: Ensure strong security configurations.
Test Procedures:
· Review the security configurations of the web servers hosting the development, test and production environments of all applications developed by the BPR unit, including their operating system security controls. Ensure that the security configurations of production web servers are adequate to assure system security.

Risk: Unauthorized access or privilege creep due to lack of separation of duties.
Control: Job segregation.
Test Procedures:
· Verify that there is adequate separation of duties between developers, operators and administrators of the applications/web portals and their respective databases. Ensure that accountability and responsibilities for system functions are clearly defined and established.

Risk: Data loss.
Control: Secure backup for application data as well as source code.
Test Procedures:
· Review data backup procedures for all applications/portals and their associated databases to ensure that data is backed up and securely retained.
Audit Entity: 6. Documentation.
Risk: Inability to provide support to users and ensure job succession due to lack of program documentation.
Control: Ensure that procedures for program documentation are approved and applied.
Test Procedures:
· Verify that there is adequate program documentation for all applications.
· Verify that necessary approvals were obtained at all stages of the application development process, in conformity with established procedures and satisfaction of business and security requirements.
· Verify the role of System Control personnel in the system development process and ensure that there is adequate documentation for all roles in the procedure manual.
· Verify that the following documentation is in place for every in-house developed application:
  1. Project initiation document
  2. System specification/design document
  3. Process mapping/work flow diagram
  4. User manual
  5. Technical manual/documentation
  6. Lessons learnt
  7. Data dictionary

Risk: Systems not meeting user requirements.
Control: Provide adequate and required training.
Test Procedures:
· Determine if BPR staff members have adequate training and the competence required to deliver user requests for automation of processes.

Risk: Inability of the unit to deliver jobs on schedule due to lack of manpower.
Control: Provide staff resources for all vacant positions.
Test Procedures:
· Determine the adequacy of staffing in the BPR unit.
Audit Entity: 7. Code Review & Vulnerability Assessment.
Risk: Risk of non-detection of errors, malicious code, wrong business logic or weak code, which could result in control failure or financial loss.
Control: Code review.
Test Procedures:
· Confirm that there is a procedure for the review of code for newly developed applications as well as changes to existing applications.
· Does the procedure for code review assign responsibilities for the exercise to a specific department and person such that separation of duties is ensured (i.e. the reviewer is different from the developer)?
· Verify that the code of newly developed applications and changes to existing ones is reviewed for common errors, bugs, logical dysfunction, wrong business logic, etc., to ensure security and minimal impact on the business.
· Verify that the outcome of the code review is reported as well as escalated for immediate action and remediation. Request evidence of review as well as escalation.

Risk: Risk of non-detection of common coding errors, poor coding standards and bugs that create vulnerabilities, which could be exploited by hackers to compromise the applications, their data or the organization's systems.
Control: Perform vulnerability assessment and scan.
Test Procedures:
· Verify that technical vulnerabilities associated with software development have been identified and documented, and that the organization's exposure to them has been evaluated.
· Verify that vulnerability assessments/scans are being carried out on newly developed applications as well as on changes made to existing applications.
· Has software been acquired and is it being used to perform vulnerability scans (e.g. Acunetix), and what is the frequency of this exercise for applications already in production?
· Verify that the outcome of the vulnerability assessments/scans is reported as well as escalated for immediate action and remediation. Request evidence of scans as well as escalations.
CHAPTER – 6 Audit of Governance of Enterprise IT

Audit Program for IT Governance and Strategic Planning

Audit Objective:
The objective of the exercise is to evaluate the alignment of IT strategy with business
objectives, value delivery of IT investment and effectiveness of IT Department in
providing technology related services to every area of the business.
Audit Scope:
Some of the areas the audit should consider are: understanding the impact of IT
services within the company, performance measurement and scorecard for IT
services, assuring stakeholders of the viability of IT investment among others. The
following areas should be considered:
· IT Steering Committee and its composition.
· IT Project Management and Implementation.
· IT Policies.
· IT Organizational Structure.
· IT Strategy (Short, Medium & Long Term).
· IT Administration.
· IT Resource Management.
· IT Security Management.
· IT Budgets.
· Performance Monitoring and Measurement.

Information Technology Governance

COBIT and ITGI frameworks will be used to ascertain the effectiveness and adequacy
of management oversight, roles and responsibilities to the Information Technology
organization as well as risk management processes to ensure effectiveness of the
information technology (IT) management. The executive management should be able
to demonstrate its oversight as well as support for the IT organization for the realization
of corporate objectives.
Effective IT management maximizes the benefits from technology and supports
enterprise-wide goals and objectives. The IT organization typically leads back-office
operations in addition to its primary role of rendering unhindered services to the
company's customers/clients. This dual role, due to the increasing acceptance and
internalization of technology in business, raises the importance of IT management in
effective corporate governance.
Effective management of technology involves more than containing costs and
mitigating operational risks. An IT department that is capable of aligning strategies
and resources with business goals can be considered as adding value to the
organization. The Board of Directors and executive management should understand
the need to take responsibility for IT management as a critical component of their
overall corporate governance efforts.

Information Systems Strategy

Developing and maintaining a robust short, medium and long term Information
Systems Strategy is critical to the success and survival of a business. Therefore, it is the
responsibility of the Information Technology Department to put in place a workable
strategy, which has executive management backing/approval to drive the short,
medium and long term goals/objectives of the organization and ensure the alignment
of IT goals with business objectives. The strategy document also sets the tone of
management direction and priorities on investment in Information Technology. As
such, executive management of an organization must continue to demonstrate its
readiness to improve the lot and potentials of Information Technology processes,
operations, products and services to yield the expected returns and improve the
overall service delivery capacity of the organization. This will be ensured by putting in
place adequate budgeting and provisioning process to fund critical IT projects.
Relevant COBIT processes will be applied to provide reasonable assurance on the
effectiveness of information systems strategy in realizing corporate objectives.

Information Security
Information is one of the organization's most important assets. Protection of
information assets is necessary to establish and maintain trust between the
organization and its customers. Timely and reliable information is necessary to process
transactions and support organization and customer purchase decisions. The
organization's earnings and capital can be adversely affected if information becomes
known to unauthorized parties, is altered, or is not available when it is needed.
Information security is the process by which an organization protects and secures the
systems, media, and facilities that process and maintain information vital to its
operations. Security programs must have strong Board and senior management level
support, integration of security responsibilities and controls throughout the
organization's business processes, and clear accountability for carrying out security
responsibilities. Guidance is provided to examiners and assurance professionals
on determining the level of security risk to the organization and evaluating the
adequacy of the organization's risk management.

The Audit Team shall request the following from Management:
Information Technology (IT) Governance
· IT Organogram/Organizational structure.
· Job descriptions for all IT related roles.
· List of IT inventory/assets (Hardware & Software) and their current locations with
their serial and license numbers as applicable.
· IT Charter.
· IT Steering Committee Composition.
· Minutes of meetings of the IT Steering Committee in the last one year.
· IT Budget for the financial year.
· IT Security Steering Committee composition and minutes of meetings.
· Current IT Strategic plan.
· IT strategic plan (medium and long term).
· IT Risk register.
· Previous internal and external audit reports of the IT department.
· Compliance certificates for the previous audit reports.
· Training Plan for the financial year.
· Key Performance Indicators (KPIs) for all IT related functions.
· List of all IT vendors and their respective Service Level Agreements (SLA) or
Contract agreements.
· List of pre-qualified IT vendors.

Policies and Procedures

· IT Security Policy.
· Password policy.
· Acceptable use of computer Assets policy.
· Software licensing policy.
· Change management policy & procedure.
· Data Centre Operating manual.
· Physical Security Policy.
· Network Security Policy.
· Procurement Policy for Acquisition of IT assets (hardware & software).
· Business Continuity Management framework/policy.
· Disaster Recovery Plan (DRP).
· Business Process Re-engineering procedure.
· Operations manual.
· IT Service Management framework.
· Information Classification policy.
· Information Security Management System policy.

Audit Checklist for IT Governance and Strategic Planning

1. Confirm that there is an IT governance and strategic plan that suits the
company's peculiar needs.
2. Confirm that there is executive management and Board buy-in for IT activities,
governance and the strategic plan.
3. Verify that IT governance and strategy have complete Board of Directors buy-in
and that issues relating to IT and strategic investment are discussed and approved
by the Board (request the Board of Directors' minutes of meetings from the
company secretariat).
4. Verify the existence of an IT Steering Committee, which has management
responsibility for enterprise governance and administration of IT and reports to
the relevant Board standing committees.
5. Verify that there is alignment of IT projects and strategic investments with business
objectives (request Board and Exco minutes of meetings).
6. Verify that there is a governance structure and administrative reporting lines in the
IT department that will promote accountability and good practice.
7. Verify that the IT Steering Committee performs its oversight responsibilities over
the IT Department and reports back to management for informed decision
making.
8. Verify that key performance indicators were put in place by the Board of Directors to
measure IT performance.
9. Verify that the Board of Directors adequately challenges management on IT
initiatives by benchmarking measurable results.
10. Verify that management has aligned IT strategy with business goals by asking
tough questions such as: where does IT fit in the overall strategy for the
company? What is management's risk tolerance level with IT investments? What
are the major IT issues facing the organization?
11. Verify that management prepares and presents an annual IT budget to the Board
of Directors for approval with adequate information on how the budget will be
executed and the value it will provide to the company.
12. Verify that management has put in place a short or medium term IT strategic plan
(3 to 5 years) highlighting the focus of the IT organization, strategic IT projects to
be executed, the cost of such projects, budgets and the expected short and long term
returns to be gained from the projects.
13. Verify that management has clearly outlined goals for the IT department, which
must be measurable and achievable within the scope of resources provided to the
IT organization.
14. Ensure that management promotes responsibility among the IT staff for the
success of IT projects.
15. Verify that a scoring technique has been established by management to
measure the current performance of all IT systems and processes, while the following
key points are monitored: organizational support for the implementation of
projects, risk management responsibilities within the organization, the need for
interdepartmental sharing of business information, and project communication.
16. Verify that management drills down and defines the process areas in IT that are
critical to managing high risk areas.
17. Ensure that expectations among IT staff are managed by making it clear that
this is not an overnight process.
18. Verify that management understands the risks associated with IT investment.
Consider the company's previous patterns of performance, current IT staff
qualifications, complexity of the IT environment, and the type of new IT initiatives
being considered.
19. Verify that management analyzes current capability and identifies gaps. Find out
where improvements are needed most.
20. Verify that management's program for IT governance and strategy consists of a
series of continuous improvement phases rather than a one- or two-step
process.
21. Verify that management has decided on which improvement strategies are the
highest priority projects. This decision should be based on the greatest potential
benefit and ease of implementation of an IT project.

CHAPTER – 7 Audit of Physical and Environmental Security

Audit Program for Physical and Environmental Security

Audit Objective
The objective of the exercise is to evaluate the adequacy and effectiveness of
controls to minimize the risks of unauthorized access into the organization's
premises and restricted areas, disruption of operations resulting from power
inadequacies, threats to premises security and the attendant effect of emergency
situations on service availability and human lives in the working area.

Audit Scope
The following areas of the physical and environmental controls as well as power
infrastructure shall be covered:
· Procedures and Controls at the Security Posts and Reception Areas.
· Procedures and Controls at the Generator and Power Farm Areas.
· Closed-Circuit Television (CCTV) Viewing and Monitoring System.
· Safety and Emergency Procedures and Controls.
· Fire and hazard control, environmental Controls.
· Physical and logical access controls within the premises with focus on the
main processing facility of the organization.

Background Knowledge Required

· Previous internal and external audit reports of the subject area.
· Organogram and job descriptions of the physical security team.
· Physical security and environment policies, procedures and guidelines.
· Physical security best practices and regulatory frameworks.
· Result of risk assessment.
· Emergency response plan.
· Emergency drills (fire and environmental awareness) results.

Audit Checklist for Physical and Environmental Security

1. Physical Security Organization and Administration

Risk: Unauthorized access or entry of vehicles, equipment or persons to the premises and/or close to restricted areas.
Control: Records of vehicles and equipment entering the premises should be kept.
Test procedures:
· Confirm that there are records of all incoming and outgoing vehicles, motorcycles and computer equipment (laptops, hard disks, iPads, etc.).
· Take inventory of cars in the premises against recorded cars.
· Check to ensure that registers are maintained for motorcycles/dispatch riders (staff and non-staff).
· Take an on-the-spot count of vehicles/motorcycles within the premises and compare against records.

Control: An area should be mapped out as staff parking space, while parking space for senior management staff should also be defined. This is to ensure that restricted areas are adequately protected against unauthorized intrusions.
Test procedures:
· Verify that parking space for staff has been mapped out and is adequate.
· Verify that parking space for management staff has been provided and is only used by the designated cadre of staff.

Control: Staff entering the premises and other restricted areas must properly identify themselves with staff ID cards as well as conspicuously display their ID cards at the point of entry.
Test procedure:
· Observe that staff members entering the premises through the main entrance can be identified with their ID cards and that the cards are conspicuously displayed.

Control: Visitors must also obtain temporary badges or tags from the reception desk, and such tags must indicate the area(s) within the premises that the visitor will access and be restricted to.
Test procedure:
· Verify that visitors' tags are being issued to visitors who need to access the organization's Head Office building or premises. This can be done by identifying a visitor within the premises and checking that the appropriate visitor's tag was issued and is conspicuously displayed. The tags could also serve as access cards for designated floors or office areas as appropriate.

Control: Information on all entries, including names of visitors, arrival/departure times and purpose of visit, should be recorded and stored in appropriate form (e.g. logbooks, registers or IT systems).
Test procedure:
· Confirm that the visitors' register and tags are properly recorded and maintained. Verify the records and do a random check on visitors within the premises as a confirmation test.

Risk: Lack of proper action when an intrusion has been detected.
Control: Implement procedures for reporting cases of intrusion or unauthorized entry.
Test procedures:
· Confirm that logbooks or registers were opened by the Physical Security Department for capturing and reporting security incidents or breaches.
· Check to ensure that appropriate information about possible security incidents is captured in the register.
· Check/confirm whether there are reported cases of security incidents or breaches in the logbook maintained by the Security Department which have not been escalated for management action.
· Confirm that reported security incidents or breaches were properly escalated through the security reporting lines for appropriate management action.

Control: Conduct intrusion tests, record the results and, if necessary, implement corrective actions.
Test procedure:
· Confirm that the Security Department, with the approval of the Chief Security Officer (CSO), occasionally performs intrusion tests on servicemen on duty and that test results are documented for preventive action/measures.

Risk: Inadequate protection of the premises against external intrusion.
Control: Conduct tests on the integrity of the perimeter fencing of the premises, while planned maintenance and repairs are performed as appropriate.
Test procedure:
· Confirm that the Security Department, in conjunction with the Corporate Services Department, conducts integrity or structural tests on the perimeter fencing around the premises (if applicable) to provide assurance on its integrity and structural strength, and that failures and defects are reported for management's action.

Risk: Inadequate locking devices for external and internal doors, windows and gates.
Control: Ensure that only authorized personnel have access to keys for locked buildings, sites, rooms and secure areas.
Test procedures:
· Identify how and where keys to specific secure areas, offices or rooms are kept and in whose custody.
· Confirm that keys are stored securely.
· Confirm that there is an adequate procedure around retrieval of keys to ensure that only authorized persons do so, and that records of retrievals are kept for future reference.

Control: Take periodic inventories of locks and keys.
Test procedures:
· Request evidence that inventory or stock-taking of keys to secured areas is being periodically conducted.
· Ensure that incidences of missing or unreturned/unaccounted keys are reported and escalated for management action.

2. Entry Control Systems (Biometric and Smartcard) Security and Biometric and CCTV Administration

Risk: Inadequate protection of the premises against external intrusion.
Control: Implement adequate entry controls such as registers and biometric/smart card access controls.
Test procedures:
· Identify and classify all areas within the Head Office building or other annex locations into security zones based on the criticality of information assets or other valuable assets within those areas; for example, Class A (high security zone), B (medium security zone), C (low security zone), etc. Zone A could be executive management floors/wings, Treasury trading/deal room, data center, card production areas, Head Office vault, safe custody room for the Legal Department, HCMD staff file room, generator area, etc. Zone B could be office areas where sensitive organization documents are kept in fireproof cabinets, car park, etc. Zone C could be staff canteen/cafeteria, gym room, clinic, reception/visitors' waiting room, etc.
· Request the criteria for determining the kind of asset that should be placed in each of the zones. What is the minimum requirement for each security zone?
· Based on the classification of the security zones within the premises, determine from the assessment which areas require access control devices such as biometric or smart card devices.
· Ensure that all areas warehousing information assets are properly restricted and controlled with access control devices (biometric or smart card).

Risk: Lack of monitoring of entry points, sensitive and general areas within premises or locations where information assets are kept.
Control: All entry points, sensitive and general areas within the organization's premises shall be secured and monitored using appropriate controls, such as CCTV and/or an entry control system (biometric/smart card access control devices).
Test procedures:
· Identify areas within the Head Office that should be covered by CCTV but are not yet covered.
· Identify the areas covered by the CCTV and ascertain that the coverage is adequate and the images legible.
· Confirm that there is continuous monitoring and viewing (24/7) of CCTV systems by at least two stationed staff in the control room during peak (daytime) and off-peak periods (nights, weekends and public holidays) for the purpose of detecting any intrusion and unauthorized access or activities.
· Request the report of security incidents or breaches that were captured using the CCTV systems and verify that they were escalated for management action.
· Confirm that all installed cameras are functional and working as expected. A functionality test could be carried out by members of the security team in the control room.

Risk: Inadequate retention of images/footage of activities around the premises for the retention period specified in the information security policy.
Control: Record and retain images/footage of all activities around secured areas and entry points, including the perimeter fencing of the premises, using the CCTV system.
Test procedure:
· Obtain a sampled playback of CCTV footage of areas around the premises to determine that the images/footage are clear and are being captured and retained as appropriate.

Control: Recorded images/footage of activities within the premises shall be backed up and retained for specified periods of time in line with the organization's data retention policy, regulatory and security requirements.
Test procedures:
· Confirm that a CCTV image/video recorder (PVR) was installed.
· Confirm that a recovery point objective (RPO) and recovery time objective (RTO) have been defined for CCTV images/footage.
· Confirm that CCTV images/footage are being backed up to external media in line with the established RPO and RTO.
· Ensure that backup tapes/media of CCTV images are periodically tested or restored to determine that the tapes are recoverable when needed in the event of disaster, system crash or failure of the recording equipment.
· Confirm that there is a procedure around retrieval of backup tapes to determine that no tape is lost or stolen due to poor retrieval procedure or record keeping.
· Confirm that backup tapes are not stored in the same location as the primary processing facility. Tapes should be stored securely in an offsite facility.

Control: Assign security guards to entry points or secure areas that are without adequate monitoring or entry control systems.
Test procedure:
· Confirm that security guards are assigned to areas where entry control devices and monitoring systems (e.g. CCTV) cannot be feasibly or adequately deployed. Security guards could also serve as additional or compensatory controls in some circumstances.

Risk: Inadequate audit trail for entry control devices for use during investigation.
Control: Log all successful entries and unsuccessful attempts on the entry control devices and regularly review the logs.
Test procedures:
· Confirm that all biometric and smartcard devices controlling access to restricted/secure areas capture and maintain access logs of all entries for audit trail.
· Confirm that the logs are backed up to external media to guarantee their availability when needed for investigation or in the event of system crash or device failure.
· Confirm that the external media are stored in an approved offsite storage facility in line with the organization's backup policy.
· Confirm that all attempts to access entry devices (e.g. biometric and smartcard devices) by unauthorized persons are detected and promptly investigated to forestall possible security breaches.

Risk: Security breaches arising from poor maintenance of entry control devices and CCTV equipment.
Control: Regularly maintain entry control equipment (smart card and biometric devices) and security doors in the premises to prevent failures/breakdowns.
Test procedures:
· Request proof of periodic maintenance of security doors (dead-man doors, access control doors), access control devices (biometric and smart card) and other entry control equipment to ensure that they function optimally.
· Confirm that maintenance contracts and Service Level Agreements (SLA) are in place between the organization and the equipment vendors to guarantee continuous and uninterrupted service at reasonable cost.

Risk: Risk of unauthorized access or escalation of access rights due to an uncoordinated process.
Control: Document an entry control or key access control procedure to guide the access, maintenance and retrieval of keys/access tokens.
Test procedures:
· Confirm that an entry control or key access control procedure has been documented, approved and communicated to relevant stakeholders. The procedure should guide the assignment, maintenance, retrieval and administration of keys and access tokens (e.g. smartcard, biometric, etc.).
· Obtain the access control list from the entry control devices' (e.g. biometric and smartcard devices) software. Users and device administrators of biometric and smartcard devices within the premises must be identified and accounted for, and access given based on need-to-have and the specific areas to be assigned.

Control: Access to specific areas or sections of the premises must be on a need-to-have basis.
Test procedures:
· Request the list of staff members who were given access to all biometric and smartcard devices within the premises and specific restricted areas, which include all Head Office floors, office areas, executive management wings, IT section, data center, power farm, generator area, etc.
· Review the access control list and ensure that access to the entry control devices was granted on a need-to-do basis. Irrelevant or unneeded access should be recommended for removal.
· Confirm that access to all the entry control devices was authorized and granted in line with the access control procedure.
· Obtain the list of ex-staff from the Human Resources Department and confirm that all ex-staff who were previously given access to biometric/smartcard devices were promptly deactivated. Also, access rights of redeployed/reassigned employees should be reclassified as appropriate to prevent instances of unauthorized access.
· Confirm that the custodians of the entry control devices (biometric and smartcard devices) carry out periodic (e.g. quarterly or monthly) reviews as stipulated in policy to ensure that access is up to date and all access was authorized.

Control: Retain access logs of all biometric and smartcard devices controlling access to restricted areas and review the access logs regularly.
Test procedures:
· Confirm that biometric and smartcard device access logs are backed up to external media and retained in line with the organization's data retention policy and regulatory requirements.
· Confirm that access logs are reviewed regularly (e.g. quarterly or monthly) as stipulated in the policy to detect and report security breaches and unauthorized access for management action.

3. Safety Procedures and Environmental Controls

Risk: Security breaches due to poor safety awareness of staff members and vendors working in the organization.
Control: Conduct self-assessments regularly to confirm the level of the organization's preparedness and note gaps for continuous improvement.
Test procedures:
· Confirm that the Risk Management Group has conducted a risk/threat assessment to identify, document and track risks facing the organization as they relate to physical and environmental security and safety within the organization's premises.
· Confirm that the physical security policy and procedures are being reviewed and updated in line with current realities and security threats facing the organization.
· Confirm that the Risk Management Group has identified the safety and security risks that are inherent in the organization's operating environment and the controls necessary to mitigate those risks.
· Confirm that the likelihood of crystallization of the identified physical security risks has been ascertained and ranked/rated in line with the organization's risk assessment criteria.

Control: Make sure all the relevant risks are covered by preventive or corrective measures.
Test procedure:
· Confirm that a risk treatment plan/remediation action (either preventive or corrective) has been drawn up to mitigate, if not eliminate, the identified risks, and that residual risk arising from control ineffectiveness is noted for acceptance or continuous improvement by the organization.

Risk: Poor security management due to lack of leadership and management oversight.
Control: Appoint qualified personnel with authority to manage and coordinate all physical security activities within the organization.
Test procedures:
· Confirm that the role of Chief Security Officer (CSO) has been filled in the organization. The CSO should have sufficient authority/mandate to coordinate all physical, environmental, emergency and safety related activities within the organization.
· Obtain the organogram of the physical security department as well as the job descriptions (JDs) of the CSO and other team members. Review same to ensure their adequacy in meeting the security and safety strategies and needs of the organization.

Control: Maintain records of security incidents and ensure they are investigated and escalated to management for remedial action where applicable.
Test procedures:
· Confirm that there is a procedure in place for reporting and investigating security incidents or breaches within the organization.
· Request the records of security incidents reported and escalated for management action. Confirm that remedial actions were taken to forestall future reoccurrence.

Risk: Security threats arising from poor safety procedures and practices.
Control: Implement safety procedures and promote practices that will ensure the safety of lives (personnel and visitors), equipment and information assets.
Test procedures:
· Confirm that adequate/robust safety procedures have been documented and conspicuously displayed on each of the floors within the main building and other relevant areas/locations within the premises.
· Confirm that fire and emergency evacuation procedures have been documented, tested and conspicuously displayed in strategic locations within the organization's business premises.
· Confirm that Fire Marshals were appointed to man each strategic location/floor/secure area within the organization's premises in the event of emergency.
· Confirm that the Fire Marshals have job procedures and have been adequately trained on what to do and how to respond to all forms of emergencies when the need arises.
· Confirm that fire kits and other relevant tools have been provided to them to aid the discharge of their duties. Request to see their fire kits.
· Take inventory of the fire equipment (e.g. fire extinguishers, FM200 systems, smoke/heat detectors) within the premises. Confirm that the expiry dates of the extinguishers' contents are displayed on the body of the devices and ensure that their contents have not expired.
· Confirm that all fire equipment (extinguishers, FM200, smoke/heat detectors, batteries, nozzles, etc.) is promptly maintained/serviced in line with the respective OEM's service requirements to assure optimal function. All non-serviced fire equipment should be escalated for management action.
· Confirm that all fire equipment (extinguishers, FM200, smoke/heat detectors, batteries, nozzles, etc.) is tested to ensure that it is in good working condition and will be useful when needed. Obtain the report on the outcome of the tests carried out as audit evidence.
· Verify that fire/emergency drills are being carried out as scheduled. Obtain the schedule of emergency drills planned for the calendar year, including the locations of the drills, to ensure that they are adequate and meet the safety requirements/procedure. Determine the frequency of this exercise and ensure that there are adequate documentation/records of the outcomes of previous exercises.
· Confirm the average time it took for the last person to exit the building from records/reports of emergency/fire drills carried out. Where the time is longer than the duration defined in the policy, confirm that management's attention was drawn to the outcome of the drills and that necessary actions were taken to forestall reoccurrence.
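The access control list review, ex-staff deactivation check and device log review under section 2 above lend themselves to a computer-assisted audit test. The following Python script is an added example and not part of this audit program; it reconciles a device access control list against an HR leavers list and device log lines, and every badge number, name, role, door name and log line in it is constructed for illustration.

```python
"""Computer-assisted audit test for entry control (biometric/smartcard) records.

Added example, not part of the audit program: it reconciles the access control
list exported from the device software against the HR leavers list and the
device access logs, producing the findings an auditor would raise under the
section 2 checklist items. Every badge, name, role, door and log line is
constructed for illustration.
"""
from collections import Counter
from datetime import datetime

# Security zones as classified in the checklist: A = high, B = medium, C = low.
DOOR_ZONE = {"DC-01": "A", "VAULT": "A", "OFFICE-3F": "B", "CANTEEN": "C"}

# Hypothetical roles and the zones each has a need-to-have for.
ROLE_NEEDS = {"dc_engineer": {"A", "B", "C"}, "office": {"B", "C"}, "vendor": {"C"}}

# Constructed access control list: badge -> holder, role, doors currently granted.
ACL = {
    "B1001": {"name": "A. Okafor", "role": "dc_engineer",
              "doors": {"DC-01", "OFFICE-3F", "CANTEEN"}},
    "B1002": {"name": "C. Bello", "role": "office",
              "doors": {"OFFICE-3F", "CANTEEN", "VAULT"}},   # VAULT exceeds the role
    "B1003": {"name": "D. Eze", "role": "dc_engineer",
              "doors": {"DC-01", "OFFICE-3F"}},              # left, never deactivated
    "B1004": {"name": "E. Musa", "role": "vendor", "doors": {"CANTEEN"}},
}

# Constructed HR leavers list: badge -> last working day.
HR_LEAVERS = {"B1003": "2017-03-31"}

# Constructed device log lines: timestamp,badge,door,result
ACCESS_LOG = """\
2017-04-02T08:05:11,B1001,DC-01,GRANTED
2017-04-02T08:07:40,B1003,OFFICE-3F,GRANTED
2017-04-02T09:15:02,B1004,DC-01,DENIED
2017-04-02T09:15:30,B1004,DC-01,DENIED
2017-04-02T09:16:01,B1004,DC-01,DENIED
2017-04-02T12:30:12,B1002,CANTEEN,GRANTED
2017-04-02T23:41:55,B1002,VAULT,GRANTED
2017-04-03T02:10:09,B9999,DC-01,DENIED
"""

DENIED_THRESHOLD = 3  # refusals on one door by one badge that warrant investigation


def parse_log(text):
    """Parse CSV-style device log lines; a malformed line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, badge, door, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "result": result})
    return events


def audit_entry_controls(acl, leavers, log_text, threshold=DENIED_THRESHOLD):
    """Return findings keyed by the checklist test they support."""
    findings = {"ex_staff_active": [], "ex_staff_entry": [], "excess_grants": [],
                "repeated_denied": [], "unknown_badge": []}

    # Ex-staff deactivation: leaver badges still enabled on the devices.
    for badge, last_day in sorted(leavers.items()):
        if badge in acl:
            findings["ex_staff_active"].append((badge, acl[badge]["name"], last_day))

    # Need-to-have review: doors granted outside the zones the role requires.
    for badge, entry in sorted(acl.items()):
        needs = ROLE_NEEDS.get(entry["role"], set())
        for door in sorted(entry["doors"]):
            if DOOR_ZONE.get(door) not in needs:
                findings["excess_grants"].append((badge, door))

    # Log review: entries by ex-staff after exit, unknown badges, repeated refusals.
    denied = Counter()
    for ev in parse_log(log_text):
        if ev["result"] == "DENIED":
            denied[(ev["badge"], ev["door"])] += 1
        last_day = leavers.get(ev["badge"])
        if (ev["result"] == "GRANTED" and last_day
                and ev["ts"].date() > datetime.fromisoformat(last_day).date()):
            findings["ex_staff_entry"].append(
                (ev["badge"], ev["door"], ev["ts"].isoformat()))
        if ev["badge"] not in acl and ev["badge"] not in findings["unknown_badge"]:
            findings["unknown_badge"].append(ev["badge"])
    for (badge, door), count in sorted(denied.items()):
        if count >= threshold:
            findings["repeated_denied"].append((badge, door, count))
    return findings


if __name__ == "__main__":
    for test, items in audit_entry_controls(ACL, HR_LEAVERS, ACCESS_LOG).items():
        print(f"{test}: {items or 'no exception noted'}")
```

Each non-empty list is an audit exception to be raised with the device custodians: an active leaver badge, an entry by a leaver after the last working day, a grant beyond the role's zones, repeated refusals on one door, or a badge absent from the access control list.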

CHAPTER – 8 Audit of Windows Infrastructure, Intranet and Internet Security

Audit Program for Windows Infrastructure, Intranet and Internet Security

Introduction
The in-depth, authoritative reference for intermediate to advanced IT Audit and IT
Security professionals.
Following reports of Denial-of-Service attacks and data breaches on large
corporations around the world in recent times and their attendant impact on business
operations, the need to ensure the security of the intranet and internet environment
cannot be overemphasized. Considering the widespread use of Windows
Operating Systems and other associated services, there is an obvious need to ensure
the security of Windows infrastructure by implementing good internal control systems
and enterprise policies as well as promoting best practices and user awareness
within the operating environment. Auditors and other IT Assurance professionals
are duty bound to ensure the security of all enterprise systems by instituting a
robust internal audit and security assessment process for continuous improvement
of good security practices.

This section provides insight to IT Assurance professionals (Information Systems
Auditors, Information Systems Controllers, IT/IS Security and IT/IS Risk professionals)
on how to successfully conduct an audit or security review of the Windows infrastructure,
intranet and internet network of their organizations. Windows infrastructure is not
limited to the Active Directory/Domain Controller, Exchange Server, TMG/ISA
Server, Windows Servers and Workstations, Skype for Business Server, Virtualization
Server and DNS Servers. This exhaustive and comprehensive audit program
provides a step by step guide to assessing an organization's intranet and internet
security.

Vulnerabilities inherent in Windows infrastructure (servers and services) are
assessed in conjunction with their implications for the confidentiality, integrity and
availability of information assets. Detailed audit test procedures to identify those
vulnerabilities and control gaps are provided in the section. The audit program
covers enterprise policies (IT Security policy, password policy, acceptable use of
computer assets policy, network policy, etc.), system administration, baseline
configuration for Windows infrastructure, logical access control and
authentication, group policy object (GPO) settings, change management,
enterprise log management and correlation, patch management, endpoint
management, vulnerability management, virus control, virtualization, domain
administration, instant messaging and email services, backup and archiving
services, spam control, bring-your-own-device policy and administration, among
others.

Audit Objective
The objective of the exercise is to evaluate the effectiveness and efficiency of
controls in place to minimize service disruption and risk of unauthorized access to
the organization’s Windows enterprise systems, servers and workstations.

Audit Scope
The audit program covers enterprise systems (e.g. Active Directory, Exchange
server, Enterprise backup solution, Skype for Business solution, Endpoint solution,
Virtualized Infrastructure, etc.), Windows servers, Windows workstations, intranet
and internet security. Specific attention will be paid to the following areas:

· Policies, Procedures and Guidelines for Systems Administration.
· Security & Controls of the Active Directory & other Windows Infrastructure.
· Authentication and logical access control to network resources.
· Servers and Workstations Configuration Management.
· Virus Control.
· Separation of Duties.
· Security & Controls for intranet email (Exchange server), Proxy/ISA, DNS, FTP,
IIS & DMZ.
· Group policy settings & deployment.
· Change Management.
· Endpoint management.
· Backup & Archiving.
· Vulnerability and patch management.
· Remote Management of Servers and Workstations.
· Problem & Security Incident Management.
· Log management, monitoring and correlation.
· Software Licensing Controls.

Background Knowledge Gathering

· Previous internal and external audit reports.
· Policies and procedures.
· IT Security policy.
· System administration manual.
· Data center procedural manual.
· Organogram and job descriptions.
· Risk Assessment.

Page 115 of 296


1. Policies, Procedures and Administration.

Test Procedure: Verify the existence of relevant policies and procedures on the administration of enterprise systems (Domain controller/Active Directory, Exchange server/Lotus Notes, VMware, other Windows servers and workstations).
Implication: Lack of policies and procedure manuals for the system administration function could lead to non-uniformity and non-standardization of processes or abuse, which could compromise system security.
Source of audit Evidence: Documentations.

Test Procedure: Verify the existence of an acceptable use of computer assets policy, clear desk policy, change management policy, IT security policy, configuration management policy, etc.
Implication: Lack of policies and procedure manuals for the system administration function could lead to non-uniformity and non-standardization of processes or abuse, which could compromise system security.
Source of audit Evidence: Documentations.

Test Procedure: Verify that the above stated policies and procedures were communicated to users who may need them by ensuring that they are hosted on the company's intranet portal (SharePoint) and are accessible to staff members.
Implication: Lack of communication and sensitization of users on the policies and procedures that affect them could lead to abuse or misuse of information and assets.
Source of audit Evidence: SharePoint access to the policy and procedure manuals.

Test Procedure: Verify that the policy and procedure documents stated above are classified and versioned accordingly in line with the ISO 27001 ISMS and the information classification guideline. This is to ensure that they are protected and accessed on a need-to-know basis.
Implication: Lack of proper classification of the documents is a breach of the organization's information security classification guideline, which could lead to unauthorized access to information.
Source of audit Evidence: Documentations.

Test Procedure: Verify that there is an established procedure for periodic review and update of policies and procedures to reflect changes in systems, operations and processes.
Implication: Change management.
Source of audit Evidence: Documentations.

2. Change Management.

Test Procedure: Verify that change management policies and procedures for system administration are in place, which are expected to address the change procedure and the impact of changes, and to prescribe failover procedures.
Implication: Non-existence of change management policies and procedures for the system administration function could lead to unauthorized changes not being detected.
Source of audit Evidence: Change management policy documents.

Test Procedure: Verify the existence of a change management process that ensures that all changes initiated by process owners or users are approved by relevant authorities and are properly tested with relevant stakeholders before implementation in the production environment.
Implication: Lack of a properly defined change management process could lead to perpetration of unauthorized changes.
Source of audit Evidence: Change management request form.

Test Procedure: Verify that the history of changes to critical enterprise systems (e.g. domain controllers/AD, Windows servers) is being documented and captured. Also verify that critical changes to be implemented on servers, the DC and the Exchange server are duly tested and authorized by relevant stakeholders. Confirm that the organization has a robust file integrity monitoring tool (e.g. Tripwire) to capture changes on servers and the applications enrolled on them for audit trail.
Implication: Lack of audit trail.
Source of audit Evidence: Change management request form.

Test Procedure: Verify that logs of changes to critical enterprise systems are captured and retained in storage facilities. Verify that the log of changes to the group policy settings of the domain controllers is captured by the ArcSight log management and correlation solution for reference purposes. For the period under review, request such logs and verify the reasons for changes in the default domain policy settings against the relevant approvals.
Implication: Lack of audit trail as well as risk of unauthorized changes not being detected.
Source of audit Evidence: Log review.

Test Procedure: Ascertain from the documented copy of the change management procedure whether it contains the following: change management workflows, responsibilities, deliverables, specific timelines for reviewing and scheduling planned changes, specific timelines for retention of historical records, handling of all changes including change back-outs, etc.
Implication: Risk of unauthorized changes not being detected.
Source of audit Evidence: Change management procedural manual.

Test Procedure: Verify that the change request form is adequate and captures the details of changes (such as requester's name, department, signature, reason for change, list of modules that need to be changed, supervisor's name, supervisor's approval). Also ensure that the IS Control Unit's consent is obtained (changes must be approved by someone other than the requester).
Implication: Risk of unauthorized changes not being detected as well as lack of proper change approvals.
Source of audit Evidence: Change management request form.
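
The group policy change check above (logs of changes to the domain controllers' group policy settings, verified against approvals) can be carried out from the Domain Controller Security log. The PowerShell below is an added example and not code from the book or from any tool it names. It assumes that "Audit Directory Service Changes" is enabled on the DCs so that events 5136 (object modified), 5137 (created) and 5141 (deleted) are written, and that the change register is available as a list of approved records; the domain name, account names and change register in the sample are constructed.

```powershell
# Added example (not from the book): match Group Policy object changes recorded in the
# Domain Controller Security log against the approved change register.
# Assumptions: directory service change auditing is enabled on the DCs; the sample
# domain, accounts and change register below are constructed for this example.

function ConvertFrom-DsChangeEvent {
    # Flatten one Security event (as returned by Get-WinEvent) into a plain record.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        [xml]$xml = $Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            EventId     = $Event.Id
            Actor       = $data['SubjectUserName']
            ObjectClass = $data['ObjectClass']
            ObjectDN    = $data['ObjectDN']
            Attribute   = $data['AttributeLDAPDisplayName']
        }
    }
}

function Find-UnapprovedGpoChanges {
    param(
        [Parameter(Mandatory)] [object[]] $Changes,    # records shaped like ConvertFrom-DsChangeEvent output
        [Parameter(Mandatory)] [object[]] $Approvals   # change register: ChangeRef, GpoDN, Actor, Start, End
    )
    $Changes |
        Where-Object { $_.ObjectClass -eq 'groupPolicyContainer' -and $_.EventId -in (5136, 5137, 5141) } |
        Where-Object {
            $change = $_
            # A change is covered only when an approved record names the same GPO and the
            # same actor, and the change time falls inside the approved change window.
            $covered = $Approvals | Where-Object {
                $_.GpoDN -eq $change.ObjectDN -and $_.Actor -eq $change.Actor -and
                $change.Time -ge $_.Start -and $change.Time -le $_.End
            }
            -not $covered
        }
}

# Live collection from a DC (run from an audit workstation with event log read rights):
#   $changes = Get-WinEvent -ComputerName DC01 -FilterHashtable @{LogName='Security'; Id=5136,5137,5141} |
#                  ConvertFrom-DsChangeEvent

# Constructed sample. The Default Domain Policy GPO always carries the GUID below; the
# domain and account names are invented for this example.
$defaultDomainPolicy = 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example'
$changes = @(
    [pscustomobject]@{ Time=[datetime]'2017-03-04 21:10'; EventId=5136; Actor='adm-okafor'; ObjectClass='groupPolicyContainer'; ObjectDN=$defaultDomainPolicy; Attribute='versionNumber' }
    [pscustomobject]@{ Time=[datetime]'2017-03-11 02:47'; EventId=5136; Actor='adm-bello';  ObjectClass='groupPolicyContainer'; ObjectDN=$defaultDomainPolicy; Attribute='versionNumber' }
    [pscustomobject]@{ Time=[datetime]'2017-03-11 02:48'; EventId=5136; Actor='adm-bello';  ObjectClass='user'; ObjectDN='CN=T. Test,OU=Staff,DC=corp,DC=example'; Attribute='description' }
)
$approvals = @(
    [pscustomobject]@{ ChangeRef='CR-2017-031'; GpoDN=$defaultDomainPolicy; Actor='adm-okafor'; Start=[datetime]'2017-03-04 20:00'; End=[datetime]'2017-03-04 23:00' }
)
Find-UnapprovedGpoChanges -Changes $changes -Approvals $approvals | Format-Table Time, Actor, Attribute, ObjectDN -AutoSize
```

The check is deliberately strict: a GPO edit outside the approved window, or by a person other than the one named on the change request, is reported even when a request exists for that GPO, which is the evidence the auditor needs to ask the Systems Administration team for the reason behind the change.
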

3. Security Administration.

Test Procedure: Verify the services and ports that have been enabled on the Domain Controller (DC) and other critical servers. Verify that port assignment and administration promote system security and availability while ensuring that known or default ports are not used.
Implication: Poor vulnerability management and assessment.
Source of audit Evidence: System configuration reports.

Test Procedure: Verify that ex-staff/disengaged staff of the organization have been disabled on the network (Active Directory, email server as well as other systems where they had initially been granted access).
Implication: Unauthorized access to the organization's intranet network and email facility. The ex-staff would have access to the entire organization's internally restricted communications to members of staff.
Source of audit Evidence: Active Directory and Exchange Server.

Test Procedure: Verify the integrity of the Domain Controllers/Active Directory by matching the list of active users with the current staff list from the Human Resources department. Ensure that all users are authorized and that there are no duplicated or generic accounts. Also, verify the administrators given access to the DC to ensure that they are authorized.
Implication: Risk to the confidentiality and integrity of information assets. Giving a duplicate account to an individual for access to enterprise systems (e.g. email, domain network, etc.) is a violation of the access control procedure.
Source of audit Evidence: Active Directory and Exchange Server.

Test Procedure: Verify that access to unauthorized websites is restricted/blocked for network users using robust and licensed web blocker software. Also, verify that users' actions/activities on the organization's domain are effectively monitored and controlled centrally through the group domain policies.
Implication: Access to unauthorized websites and domains could expose the organization to possible attacks as well as distract staff members from their jobs and responsibilities.
Source of audit Evidence: System configuration report.

Test Procedure: Verify that prompt preventive maintenance is carried out on critical enterprise servers to ensure that impending faults or failures are detected and prevented before they result in system failure or downtime.
Implication: Risk of service disruption.
Source of audit Evidence: Interview.

Test Procedure: Verify that workstation hostnames conform to the approved naming convention established by the system administration unit and that all servers and workstations on the network are integrated and centrally managed from the domain controller.
Implication: Difficulty in enforcing domain group policies and controls as well as loss of the ease of centralized administration.
Source of audit Evidence: AD workstation list.

Test Procedure: Verify that all Windows servers and workstations on the network are joined to the domain and monitored centrally from the domain controller.
Implication: Difficulty in enforcing domain group policies and other required system controls that will ensure security.
Source of audit Evidence: McAfee ePO performance report (rogue) and AD workstation list.

Test Procedure: Verify that the default local administrator account on all Windows servers has been renamed and ensure that administrators do not routinely make use of the local machine administrator account but their individual user accounts.
Implication: Risk of hackers or malicious users gaining access to the servers in the event of compromise.
Source of audit Evidence: Server administration report.
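
The rename check in the preceding test procedure cannot rely on the account name, since the name is exactly what changes. The built-in local Administrator account always has relative identifier (RID) 500 in its SID, so the PowerShell below keys on the SID and reports whether the RID-500 account still carries the default name. This is an added example, not code from the book; it assumes Windows 10/Server 2016 or later, where the Get-LocalUser cmdlet exists, and the sample accounts are constructed.

```powershell
# Added example (not from the book): detect whether the built-in local Administrator
# account (RID 500) on a Windows server has been renamed.
# Assumptions: Get-LocalUser is available (Windows 10 / Server 2016 or later); the
# sample accounts and server name below are constructed for this example.

function Test-BuiltinAdminRenamed {
    param(
        # Local accounts with Name, SID and Enabled properties (as returned by Get-LocalUser).
        [Parameter(Mandatory)] [object[]] $LocalUsers,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # The built-in administrator is the account whose SID ends in the well-known RID 500,
    # whatever its display name is.
    $builtin = $LocalUsers | Where-Object { $_.SID.ToString() -like 'S-1-5-21-*-500' }
    if (-not $builtin) { throw "No RID-500 account found among the supplied accounts for $ComputerName." }
    $renamed = $builtin.Name -ne 'Administrator'
    $finding = if ($renamed) { 'OK' } else { 'Default local administrator account has not been renamed' }
    [pscustomobject]@{
        Computer    = $ComputerName
        AccountName = $builtin.Name
        Enabled     = $builtin.Enabled
        Renamed     = $renamed
        Finding     = $finding
    }
}

# Live use on the server being reviewed:
#   Test-BuiltinAdminRenamed -LocalUsers (Get-LocalUser)
# For a fleet, run the same call on each server through Invoke-Command and collect the objects.

# Constructed sample: a server whose built-in account still carries the default name.
$sample = @(
    [pscustomobject]@{ Name='Administrator'; SID='S-1-5-21-1004336348-1177238915-682003330-500';  Enabled=$true }
    [pscustomobject]@{ Name='Guest';         SID='S-1-5-21-1004336348-1177238915-682003330-501';  Enabled=$false }
    [pscustomobject]@{ Name='svc_backup';    SID='S-1-5-21-1004336348-1177238915-682003330-1003'; Enabled=$true }
)
Test-BuiltinAdminRenamed -LocalUsers $sample -ComputerName 'SRV-FILE01'
```

Whether administrators use the local account day to day (the second half of the test procedure) is answered from the Security log rather than from the account list: logons by the RID-500 account show up with that account's name in the 4624 logon events, so the same SID-based identification can be applied to the event data.
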
Test Procedure: Verify that proper separation of duties is being enforced in the user management of the Active Directory/domain controller, to allow relevant departments like HR and the Systems Control unit to participate in the user management process (account creation, account activation, password reset and account deletion). The system administration unit is only authorized to create, reset and delete users that have been vetted by HR and the IS Control unit.
Implication: Risk of unauthorized access and creation of fictitious accounts on the AD.
Source of audit Evidence: Interview and system review.

Test Procedure: Verify the existence of a computer asset disposal policy and procedure. Confirm that they are being followed in the disposal of computer assets.
Implication: Lack of procedure and guidelines on computer asset disposal could lead to disposal of the wrong assets and disposal of computer assets holding vital business information, which could be stolen or used by a third party.
Source of audit Evidence: Computer assets disposal policy.

Test Procedure: Review the security logs of the following servers to detect possible security incidents/violations: web servers/IIS, GFI, Exchange email server, Domain Controller, high-risk member servers.
Implication: System incident management and audit trail.
Source of audit Evidence: System evidence.

Test Procedure: Obtain and review all vendor contracts and service level agreements to identify the responsibilities for preventive maintenance. Determine whether preventive maintenance is performed as required. Ensure that security and performance clauses are included and being enforced.
Implication: Security and service breaches due to an unenforceable service level agreement (SLA).
Source of audit Evidence: Documented SLAs.

Test Procedure: Ensure that all service vendors on contract have the relevant expertise and capabilities to provide support services as contracted and in a prompt manner. Verify that vendor performance is monitored.
Implication: System support.
Source of audit Evidence: Documentations.

Test Procedure: Review the logs (SYSTEM and SECURITY) for entries made by privileged accounts such as Enterprise_Admin, Domain Admin and SYSTEM. Ensure that their usage is authorized.
Implication: Lack of responsibility, accountability and non-repudiation of the actions of super users and administrators.
Source of audit Evidence: System review.

Test Procedure: Match the actual number of workstations on the network with the record in the domain controller (DC) database. Verify that both records agree and ensure that the DC is not clogged with non-existent terminals, which adds administrative overhead on the Domain Controller.
Implication: Wastage of limited system resources.
Source of audit Evidence: McAfee ePO performance report, Domain controller database and the record of deployed systems from the Infrastructure department.

4. Log Management.

Test Procedure: Verify that the security logs of all enterprise and Windows servers are being captured, retained and reviewed regularly. Request evidence of review and escalation of security incidents. Verify the default log size and overwrite settings to ensure that logs are retained.
Implication: Audit trail.
Source of audit Evidence: System logs.

Test Procedure: Verify that the activities of privileged users and system administrators are being logged for audit trail.
Implication: Audit trail.
Source of audit Evidence: System report.
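
The log size and overwrite settings named in the first test procedure above are the MaximumSizeInBytes and LogMode values of each Windows event log. The PowerShell below is an added example, not code from the book: it evaluates those settings across a set of servers and reports a log that is disabled, smaller than the size the audit requires, or set to overwrite old events on a server whose logs are not also shipped to the central log management solution. The minimum sizes and the list of forwarded hosts are audit parameters chosen for the example, and the sample configuration is constructed.

```powershell
# Added example (not from the book): review Windows event log size and overwrite
# settings on a set of servers.
# Assumptions: remote event log access is permitted from the audit workstation; the
# minimum sizes and the list of hosts forwarded to the SIEM are parameters chosen for
# this example; the sample configuration below is constructed.

function Test-EventLogRetention {
    param(
        # One object per log per server: MachineName, LogName, MaximumSizeInBytes, LogMode, IsEnabled
        [Parameter(Mandatory)] [object[]] $LogConfigs,
        [hashtable] $MinimumSizeBytes = @{ Security = 1GB; System = 256MB; Application = 256MB },
        [string[]] $ForwardedHosts = @()    # servers whose logs are shipped to the central log solution
    )
    foreach ($cfg in $LogConfigs) {
        $findings = @()
        if (-not $cfg.IsEnabled) { $findings += 'log disabled' }
        $min = $MinimumSizeBytes[$cfg.LogName]
        if ($min -and $cfg.MaximumSizeInBytes -lt $min) {
            $findings += "size $([math]::Round($cfg.MaximumSizeInBytes / 1MB)) MB below minimum $([math]::Round($min / 1MB)) MB"
        }
        # LogMode Circular overwrites the oldest events when the log is full, so events are
        # lost unless they are also retained centrally. Retain stops logging when full and
        # AutoBackup archives the full log; neither silently discards events.
        if ($cfg.LogMode -eq 'Circular' -and $cfg.MachineName -notin $ForwardedHosts) {
            $findings += 'overwrite-as-needed without central forwarding'
        }
        $finding = if ($findings) { $findings -join '; ' } else { 'OK' }
        [pscustomobject]@{
            Server  = $cfg.MachineName
            Log     = $cfg.LogName
            SizeMB  = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
            Mode    = $cfg.LogMode
            Finding = $finding
        }
    }
}

# Live collection (Get-WinEvent -ListLog returns the configuration without the host
# name, so it is added as a calculated property):
#   $configs = foreach ($s in $servers) {
#       Get-WinEvent -ListLog Security, System, Application -ComputerName $s |
#           Select-Object @{n='MachineName';e={$s}}, LogName, MaximumSizeInBytes, LogMode, IsEnabled
#   }

# Constructed sample: a DC with a small, circular Security log and a member server
# whose Security log stops logging when full.
$sample = @(
    [pscustomobject]@{ MachineName='DC01';      LogName='Security'; MaximumSizeInBytes=20MB;  LogMode='Circular'; IsEnabled=$true }
    [pscustomobject]@{ MachineName='DC01';      LogName='System';   MaximumSizeInBytes=512MB; LogMode='Circular'; IsEnabled=$true }
    [pscustomobject]@{ MachineName='SRV-APP02'; LogName='Security'; MaximumSizeInBytes=2GB;   LogMode='Retain';   IsEnabled=$true }
)
Test-EventLogRetention -LogConfigs $sample -ForwardedHosts 'DC01' | Format-Table -AutoSize
```

A Retain setting is not automatically the safer choice: once such a log fills, no further events are written until it is cleared, so the size check and the mode check have to be read together.
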

5. Logical Access Controls.

Test Procedure: Verify that the password policy implemented in the domain controller/Active Directory conforms to the organization's password policy. Also, verify that the following password complexity requirements are met in line with the password policy: aging, reuse and history, complexity (alphanumeric and special characters), account lockouts/failed attempts, etc.
Implication: Risk of brute force attacks.
Source of audit Evidence: Active Directory and domain controller password configuration.

Test Procedure: Obtain the list of users created on the Active Directory, Exchange server and member servers and verify that all users were authorized and are authenticated via a chosen password.
Implication: Risk of unauthorized access.
Source of audit Evidence: Active Directory access control list.

Test Procedure: Obtain the list of groups, system or service accounts created on the domain controller/AD servers and ensure that all accounts were properly authorized. Ensure that the SYSTEM group contains no users (including administrative users). Confirm that only system administrators are defined in the Domain Admins group.
Implication: Vulnerability that could give escalated privileges or rights to unauthorized individuals/staff members on the organization's enterprise systems.
Source of audit Evidence: Domain controller configuration.

Test Procedure: Verify that all unwanted accounts are either disabled or deleted (e.g. the guest account). Verify that access to system files is restricted to protect them from unauthorized access or modification.
Implication: Risk of unauthorized access.
Source of audit Evidence: Domain controller configuration.

Test Procedure: Verify that automatic data integrity checks are performed on all file downloads and uploads (i.e. FTP and TFTP activities).
Implication: Risk of file or data modification or corruption.
Source of audit Evidence: Domain controller configuration.

Test Procedure: Verify that account lockout control is implemented on all enterprise systems/servers via the Active Directory in line with the IT Security policy, to limit password guessing or brute force attacks. Accounts with unsuccessful logins after the third attempt shall be locked out to prevent further attempts or brute force on the system. However, they can also be reset by the System Administrators in line with the policy.
Implication: Risk of password guessing or brute force attack.
Source of audit Evidence: Active Directory and domain controller password configuration.
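
The password and lockout tests above compare the policy the domain actually enforces with the policy the organization has written down. The PowerShell below is an added example, not code from the book: it takes the effective domain policy in the shape returned by the RSAT cmdlet Get-ADDefaultDomainPasswordPolicy and scores each control against a threshold. The lockout threshold of three failed attempts is the one the audit program states; the other thresholds stand in for the organization's own policy and should be replaced with it, and the sample domain settings are constructed.

```powershell
# Added example (not from the book): compare the effective domain password and lockout
# policy with the organization's written policy.
# Assumptions: the RSAT ActiveDirectory module is installed for live use; the lockout
# threshold of 3 comes from the audit program, the other thresholds are placeholders for
# the organization's own policy; the sample domain settings below are constructed.

function Test-DomainPasswordPolicy {
    param(
        # Object with the property names used by Get-ADDefaultDomainPasswordPolicy.
        [Parameter(Mandatory)] $Effective,
        [int] $MinLength = 12,
        [int] $HistoryCount = 12,
        [int] $MaxAgeDays = 90,
        [int] $LockoutThreshold = 3,
        [int] $LockoutMinutes = 30
    )
    $maxAge   = $Effective.MaxPasswordAge.TotalDays
    $duration = $Effective.LockoutDuration.TotalMinutes
    $checks = @(
        @{ Control='Minimum password length'; Expected=">= $MinLength";          Pass=($Effective.MinPasswordLength -ge $MinLength) }
        @{ Control='Password history';        Expected=">= $HistoryCount";       Pass=($Effective.PasswordHistoryCount -ge $HistoryCount) }
        # A maximum age of zero means passwords never expire, which fails the aging requirement.
        @{ Control='Maximum password age';    Expected="1..$MaxAgeDays days";    Pass=(($maxAge -gt 0) -and ($maxAge -le $MaxAgeDays)) }
        @{ Control='Complexity enabled';      Expected='True';                   Pass=([bool]$Effective.ComplexityEnabled) }
        @{ Control='Reversible encryption';   Expected='False';                  Pass=(-not $Effective.ReversibleEncryptionEnabled) }
        # A lockout threshold of zero means accounts are never locked out.
        @{ Control='Lockout threshold';       Expected="1..$LockoutThreshold";   Pass=(($Effective.LockoutThreshold -ge 1) -and ($Effective.LockoutThreshold -le $LockoutThreshold)) }
        # A lockout duration of zero keeps the account locked until an administrator resets
        # it, which is the manual reset the audit program allows for.
        @{ Control='Lockout duration';        Expected="0 (manual) or >= $LockoutMinutes min"; Pass=(($duration -eq 0) -or ($duration -ge $LockoutMinutes)) }
    )
    foreach ($c in $checks) {
        $result = if ($c.Pass) { 'Pass' } else { 'FAIL' }
        [pscustomobject]@{ Control = $c.Control; Expected = $c.Expected; Result = $result }
    }
}

# Live use:  Test-DomainPasswordPolicy -Effective (Get-ADDefaultDomainPasswordPolicy)

# Constructed sample: complexity is on, but passwords are short and lockout is switched off.
$effective = [pscustomobject]@{
    MinPasswordLength           = 8
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [timespan]::FromDays(42)
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 0
    LockoutDuration             = [timespan]::FromMinutes(30)
}
Test-DomainPasswordPolicy -Effective $effective | Format-Table -AutoSize
```

The default domain policy is not necessarily the whole picture: fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can apply different settings to particular groups, so where any exist each should be run through the same checks.
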
Test Procedure: Verify that security violation reports are reviewed and escalated to management where breaches were noted, for management action and improvement.
Implication: Lack of management information and action in the event of unauthorized activities or security breaches.
Source of audit Evidence: Domain controller configuration.

Test Procedure: Examine utilization reports to determine the times of peak resource demand on the network for adequate resource and capacity planning.
Implication: Loss of capacity or service degradation due to lack of monitoring of system capacity for load balancing.
Source of audit Evidence: Server capacity plan and management reports from monitoring tools, for example AppManager, ManageEngine, etc.

Test Procedure: Request the user registration and de-registration procedure for systems (servers, workstations, network devices and mobile handhelds). Ensure that the registration and de-registration procedure addresses all information security requirements as elucidated in the information security policy.
Implication: Risk of unauthorized access.
Source of audit Evidence: IT Security Policy, Access Control Procedure.

Test Procedure: Obtain the list of users created on the organization's Active Directory and given access to several systems and servers in the network, and confirm that the process stipulated in the policy was followed. Verify that the necessary authorizations were obtained from relevant stakeholders before access was granted to users or administrators alike.
Implication: Risk of unauthorized access.
Source of audit Evidence: IT Security Policy, Access Control Procedure, AD user access list.

Test Procedure: Obtain the list of staff members who exited within the period under review from the Human Resources department and confirm that their access on the Active Directory and other associated systems has been revoked in line with the information security policy.
Implication: Risk of unauthorized access.
Source of audit Evidence: Access Control Procedure, AD user access list, current and ex-staff list from the Human Resources Department.

Test Procedure: Obtain and review the Active Directory users' and administrators' access list to ensure that access was granted on a need-to-have basis and in line with their job functions. Cases of escalated privileges (i.e. access creep) should be noted for immediate correction, while the User Access Management team is to provide an explanation for such access creep where applicable.
Implication: Risk of unauthorized access.
Source of audit Evidence: IT Security Policy, Access Control Procedure, AD user access list.

Test Procedure: Confirm that generic accounts are not being assigned to users or administrators. All users should be assigned unique user IDs with which to access the system. All user accounts must have passwords to ensure accountability and responsibility by all users.
Implication: Risk of unauthorized access.
Source of audit Evidence: AD access control list.
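
Several of the tests in audit areas 3 and 5 come down to one reconciliation: the Active Directory user list against the Human Resources staff list (disabled ex-staff, no duplicate accounts per person, no generic accounts). The PowerShell below is an added example, not code from the book, that performs that reconciliation in one pass. It assumes the HR extract carries an employee number that is stored in the AD employeeID attribute, treats the generic-account name patterns as an audit parameter, and uses constructed sample data throughout.

```powershell
# Added example (not from the book): reconcile Active Directory user accounts with the
# HR staff list. Reports enabled accounts of exited staff, accounts with no HR record,
# people holding more than one account, and generic (shared) account names.
# Assumptions: the AD employeeID attribute holds the HR employee number; the generic
# name patterns are an audit parameter; all sample data below is constructed.

function Compare-AdUsersToHr {
    param(
        # AD users: SamAccountName, Enabled, EmployeeID
        # (live: Get-ADUser -Filter * -Properties employeeID)
        [Parameter(Mandatory)] [object[]] $AdUsers,
        # HR records: EmployeeID, Name, Status ('Active' or 'Exited')
        [Parameter(Mandatory)] [object[]] $HrStaff,
        [string[]] $GenericPatterns = @('^admin\d*$', '^test', '^temp', '^shared', '^guest$')
    )
    $hrById = @{}
    foreach ($h in $HrStaff) { $hrById[[string]$h.EmployeeID] = $h }
    # Count accounts per employee number to catch duplicates for the same person.
    $accountsPerEmployee = $AdUsers | Where-Object EmployeeID | Group-Object EmployeeID

    foreach ($u in $AdUsers) {
        $issues = @()
        $hr = if ($u.EmployeeID) { $hrById[[string]$u.EmployeeID] }
        if (-not $hr) {
            $issues += 'no HR record (generic, service or orphaned account?)'
        } elseif ($hr.Status -eq 'Exited' -and $u.Enabled) {
            $issues += "exited staff still enabled (HR: $($hr.Name))"
        }
        foreach ($p in $GenericPatterns) {
            if ($u.SamAccountName -match $p) { $issues += 'generic account name'; break }
        }
        $dup = $accountsPerEmployee | Where-Object { $_.Name -eq [string]$u.EmployeeID -and $_.Count -gt 1 }
        if ($dup) { $issues += "employee holds $($dup.Count) accounts" }
        if ($issues) {
            [pscustomobject]@{
                Account    = $u.SamAccountName
                EmployeeID = $u.EmployeeID
                Enabled    = $u.Enabled
                Issues     = ($issues -join '; ')
            }
        }
    }
}

# Constructed sample: one exited employee still enabled, one person with two accounts,
# and a test account with no HR record.
$hr = @(
    [pscustomobject]@{ EmployeeID='E1001'; Name='A. Okafor'; Status='Active' }
    [pscustomobject]@{ EmployeeID='E1002'; Name='B. Bello';  Status='Exited' }
    [pscustomobject]@{ EmployeeID='E1003'; Name='C. Musa';   Status='Active' }
)
$ad = @(
    [pscustomobject]@{ SamAccountName='aokafor'; Enabled=$true; EmployeeID='E1001' }
    [pscustomobject]@{ SamAccountName='bbello';  Enabled=$true; EmployeeID='E1002' }
    [pscustomobject]@{ SamAccountName='cmusa';   Enabled=$true; EmployeeID='E1003' }
    [pscustomobject]@{ SamAccountName='cmusa2';  Enabled=$true; EmployeeID='E1003' }
    [pscustomobject]@{ SamAccountName='test01';  Enabled=$true; EmployeeID=$null }
)
Compare-AdUsersToHr -AdUsers $ad -HrStaff $hr | Format-Table -AutoSize
```

Accounts with no HR record are not all findings: legitimate service accounts fall into that category too, so the output is a list to clear against the authorized service-account register rather than a list of violations.
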

6. Business Continuity, Disaster Recovery and Backup.

Test Procedure: Verify that users' conversations on Lync chat (now Skype for Business) or the Lotus application are backed up externally and stored offsite.
Implication: Loss of critical organization data in the event of a system crash or disaster affecting the main processing facility.
Source of audit Evidence: System backup files and backup records both onsite and offsite (backup register or card).

Test Procedure: Verify that the organization has an email usage and retention policy. Check the architecture of the email system in use to ensure redundancy, categorization/prioritization of email accounts (EXCO, senior management, middle management, etc.), storage requirements and partitioning. Verify that external backups of staff emails are taken and stored offsite.
Implication: Loss of email and critical organization data in the event of a system crash or disaster affecting the main processing facility.
Source of audit Evidence: System backup files and backup records both onsite and offsite (backup register or card).

Test Procedure: Verify that a disaster recovery site has been established for the continuity and recovery of critical enterprise business services, servers and applications in the event of a system crash or disaster affecting the main facility.
Implication: Risk of prolonged downtime and unavailability of critical business services or applications in the event of a system crash or disaster affecting the main facility.
Source of audit Evidence: Interview.

Test Procedure: Review the procedure for the creation and recycling of backup media (disks/drives and tapes). Determine that the backup procedure provides for the ability to adequately recover: operating systems, transaction data (databases), system utilities, application programs.
Implication: Loss of critical data in the event of a system crash or disaster affecting the main processing facility.
Source of audit Evidence: Documentations.

Test Procedure: Verify that daily backup is carried out for all critical servers and applications. Verify that backup data files are tested for readability on a planned basis by restoring them in designated environments.
Implication: Loss of critical data in the event of a system crash or disaster affecting the main processing facility.
Source of audit Evidence: No documentary evidence.

Test Procedure: Review the tape management procedure to determine whether an accurate inventory of tapes is kept and proper labeling of tape media is done to prevent wrong submission or substitution of tapes. Assess the tape storage area to ascertain whether there is adequate security and access control.
Implication: Risk of tape misplacement and substitution because of poor documentation and labeling.
Source of audit Evidence: Observation.

7. Vulnerability Management.

Test Procedure: Verify that computers on the network are monitored and controlled centrally from the domain controller and that restrictions on the installation of software are enforced to prevent the installation of unlicensed/unauthorized software.
Implication: Risk of system vulnerability or breach that could result from the installation of unlicensed/unauthorized software.
Source of audit Evidence: Domain controller group policy setting/configuration.

Test Procedure: Verify that rules have been set up on the antivirus/anti-spyware (McAfee antivirus) server to prevent malware attacks, and ensure that the server vulnerability database is updated whenever signature file and engine (DAT) updates are available from the software vendor.
Implication: Risk of virus and denial of access attacks arising from malware and other system vulnerabilities.
Source of audit Evidence: Microsoft System Centre.

Test Procedure: Are there workstations and servers on the network using anti-virus software that is not approved by the organization? Are there controls to detect workstations and servers on the network on which antivirus software was not installed?
Implication: Risk of spread of viruses and malware on the network.
Source of audit Evidence: System evidence.

Test Procedure: Verify the existence of a procedure for patch administration and management for the Windows infrastructure. Check the cycle established for Windows updates and verify that they are adequate and promptly distributed on the network to all servers and workstations. Isolate workstations and servers that do not receive updates on the network from the anti-virus/endpoint server (McAfee ePO). Check the Windows update server (Microsoft System Centre) for proper configuration.
Implication: Risk of vulnerability resulting from lack of application of patches for Windows operating systems/infrastructure.
Source of audit Evidence: System evidence.

Test Procedure: Review the problem/incident reporting/resolution tracking system and determine whether:
• Problems/incidents are appropriately logged and prioritized.
• Corrective measures are implemented in a timely manner.
• Management reporting procedures are adequate.
Implication: Poor problem/incident management could lead to system disruption and service failure.
Source of audit Evidence: Log of problem/incident management from the system/application.
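
The patch cycle test above asks whether updates actually reach every server and which hosts should be isolated because they do not. The PowerShell below is an added example, not code from the book: from each server's installed-hotfix list it derives the date of the last patch, measures it against the patch cycle, and separately reports expected servers that returned no patch data at all, since a host that cannot be queried is the one most likely to have dropped out of the update process. The 45-day cycle is an audit parameter for the example, and the sample data is constructed.

```powershell
# Added example (not from the book): measure patch currency per server from its
# installed-hotfix list and flag hosts outside the patch cycle or not reporting.
# Assumptions: Get-HotFix (Win32_QuickFixEngineering) is reachable on each host; the
# 45-day cycle is a parameter chosen for this example; the sample data is constructed.

function Test-PatchCurrency {
    param(
        # Hotfix records: PSComputerName (or Source), HotFixID, InstalledOn
        # (live: Get-HotFix -ComputerName $servers)
        [Parameter(Mandatory)] [object[]] $HotFixes,
        [Parameter(Mandatory)] [string[]] $ExpectedServers,   # from the DC computer list / asset register
        [int] $MaxAgeDays = 45,
        [datetime] $AsOf = (Get-Date)
    )
    $byServer = $HotFixes | Group-Object { if ($_.PSComputerName) { $_.PSComputerName } else { $_.Source } }
    foreach ($server in $ExpectedServers) {
        $group = $byServer | Where-Object Name -eq $server
        if (-not $group) {
            # No records at all: the host did not answer or has never been patched.
            [pscustomobject]@{ Server=$server; LastPatch=$null; DaysSince=$null; Finding='no patch data (candidate for isolation and investigation)' }
            continue
        }
        # InstalledOn can be empty on some hotfix records, so only dated entries are used.
        $last = ($group.Group | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
        $days = if ($last) { [int]($AsOf - $last).TotalDays } else { $null }
        $finding = if ($null -eq $days) { 'hotfixes present but no install dates' } elseif ($days -gt $MaxAgeDays) { "last patch $days days ago, outside the $MaxAgeDays-day cycle" } else { 'OK' }
        [pscustomobject]@{ Server=$server; LastPatch=$last; DaysSince=$days; Finding=$finding }
    }
}

# Constructed sample: one current server, one that has not been patched for months,
# and one expected server with no data.
$hotfixes = @(
    [pscustomobject]@{ PSComputerName='SRV-APP02'; HotFixID='KB0000001'; InstalledOn=[datetime]'2017-02-20' }
    [pscustomobject]@{ PSComputerName='SRV-APP02'; HotFixID='KB0000002'; InstalledOn=[datetime]'2017-03-15' }
    [pscustomobject]@{ PSComputerName='SRV-FILE01'; HotFixID='KB0000001'; InstalledOn=[datetime]'2016-11-02' }
)
Test-PatchCurrency -HotFixes $hotfixes -ExpectedServers 'SRV-APP02','SRV-FILE01','SRV-DB03' -AsOf ([datetime]'2017-04-01') |
    Format-Table -AutoSize
```

The KB numbers in the sample are placeholders, not real updates. In a live run the expected-server list should come from the same source the audit program uses to count workstations and servers (the domain controller database and the Infrastructure department's record), so that a host missing from the patch data is recognised rather than silently skipped.
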

8. Active Directory Server (Domain Controller) Controls.

Test Procedure: Request the security baseline configuration document for the Windows infrastructure (including Active Directory/Domain Controller servers, Windows member servers and Windows workstations) and ensure that it adequately addresses the organization's information security and control requirements.
Implication: Lack of a baseline configuration for the Active Directory (AD) could lead to the setup of a vulnerable/weak DC, which could be exploited to hurt the organization.
Source of audit Evidence: Documented security baseline configuration.

Test Procedure: Compare the configuration on the Domain Controller (DC) servers with that documented in the security baseline configuration document or standard operating procedure (SOP) for the Windows infrastructure. Highlight variations/exceptions and confirm the reasons for the variations with the Systems Administration team. Ensure that all security policies as documented are implemented and being enforced.
Implication: Risk of a poorly configured system, which could expose the company to a security breach.
Source of audit Evidence: Baseline configuration document and AD default domain policies.

Test Procedure: Review the Default Domain Group Policy (GPO) settings as well as the specific policies targeted at specific systems or groups of systems on the Active Directory servers, and ensure that they address all requirements for the security and confidentiality of the organization's information assets. Also, review the policies created for specific Organizational Units (OUs) and ensure that they are adequate for security. Some of the general policies are: account authentication mechanism and technology (Kerberos), account lockout, Windows services like Remote Registry (RR), Remote Procedure Call (RPC) and Windows Management Instrumentation (WMI), object change logging, account/event log, GPO, password requirement and complexity settings, etc.
Implication: System vulnerability and risk of unauthorized access due to poor configuration of the Active Directory group policy objects.
Source of audit Evidence: Active Directory (AD) GPO settings.

Test Procedure: Verify that all workstations and servers on the AD have been enrolled with a unique naming convention for ease of identification. Naming can be based on their location or on the business units where they are used.
Implication: Inability to properly identify workstations and servers on the network for accountability and investigation when the need arises.
Source of audit Evidence: Active Directory system tree list.

Test Procedure: Confirm that systems not joined to the organization's domain network are not allowed to connect to the network or use any network resources (including acquiring an IP address). As a matter of fact, self-owned PCs or personal digital assistants (PDAs) should not be allowed on the network without proper authorization. The organization can deploy a robust Network Access Control (NAC) solution such as Portnox NAC to effectively control and restrict access to the network and its resources.
Implication: Risk of unauthorized access and abuse of network resources for fraudulent purposes.
Source of audit Evidence: List of systems not joined to the organization's domain network, which can be fetched from the NAC solution or from the AD.

Test Procedure: Confirm that the organization has a Bring Your Own Device (BYOD) policy that guides the use of self-owned PCs and PDAs on the organization's network, to ensure security and prevent abuse/misuse or unauthorized use of information assets as well as other associated vulnerabilities.
Implication: Risk of unauthorized access and introduction of malicious software (malware) into the network from self-owned PCs and PDAs, which could hurt the organization.
Source of audit Evidence: BYOD policy and procedure as well as evidence of monitoring and enforcement of BYOD rules on self-owned PCs and PDAs using endpoint management tools (such as McAfee ePO) and the Active Directory.

Test Procedure: Confirm that the environment on the Active Directory/Domain Controller (AD/DC) to which BYOD terminals are to connect has been provisioned and relevant rules applied to restrict and control access as well as to enforce BYOD rules, to ensure compliance of self-owned PCs and PDAs for effective monitoring and security.
Implication: Risk of unauthorized access and introduction of malicious software (malware) into the network from self-owned devices (PCs and PDAs), which could hurt the organization.
Source of audit Evidence: BYOD policy and procedure as well as evidence of monitoring and enforcement of BYOD rules on self-owned PCs and PDAs using endpoint management tools (such as McAfee ePO) and the Active Directory.

Test Procedure: Verify the number of active Domain Controller (DC) servers installed on the network and ensure that they are adequate to balance the load on the network, based on the number of users and workstations/servers accessing resources on the network. Such loads are the number of network users, the number of PCs (workstations), the number of servers, etc. For example, in a network of 7000 users and 6500 workstations and servers, an average of four Domain Controllers may be needed to balance the load or demand for resources on the network. Confirm that the DC servers are connected in a manner that will ensure redundancy and high availability in the network (primary and secondary connected in a mesh network connection).
Implication: Lack of load balancing and redundancy in the DC architecture could lead to failures and downtime when fewer DCs are overloaded/overutilized, as against when the DC servers are adequate to support the demands on the organization's network.
Source of audit Evidence: Active Directory/domain controller configuration and resource reports.

Test Procedure: Identify the staff of the Systems Administration team/department that have Domain Admin privilege on the Active Directory/DC. Ensure that their regular network access account (the same as for every other member of staff) is different from the account they use to administer the domain (i.e. the Domain Admin account). For example, the accounts used to access enterprise network resources such as login rights on the network, access to email, etc., should be different from the accounts used to access the domain controller (AD) for performing administrative/super user functions on the servers.
Implication: Risk of abuse of administrative privileges because of lack of segregation of duties/rights on the network.
Source of audit Evidence: Active Directory/domain controller configuration, account access logs and group policy change logs.

Test Procedure: Confirm that Domain Admin privileged accounts are only used for administration purposes when the need arises and not for daily network access.
Implication: Risk of abuse of administrative privileges because of lack of segregation of duties/rights on the network.
Source of audit Evidence: Active Directory/domain controller configuration, account access logs and group policy change logs.
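
The two Domain Admin tests above, together with the Domain Admins membership test in audit area 5, can be answered from three inputs: the group membership, the full user list and the logon records. The PowerShell below is an added example, not code from the book, that checks each Domain Admins member against the approved administrator list, confirms the person also has a separate day-to-day account (matched through the employeeID attribute), and reports interactive logons by the privileged account on anything other than a domain controller. The "adm-" naming prefix for privileged accounts is an assumed convention, and the approved list, logon records and sample accounts are constructed.

```powershell
# Added example (not from the book): review Domain Admins membership and the
# separation between privileged and day-to-day accounts.
# Assumptions: privileged accounts carry an "adm-" prefix by naming convention; the
# employeeID attribute links a person's accounts; logon records come from 4624 events
# or a SIEM export; all sample data below is constructed.

function Test-DomainAdmins {
    param(
        # Members of Domain Admins: SamAccountName, EmployeeID
        # (live: Get-ADGroupMember 'Domain Admins' -Recursive | Get-ADUser -Properties employeeID)
        [Parameter(Mandatory)] [object[]] $DomainAdmins,
        # All AD users: SamAccountName, EmployeeID, Enabled
        [Parameter(Mandatory)] [object[]] $AllUsers,
        [Parameter(Mandatory)] [string[]] $ApprovedAdmins,   # the approved administrator register
        [object[]] $Logons = @(),                            # Account, Workstation, LogonType
        [string[]] $DomainControllers = @(),
        [string] $AdminPrefix = 'adm-'
    )
    foreach ($a in $DomainAdmins) {
        $issues = @()
        if ($a.SamAccountName -notin $ApprovedAdmins) { $issues += 'not on the approved Domain Admin list' }
        if ($a.SamAccountName -notlike "$AdminPrefix*") { $issues += 'does not follow the privileged-account naming convention' }
        $dailyAccount = $AllUsers | Where-Object {
            $_.EmployeeID -and $_.EmployeeID -eq $a.EmployeeID -and $_.SamAccountName -ne $a.SamAccountName }
        if (-not $dailyAccount) { $issues += 'no separate day-to-day account for this person' }
        # Logon type 2 (interactive) or 10 (remote interactive) anywhere other than a DC
        # means the privileged account is being used for ordinary work.
        $badLogons = $Logons | Where-Object {
            $_.Account -eq $a.SamAccountName -and $_.LogonType -in (2, 10) -and $_.Workstation -notin $DomainControllers }
        if ($badLogons) {
            $hosts = ($badLogons.Workstation | Sort-Object -Unique) -join ', '
            $issues += "interactive logon outside the DCs ($hosts)"
        }
        $summary = if ($issues) { $issues -join '; ' } else { 'OK' }
        [pscustomobject]@{ Admin = $a.SamAccountName; EmployeeID = $a.EmployeeID; Issues = $summary }
    }
}

# Constructed sample: one properly separated administrator who nevertheless logged on
# to a finance workstation, and one person whose only account is in Domain Admins.
$domainAdmins = @(
    [pscustomobject]@{ SamAccountName='adm-okafor'; EmployeeID='E1001' }
    [pscustomobject]@{ SamAccountName='bbello';     EmployeeID='E1002' }
)
$allUsers = @(
    [pscustomobject]@{ SamAccountName='aokafor';    EmployeeID='E1001'; Enabled=$true }
    [pscustomobject]@{ SamAccountName='adm-okafor'; EmployeeID='E1001'; Enabled=$true }
    [pscustomobject]@{ SamAccountName='bbello';     EmployeeID='E1002'; Enabled=$true }
)
$logons = @(
    [pscustomobject]@{ Account='adm-okafor'; Workstation='DC01';      LogonType=10 }
    [pscustomobject]@{ Account='adm-okafor'; Workstation='WKS-FIN07'; LogonType=2 }
)
Test-DomainAdmins -DomainAdmins $domainAdmins -AllUsers $allUsers -ApprovedAdmins 'adm-okafor' `
    -Logons $logons -DomainControllers 'DC01','DC02' | Format-Table -AutoSize
```

Running Get-ADGroupMember with -Recursive matters: nested groups inside Domain Admins grant the same privilege to their members, and a review that stops at direct members misses them.
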
Test Procedure: The Enterprise_Admin account is the highest privileged account in the Active Directory/Domain Controller servers. It is the owner of the server. Confirm that the password to this account has been dualized between the Systems Administration team and the Systems Control team to ensure checks and balances and prevent abuse. Copies of the password should also be securely sent to/warehoused in the offsite storage facility or in a fireproof cabinet to ensure they are available and accessible when needed. Note: this is the only account that can be used to recover or access the system when everything else has failed (i.e. the account of last resort).
Implication: Risk of unauthorized access, abuse of admin privileges and lack of checks and balances if its use is abused or in the event that the password to the account is not dualized.
Source of audit Evidence: System review and interview of responsible officers.
Confirm that the Lack of adequate System review,
organization deployed audit trail as well as audit/event logs
a robust log risk of System
management and Administrators
correlation solution like deleting logs of their
Arcsight to collect activities if the logs
Active are not
Directory/Domain independently
Controller (AD/DC) logs warehoused in a tool
as they occur and like Arcsight.
independently store
them for investigation
purpose when the need
arises.
Confirm that logs of the Lack of vital audit trail System review,
Active Directory have of users and audit/event logs
been enabled to administrators’ of users and
capture Users and activities. administrators.
Administrators’ activities
in the system for audit
trail. Such logs are not
limited to account
event log, policy object
change log, event log,
successful and failed
login access log, etc.
Ensure that there is user Risk of unauthorized Access control
registration and access. policy and
deregistration procedure, user
procedure in the access list, and
administration and access logs.
Page 138 of 296
access on the Active
Directory servers.
Confirm that there is a
procedure of
deactivating
disengaged staff
members as well as
those on vacation from
the system to prevent
them from gain
unauthorized access.
Verify the existence of Lack of uniform and Security baseline
security baseline standard configuration
configurations configuration for documents and
document for workstations could standard
installation of lead to poorly operating
PCs/workstations (i.e. configured systems, as procedure.
Windows desktops, such resulting to
laptops and PDAs) to compromise of
ensure uniformity of security of systems in
configuration and the organization’s
enforcement of security network with its
standard as required by attendant effect on
the organization. the confidentiality,
Request for the integrity and
checklist used in setting availability of
up new workstations to information assets.
confirm its adequacy.
Verify the existence of Lack of uniform and Security baseline
security baseline standard configuration
configurations configuration for documents and
document for enterprise servers standard
installation of enterprise could lead to poorly operating
servers (Windows configured systems, as procedure.
Servers, virtual such resulting to
machines/virtualized compromise of
infrastructure, UNIX/AIX security of enterprise
and Linux) to ensure servers in the
uniformity of organization’s
configuration and network with its
enforcement of security attendant effect on
standard as required by the confidentiality,
Page 139 of 296
the organization. integrity and
Request for the availability of
checklist used in setting information assets.
up new servers to
confirm adequacy.
Verify that there are Acquisition of Hardware
hardware security substandard systems security baseline
baseline specifications could lead to configuration
(for disk space, performance documents.
memory, processor degradation and
type & speed, system system capacity issues
brand) for Windows leading to low
infrastructure (servers productivity and
and workstations) for inefficiency that will
acquisition purposes. impact negatively on
Ensure that there is a the business
procedure in place to operations.
verify these
specifications before a
system in purchased
and deployed on the
network.
Verify that no account RAS dial-in results to Active directory
on the network are vulnerability that group policy
enabled for Remote could cause object settings
Access Service (RAS) unauthorized persons report.
dial-in. (members of staff or
external parties) to
access the
organization’s systems
remotely either within
or outside the
network.
Test procedure: Verify that the security features enabled or disabled on workstations are adequate. Verify that the following settings in the default group policy were disabled to ensure adequate system security: “access this computer remotely”, “add workstation to the domain”, “store password using reversible encryption”. Note that default group policy objects apply to everyone/all users on the network.
Risk implication: Vulnerable system configuration could lead to compromise of security for systems (workstations and servers) on the network.
Evidence: Active Directory group policy object settings report.
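The two checks above (accounts enabled for RAS dial-in, and the “store password using reversible encryption” setting) can be run against exported evidence rather than read off the console. The script below is an added example and is not from the book; it assumes two constructed inputs: a `secedit /export`-style policy file, in which the `ClearTextPassword` key under `[System Access]` carries the reversible-encryption setting, and a CSV of user accounts exported with the Active Directory `msNPAllowDialin` attribute. Account names and values are made up for the example.

```python
import csv
import io

# Constructed sample of a "secedit /export /cfg" style policy export.
# Values are invented for this example; ClearTextPassword = 1 means
# "Store passwords using reversible encryption" is enabled.
SECEDIT_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed CSV export of user accounts with the AD dial-in attribute
# (msNPAllowDialin); an empty value means "control access through policy".
AD_USER_EXPORT = """SamAccountName,Enabled,msNPAllowDialin
jdoe,True,
svc_backup,True,TRUE
asmith,False,TRUE
rjones,True,FALSE
"""


def parse_secedit(text):
    """Return the key/value pairs of the [System Access] section as a dict."""
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "System Access" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def reversible_encryption_enabled(secedit_text):
    """True when the policy stores passwords with reversible encryption."""
    return parse_secedit(secedit_text).get("ClearTextPassword") == "1"


def dialin_enabled_accounts(csv_text):
    """Enabled accounts explicitly allowed RAS dial-in (msNPAllowDialin = TRUE)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted(
        row["SamAccountName"]
        for row in rows
        if row["Enabled"] == "True"
        and row["msNPAllowDialin"].strip().upper() == "TRUE"
    )


def audit_findings(secedit_text, csv_text):
    """Collect exceptions in the form an auditor would carry into the report."""
    findings = []
    if reversible_encryption_enabled(secedit_text):
        findings.append("Default policy stores passwords using reversible encryption")
    for account in dialin_enabled_accounts(csv_text):
        findings.append(f"Account {account} is enabled for RAS dial-in")
    return findings


if __name__ == "__main__":
    for finding in audit_findings(SECEDIT_EXPORT, AD_USER_EXPORT):
        print(finding)
```

An auditor would replace the two constants with the real exports and attach the returned findings as exceptions; a `ClearTextPassword` value of `1` is the condition the checklist wants disabled, and disabled accounts with the attribute set are ignored because they cannot dial in until re-enabled.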
Test procedure: Verify the services that were enabled on the organization’s Windows servers and the Active Directory/Domain Controllers. Ensure that the following vulnerable services and settings were disabled before deployment: web (www) publishing service, FTP publishing service, telnet service, SMTP, NetMeeting, remote desktop sharing, routing and remote access, terminal services, Windows Media, indexing service, etc.
Risk implication: Vulnerable system configuration could lead to compromise of security for systems (workstations and servers) on the network.
Evidence: Active Directory group policy object settings report.

Test procedure: Verify that the group policy objects configured on the Domain Controllers (DC) are used to effectively control the organization’s systems (servers and workstations) and other network resources. Also, verify that the following defective group policy settings were disabled to ensure systems security: block policy inheritance; no override or disabled; computer configuration; user configuration; Authenticated Users not having read and apply group policy access set.
Risk implication: Vulnerable system configuration could lead to compromise of security for systems (workstations and servers) on the network.
Evidence: Active Directory group policy object settings report.
Test procedure: Verify that the following Windows system configuration files were documented (hardcopy or in server directories): Windows system security management, File and Object security management, Windows Network security management, Server Fault management.
Risk implication: Documenting the above will lead to effective documentation and audit trail.
Evidence: Active Directory group policy object settings report.

9. Endpoint Management and Data Loss Prevention (DLP).
Test procedure: Confirm that the organization has deployed a robust endpoint management solution for the administration of all endpoints, for example McAfee ePolicy Orchestrator (ePO), Norton Symantec Anti-Malware solution or Trend Micro solution.
Risk implication: Lack of endpoint management and data loss prevention solutions increases the risk of spread of viruses and malware on the network.
Evidence: Evidence of deployment of the endpoint solution, as well as independent system review.

Test procedure: Ensure that antivirus and antispyware software, as well as their agents, have been installed on all workstations and servers for the detection and control of malware (spyware, viruses, Trojans, etc.).
Risk implication: Lack of antivirus and antispyware software and their agents increases the risk of spread of viruses and malware on the network.
Evidence: Evidence of deployment of antivirus, antispyware and their agents on the network. Obtain the report from the endpoint management solution, as well as independent system review.

Test procedure: Ensure that all systems are enrolled on the endpoint solution (McAfee ePO or Norton Symantec solutions) and that the latest updates and patches are received and deployed to all connected systems.
Risk implication: Lack of application of updates and patches for antivirus and antispyware software, as well as of installation of the latest versions of their agents, increases the risk of spread of viruses and other malware on the network.
Evidence: List of systems enrolled on the endpoint management solution/data loss prevention tools.
Test procedure: Confirm that endpoint management solution (e.g. McAfee) agents that are no longer supported by the software vendor are removed and upgraded accordingly.
Risk implication: Risk of attacks and system breach due to the use of unsupported endpoint solution agents. Such agents may no longer download updates and patches, leaving the affected host systems unprotected.
Evidence: Obtain the vulnerability report from the endpoint management solution (e.g. McAfee ePO). The report will show the systems on the network and the versions of endpoint agents installed on them. Compare this list with the versions of endpoint agents advised by the solution owners on their website. Note versions that are already out of support (i.e. end-of-life) and extract exceptions.

Test procedure: Ensure that “rogue” systems (i.e. systems that do not have any endpoint solution agent installed) are kept at a minimal level across the network. Rogue systems, according to McAfee’s definition, are those systems that do not have any McAfee Agent installed on them. The ePO vulnerability checks on the network detect such systems as rogue and report them accordingly. In a large, geographically dispersed network, rogue systems could occur from time to time for support reasons (such as reinstalled/reformatted systems put on the network without endpoint agents installed, or the use of self-owned PCs or PDAs on the network). As such, the Endpoint Administrator should ensure that this is minimized.
Risk implication: Allowing rogue systems on the network increases the risk of spread of viruses and malware on the network and exposes the organization to attacks.
Evidence: Obtain the list of rogue systems (systems without McAfee agents installed) from the endpoint management solution and note rogue systems for immediate regularization.
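The comparison described in the two evidence columns above (installed agent versions against the vendor’s supported list, and systems with no agent at all) is shown below as a script over a constructed export in the shape an endpoint console such as ePO produces. This is an added example, not from the book or from any vendor; the column names, hostnames, versions and the set of supported release lines are assumptions for the example, and in a real review they come from the console export and the vendor’s published end-of-life table.

```python
import csv
import io

# Constructed export of "systems and agent versions" in the shape an endpoint
# management console (ePO-like) produces; hostnames and versions are invented.
AGENT_REPORT = """SystemName,IPAddress,ManagedState,AgentVersion
FIN-WS-001,10.20.1.15,Managed,5.6.1.308
FIN-WS-002,10.20.1.16,Managed,4.8.0.1938
HR-WS-010,10.20.2.40,Managed,5.5.1.462
BR-LAPTOP-07,10.30.5.9,Unmanaged,
DC-CORE-01,10.20.0.5,Managed,5.6.1.308
"""

# Agent release lines the vendor still supports, as the auditor records them
# from the vendor's end-of-life table. Placeholder values for this example.
SUPPORTED_AGENT_LINES = {"5.5", "5.6"}


def release_line(version):
    """Reduce a full agent version (e.g. 5.6.1.308) to its major.minor line."""
    return ".".join(version.split(".")[:2])


def classify_systems(report_csv, supported_lines):
    """Split the report into rogue, unsupported-agent and compliant systems."""
    rogue, unsupported, compliant = [], [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        version = row["AgentVersion"].strip()
        if row["ManagedState"] != "Managed" or not version:
            # No agent at all: a "rogue" system in the console's terminology.
            rogue.append(row["SystemName"])
        elif release_line(version) not in supported_lines:
            # Agent installed, but its release line is end-of-life.
            unsupported.append((row["SystemName"], version))
        else:
            compliant.append(row["SystemName"])
    return {"rogue": rogue, "unsupported": unsupported, "compliant": compliant}


def rogue_rate(result):
    """Share of inventoried systems with no endpoint agent (0.0 to 1.0)."""
    total = sum(len(group) for group in result.values())
    return len(result["rogue"]) / total if total else 0.0


def exception_lines(result):
    """Exceptions in the form they would be carried into the audit report."""
    lines = [f"{name}: no endpoint agent installed (rogue system)"
             for name in result["rogue"]]
    lines += [f"{name}: agent {version} is on an unsupported release line"
              for name, version in result["unsupported"]]
    return lines


if __name__ == "__main__":
    outcome = classify_systems(AGENT_REPORT, SUPPORTED_AGENT_LINES)
    print(f"rogue rate: {rogue_rate(outcome):.0%}")
    for line in exception_lines(outcome):
        print(line)
```

The rogue rate gives the auditor a single figure to track across review periods, while the exception lines are the items that go back to the Endpoint Administrator for regularization.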
Test procedure: Review the organization’s Acceptable Use of Information Assets policy and ensure that it adequately protects the organization from information security related incidents. Where there is provision for restriction on the use of the internet (surfing/browsing), USB, memory card slots and CD drives during working hours, the necessary configuration should be implemented in the endpoint solution to enforce these restrictions for compliance with the policy.
Risk implication: Risk to the confidentiality, integrity and availability of information assets arising from exposure to the internet, where users could visit vulnerable/malicious sites from which malware (viruses, spyware, Trojans, ransomware, etc.) could be downloaded into the network. Also, USB, memory card slots and CD drives could be used to steal confidential information or to introduce malicious/unauthorized software/programs into the network, to the detriment of the organization.
Evidence: Obtain a copy of the acceptable use of information assets policy, as well as the corresponding configuration made in the endpoint management solution or other security monitoring tools, to confirm compliance with the policy.
Test procedure: Confirm whether there are specific tools or software whose use is prohibited or controlled/restricted on the network. Such tools or software include, but are not limited to, TeamViewer, DameWare, Wireshark, password crackers, etc. Ensure that rules are set up on the endpoint system to monitor and enforce compliance on the usage of these tools on the network if blacklisted. In the event that they are detected, confirm that the necessary management approval was obtained before use; otherwise, escalate for management action and the meting of sanctions where applicable. Note: the above-mentioned tools are important remote support tools used in the industry, but cases of their abuse have been reported. As such, it is the duty of management to review these tools and ascertain whether they are to be allowed on the network or not, based on need. Where business exigencies require them, appropriate approval should be obtained before usage.
Risk implication: Risk of attacks and system breach arising from the use of blacklisted or potentially unwanted programs (PUPs).
Evidence: Obtain the report from the endpoint management solution on the breaches recorded in the network within the period under review. Also, ensure that the necessary alerts/triggers have been put in place to notify the administrators or concerned persons of any breach for immediate management action.
Test procedure: Confirm that the acceptable use of information assets policy is clear on the use of unofficial/external email (e.g. Yahoo Mail, Gmail, etc.) on the organization’s network. It has been noted that such external email accounts have been used to steal the organization’s confidential information and/or trade secrets for private use or for disclosure to competitors. As such, it is the duty of management, or of those responsible for information security within the organization, to be clear on the use of private/external email. Where it has been prohibited by the organization in its acceptable use of information assets policy, the necessary configuration should be put in place on the network (ISA/TMG/proxy server) to prevent the use of such email on the organization’s network.
Risk implication: Risk of theft of the organization’s confidential information or trade/business secrets via private/external email not hosted by the organization, with its attendant impact on information security.
Evidence: Obtain the configuration report from the ISA/TMG/proxy server on the breaches recorded in the network within the period under review. Also, confirm that the configuration is adequate and ensures restriction of external/private email on the network. Ensure that the necessary alerts/triggers have been put in place to notify the administrators or concerned persons of any breach for immediate management action.

CHAPTER – 9 Audit of Financial Technology and Payment Applications

Audit Program for Financial Technology (Fintech) and Payment Applications (Online Banking and Electronic Payment Apps)

Audit Objective
The objective of the exercise is to evaluate the effectiveness and efficiency of controls in place to minimize the risk to the confidentiality, integrity and availability of e-banking and e-payment application systems.

Audit Scope
This audit program is suitable for review of the following types of solutions:
Electronic banking and payment solutions, issuer or processor core applications
(such as Postilion FEP Real-time/Office, Postcard, TranswareCMS, FIMI, ITC), Card
Management Systems/Applications (Card issuing application), Payment gateway
solutions, Online/Internet Banking, Mobile money solutions, Prepaid Cards, Money
Transfer applications (e.g. Western Union, MoneyGram, Ria, Transfast, etc.),
SMS/USSD banking, Transaction alert services, Electronic Statement system, etc.
However, specific attention will be paid on the following areas:

· Policies, procedures and guidelines on electronic banking and payment products and services.
· Vendor/third party services and service level agreements.
· Logical access controls.
· Application security.
· Database security.
· Operating system security.
· Compliance with relevant standards such as PCI-DSS, ISO27001, ISO22301.
· Separation of duties (dual controls).
· Payment card personalization, production and distribution.
· PIN generation and security.
· Front-end processor.
· ATM, POS and Web payment security.
· Physical security of payment infrastructures.

Background Knowledge required before the audit.


· Previous internal and external audit reports on the subject area.
· Department organogram and job descriptions
· Policies, procedures and guidelines for electronic banking and payments.
· Best practices guides and regulatory frameworks (PCI-DSS, ISO27001,
ISO22301, SANS)
· Risk Assessment of electronic payment applications and processes.
· Business impact analysis.

Audit Checklist for Financial Technology (Fintech) and Payment Applications
(Online Banking and Electronic Payment Apps)

S/N Audit area Test Procedure Implications

1. Policies and Procedures.
Test procedure: Verify that the Electronic Banking Technology Unit has an operating manual that guides its processes, systems support and operations as they relate to the delivery of e-banking and e-payment services. Ensure that the manual has been communicated to staff members of the unit and is accessible to the users that need it.
Implication: Lack of an operating procedural manual could lead to non-uniformity and misalignment of processes, which may be counterproductive.

Test procedure: Verify the existence of user manuals, technical manuals, product papers, data dictionaries and procedural manuals for all electronic banking and payment applications acquired by the organization.
Implication: Lack of self-support for users.

Test procedure: Verify that the E-Banking Technology Support Unit maintains a Business Asset Master (BAM) of all its assets and that it is being updated to reflect all information assets in the custody of the unit, as required by ISO.
Implication: Inadequate monitoring and protection of the organization’s information assets.

2. Review of Service Level Agreement.
Test procedure: Verify the existence of service level agreements (SLA) for all electronic products and applications acquired from external parties (vendors).
Implication: No contractual service agreement between the parties involved. Lack of clear service terms and conditions between both parties.

Test procedure: Verify that all service level agreements between the organization and its vendors clearly state and define the terms of service, and that performance and security clauses (e.g. right-to-audit clause, indemnity, penalties, performance clauses, non-disclosure agreement) that will protect the organization against the actions or inactions of vendors that might result in service failures were stipulated.
Implication: Lack of a service level agreement with a clear liability clause and key performance indicators limits the organization’s ability to take action in the event of a service or security breach.

Test procedure: Verify that an escrow agreement or clause was included in the service level agreement (SLA) between the organization and the software vendors, to ensure that application source code is available or accessible to the organization in the event that such vendors go out of business.
Implication: Lack of escrow clauses in the service level agreement could lead to unavailability of application source code, with its attendant effect on business continuity in the event that the vendor goes out of business.

Test procedure: Verify that adequate documentation for electronic products acquired from vendors is in place. Such documents are the product/project initiation document, request for proposals (RFP), approvals, proof of user acceptance test (UAT), product manuals (user and technical), etc.
Implication: Lack of documentation that would impede after-sales support.

3. Logical Access control.
Test procedure: Review the user access list of electronic banking and payment applications managed by the E-Banking Technology Support unit and ensure that all access was duly authorized and granted on a need-to-do basis. Request samples of user access authorization forms and ensure they were duly authorized and properly created.
Implication: Risk of unauthorized access.

Test procedure: Verify that there is adequate separation of duties in the management and administration of all electronic payment applications, such that application and database security, accountability and responsibility for user actions are promoted. In other words, verify that the support team does not perform functions such as user management activities on the applications and databases that they support. User management responsibility is the prerogative of the Systems Control department, as stipulated in the Information Security Policy. This is to ensure adequate segregation of duties. Verify that the above control applies to all applications and databases in scope of the audit review.
Implication: Lack of separation of duties control will not ensure application and database security.

Test procedure: Verify that generic or default accounts are not used by users to access applications or databases. Ensure that users access applications and databases with their individual unique user IDs and passwords for proper accountability and non-repudiation of access.
Implication: The use of generic accounts for user access will not ensure accountability and non-repudiation of users’ actions on the system and could encourage password sharing among users.

Test procedure: Verify that users were not assigned multiple accounts on the applications or databases that could give them the ability to perform multiple roles on applications or databases concurrently; for example, a user performing the roles of inputter and authorizer/verifier at the same time in an application. Ensure that there is maker/checker control in the application based on the criticality of the application as highlighted in the risk assessment report.
Implication: Lack of separation of duties and maker/checker controls will not ensure application and database security and, as such, could lead to compromise with its attendant impact on the organization.

Test procedure: Verify that access rights of disengaged staff, as well as staff members currently on vacation, are promptly disabled on all electronic payment applications and their corresponding databases. Request the list of disengaged staff and staff members on vacation from the Human Resources Department and verify that their accounts were suspended as required.
Implication: Risk of unauthorized access.

Test procedure: Verify that adequate controls were implemented to ensure strong password parameters (upper and lower case, alphanumeric, special character, minimum length, ageing and complexity), secret question and answer, One Time Password and token/second factor authentication on relevant electronic banking and payment applications, as required by the organization’s information security policy.
Implication: Risk of unauthorized access.

Test procedure: Ensure that there are strong edit and input validation checks to prevent SQL injection and buffer overflow on the applications.
Implication: Risk of fraud and cyber-attacks.
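The edit and input validation check above is easiest to test with the defect and the fix side by side. The example below is added here and is not from the book; it uses Python’s built-in `sqlite3` module and a constructed two-row user table. The first lookup builds its SQL by string concatenation, so a value containing a quote changes the query’s logic and matches every row; the second applies an allow-list rule to the username and binds both values as parameters, so the same input is treated as data.

```python
import re
import sqlite3


def build_sample_db():
    """In-memory table standing in for an application's user store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def matching_users_vulnerable(conn, username, password_hash):
    """Login check built by string concatenation: user input becomes SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone()[0]


# Edit check: the only shape a username is allowed to take.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def matching_users_hardened(conn, username, password_hash):
    """Same check with an input validation rule plus a parameterised query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username fails input validation")
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    # Bound parameters are sent as values; the database never parses them as SQL.
    return conn.execute(sql, (username, password_hash)).fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    crafted = "' OR '1'='1"
    print("vulnerable:", matching_users_vulnerable(db, "alice", crafted))  # 2
    print("hardened:  ", matching_users_hardened(db, "alice", crafted))    # 0
```

The vulnerable variant is included only to make the review check concrete: the control the checklist asks for is the combination of an input rule and a parameterised query, and a reviewer should look for string-built SQL anywhere user input reaches the database. The same query with the crafted value returns the whole table in the first form and nothing in the second.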
Test procedure: Verify that the password policies implemented on the electronic payment applications under review conform to the organization’s password policy on minimum length, ageing, complexity requirements (case sensitivity, alphanumeric and special character composition), reuse, etc.
Implication: Risk of brute force attack.
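The conformance check above is mechanical once the application’s parameters are exported, so the added example below (not from the book) encodes the organization’s policy as a dictionary and compares each application’s settings against it. The policy values and the two applications’ settings are placeholders; a real review would take the policy figures from the information security policy and the settings from each application’s administration screen. A maximum age of 0 is treated as “never expires”, which fails any ageing requirement.

```python
# The organization's password policy, as the auditor records it from the
# information security policy. Values are placeholders for this example.
ORG_PASSWORD_POLICY = {
    "min_length": 8,          # minimum characters
    "max_age_days": 90,       # ageing: must be changed at least this often
    "history_size": 12,       # reuse: number of previous passwords remembered
    "require_upper_lower": True,
    "require_digit": True,
    "require_special": True,
}

# Constructed parameters as exported from two applications under review.
APP_SETTINGS = {
    "OnlineBanking": {
        "min_length": 10, "max_age_days": 60, "history_size": 12,
        "require_upper_lower": True, "require_digit": True, "require_special": True,
    },
    "MobileMoney": {
        "min_length": 6, "max_age_days": 0, "history_size": 3,
        "require_upper_lower": True, "require_digit": True, "require_special": False,
    },
}


def evaluate_password_settings(settings, policy):
    """Return one finding per parameter that is weaker than the policy."""
    findings = []
    for key, required in policy.items():
        actual = settings.get(key)
        if isinstance(required, bool):
            ok = actual is True
        elif key == "max_age_days":
            # 0 or missing means passwords never expire: weaker than any limit.
            ok = actual is not None and 0 < actual <= required
        else:
            ok = actual is not None and actual >= required
        if not ok:
            findings.append(f"{key}: configured {actual!r}, policy requires {required!r}")
    return findings


def conformance_report(all_settings, policy):
    """Findings per application; an empty list means the application conforms."""
    return {app: evaluate_password_settings(s, policy) for app, s in all_settings.items()}


if __name__ == "__main__":
    for app, findings in conformance_report(APP_SETTINGS, ORG_PASSWORD_POLICY).items():
        print(app, "conforms" if not findings else findings)
```

Each finding names the parameter, the configured value and the policy value, which is the form the exception would take in the working papers.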
Test procedure: Confirm that every user access request is documented with details of the systems/services/applications/information assets to which access is to be granted, together with the level of access that is granted.
Implication: Risk of unauthorized access.

Test procedure: Obtain the list of ex-staff from the Human Resources Department and confirm that access rights of ex-staff have been revoked upon separation from the organization, whether through resignation or termination of employment. Also, verify that access rights of third parties that were given access during their engagement with the organization have been revoked upon completion of service agreements or upon termination of service.
Implication: Risk of unauthorized access.

Test procedure: Confirm that access rights are being reviewed quarterly by the responsible department, as stipulated in the information security policy. The report on the outcome of the review should be provided to the audit team, and evidence of management action should also be in place.
Implication: Risk of unauthorized access not being detected.

4. Application Security.
Test procedure: Verify that the organization has conducted penetration tests and vulnerability scans on all e-payment applications and their databases to ascertain the extent of security and controls built into them, as required by the PCI-DSS framework.
Implication: Security flaws in these applications might not be detected.

Test procedure: Verify that there is adequate separation of duties in the management and administration of all e-banking and payment applications, such that application developers are not allowed to manage/administer their applications in the production environment. Ensure separation of duties between the application developers, the application administrator and support team, the database administrators and the quality assurance team.
Implication: This is a breach of the separation of duty control required to ensure that developers do not administer their applications in the production system, which prevents cover-up of flaws or malicious code. Also, application administrators and developers should not be given super user rights on the application database.

Test procedure: Ensure encryption on all financial applications by verifying the installation of digital certificates on all web pages used to perform funds transfer, money transfer, bill payment or other payment activities. Also, ensure that the digital certificates are valid, not expired and issued by a recognized certificate authority (CA).
Implication: Lack of confidentiality and integrity of the electronic payment solution due to absence of end-to-end encryption.

Test procedure: Verify that the organization’s internal IP addresses were not added/exposed in URLs of internet-facing e-payment applications that are accessed from the cloud. Confirm that the organization and its vendors (processors) communicate or exchange services via secured VPN channels with proper tunneling.
Implication: Risk of disclosure of the organization’s internal IP addresses, which could be used for attacks by hackers, as well as risk of unauthorized access or hijacking of sessions or communications between the organization and its third-party vendors or processors.
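The internal-IP check above is a pattern search over captured URLs and page source, shown here as an added example that is not from the book. It matches IPv4 addresses and flags only those in the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); the sample content, hostnames and addresses are constructed, with 203.0.113.9 (a documentation range) standing in for a legitimate public address. Python’s `ipaddress.is_private` is deliberately not used, because it also classifies documentation and other special-purpose ranges as private and would produce false findings.

```python
import ipaddress
import re

# RFC 1918 private address space; any of these in public-facing content is an
# exposed internal address for the purpose of this check.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Four dotted octets not embedded in a longer dotted/numeric token.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample of page source and URLs captured from an internet-facing
# payment application; hosts and addresses are invented.
SAMPLE_CONTENT = """
https://pay.example.test/transfer?next=https://pay.example.test/confirm
<form action="http://192.168.10.25:8080/api/v1/transfer">
<script src="https://cdn.example.test/static/app.js"></script>
var statusUrl = "http://10.0.3.17/status";
<a href="https://203.0.113.9/help">help</a>
"""


def is_internal(ip_text):
    """True only for syntactically valid addresses inside an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918_NETWORKS)


def find_internal_ips(text):
    """Sorted unique RFC 1918 addresses found in URLs or page source."""
    hits = {m.group(1) for m in IPV4_RE.finditer(text) if is_internal(m.group(1))}
    return sorted(hits, key=ipaddress.ip_address)


def findings_by_line(text):
    """Map each internal address to the line numbers that exposed it (working papers)."""
    result = {}
    for number, line in enumerate(text.splitlines(), start=1):
        for ip in find_internal_ips(line):
            result.setdefault(ip, []).append(number)
    return result


if __name__ == "__main__":
    for ip, lines in findings_by_line(SAMPLE_CONTENT).items():
        print(f"{ip} exposed on line(s) {lines}")
```

Run over a crawl of the application’s public pages, the line map tells the developer exactly where the address appears; the same check applied to redirect targets and API endpoints catches the back-end hosts that are most often leaked.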
Test procedure: Ensure that the ATM PIN portal (BSS server) does not display PINs in plain numbers at the point of issuance.
Implication: Risk of compromise of ATM PINs and its attendant effect of fraud on the organization.

Test procedure: Ensure that all e-payment applications were connected/enrolled on the company’s file integrity monitoring (FIM) solution, such as Tripwire, for detection of changes in the application and for accountability.
Implication: Lack of accountability, responsibility and non-repudiation because of non-monitoring of changes in the application files, folders and scripts.

Test procedure: Verify the architecture of the company’s Online/Internet Banking application. Ensure that redundancy has been built into the architecture due to the high processing demand from online users. For example, the Online Banking application could be installed on four web-facing servers connected/synchronized in a mesh topology for redundancy. This connection ensures that the four servers mirror each other and are in sync in real time. Load balancers are installed to intercept users’ requests and route them to the servers in a manner that efficiently balances the load, to avoid overburdening one server against the others.
Implication: Lack of adequate redundancy and load balancing in the application architecture could lead to service disruption when the primary server experiences downtime, as against when there is more than one server.

Test procedure: Ensure that critical e-payment services are recoverable at the organization’s Disaster Recovery Site. Replicas of the production servers at the main processing facility should be installed at the DR site in such a manner that the DR servers (application and database) mirror the production servers at the main site. Also, network connectivity independent of the main processing site should be available in the event that the main site is inaccessible or services are disrupted. This will ensure that the organization can promptly restore its services from the DR site with minimal downtime.
Implication: Risk of service disruption in the event that the main processing site is inaccessible.

5. Database Security.
Test procedure: Verify that default or generic accounts do not exist in the databases of e-payment applications. Ensure that all database service accounts are protected and not used for login to the database.
Implication: Lack of accountability and non-repudiation of user actions on the database.

Test procedure: Verify that the E-Banking Technology Support staff do not also have administrative rights on the applications’ databases, which contravenes the separation of duties control. Ensure that dedicated database administrators were appointed to administer application databases.
Implication: Application Administrators are super users on the application and set the parameters and business rules required for the application to function effectively, while Database Administrators manage data and access to the applications’ databases. Entrusting these two critical functions to one individual is a security risk and violates proper segregation of duty control.

Test procedure: Verify that the MSSQL servers that serve as database management software (DBMS) for e-payment applications are not configured to use the default port (i.e. 1433), and ensure that other default settings peculiar to MSSQL have been changed.
Implication: Every hacker on the internet knows that the default port for SQL Server is 1433. Hence, they could effortlessly attack the MSSQL database and compromise its security once a successful intrusion into the network has been achieved. On the contrary, when SQL Server is configured to listen on any port other than 1433, a hacker would be forced to spend more time to discover the port.

Test procedure: Verify that MSSQL Server 2000, 2005 and 2008 are not used as database management software (DBMS) for any e-payment application, due to a known flaw that allows the Domain Controller Administrators to be super users on the database, and also given that they are already out of support with the application vendor.
Implication: Inability to enforce separation of duties. This implies that Domain Controller Administrators of the organization can equally function as Database Administrators (DBA) on the affected databases.

Test procedure: Ensure that production data is not used directly as test data in the test environment without concealing the data. This is to ensure the confidentiality of sensitive customer or cardholder information.
Implication: The test environments are accessible to vendors and developers. Consequently, keeping sensitive data such as cardholders’ information in the test environment without concealing it is a breach of confidentiality controls.

Test procedure: Verify that the following have been disabled:
· USB ports on servers running MSSQL, to prevent people from using flash drives.
· Internet browsing and surfing settings.
Implication: Insertion of USB drives, as well as browsing on a server processing e-payment or cardholder data, is a security risk and, as such, creates a loophole that could be exploited by hackers or unauthorized persons to compromise the SQL Server database.

Test procedure: Verify that the production database of all e-payment applications is logically separated from the test database and not mounted on the same SQL Server instance.
Implication: Since security is not always a priority in test environments, mounting production and test databases on the same SQL Server instance is a security risk, which could expose the live database to unauthorized access.

Test procedure: Ensure that the test and live database servers are physically and logically separated and are accessed with different IP addresses.
Implication: Physically and logically separating the live and test database servers is a good practice that ensures the security of the live database.

Test procedure: Ensure that all e-payment application databases are connected to a database monitoring tool, such as Imperva, to effectively monitor all users’ and administrators’ activities for audit trail.
Implication: Lack of audit trail of database users’ and administrators’ activities.

Test procedure: Ensure the Online Banking database server was installed in a secured VLAN on the network, that the VLAN is restricted to authorized users/support personnel only, and that all requests from the application are channeled via a database service account.
Implication: Risk of unauthorized access to the database that could compromise the confidentiality, integrity and availability requirements of the application.

6. Operating System Security.
Test procedure: Ensure that the latest antivirus patches were installed on all servers hosting e-payment applications in the organization. Ensure that the antivirus applications are regularly updated.
Implication: Risk of virus and malware attacks.

Test procedure: Ensure that all e-payment servers receive regular patch updates from the vendor to close vulnerabilities whose patches are available from the vendor.
Implication: Risk of vulnerabilities being exploited due to lack of prompt and routine patch updates.

Test procedure: Verify the version of the operating systems of all e-payment application and database servers (in the case of a Windows environment) and ensure that all servers are running on at least Windows Server 2012 and above. An immediate plan should be made to update servers still running on Windows Server 2008.
Implication: Risk of running servers already out of support from the vendor, with its attendant effect on availability of support and security.

Test procedure: Verify that users granted either console or remote access to the operating system of e-payment application servers are authorized and that access was given on a need-to-do basis.
Implication: Risk of unauthorized access.

Test procedure: Ensure that operating system logs (application, system and security) of all e-payment application and database servers are consolidated on a log management and correlation tool such as ArcSight.
Implication: Lack of audit trail of users’ and administrators’ activities on the servers.

7. Data Backup and Log Management.
Test procedure: Ensure that there is a documented backup and restore procedure for e-payment application data. Also, verify that a recovery point objective and a recovery time objective have been established for all e-payment application data.
Implication: Risk of data loss and leakages.

Test procedure: Review the backup procedures, established frequencies and other documentation to determine the following:
1) Adequacy of backup frequency and retention periods for external backup data.
2) Adequacy of procedures relating to in-house and off-site storage of backup media/tapes and programs.
3) Whether critical backups are stored in a secure, off-site location.
Implication: Loss of data in the event of a system crash or disaster affecting the main processing site.

Test procedure: Check to ensure that the activities of operating system and application administrators are logged, adequately protected and backed up, to prevent those users from accessing or deleting the logs to cover up malicious activities.
Implication: Loss of audit trail of privileged user accounts for investigation when the need arises.

Test procedure: Verify that backup tapes of all e-payment application data are encrypted before they are sent to the offsite facility, as required by PCI-DSS standards.
Implication: Risk to the confidentiality, integrity and availability of the application data.

Test procedure: Verify that logs of user activities on e-payment applications and their databases (MSSQL) are backed up externally for audit trail purposes.
Implication: Lack of audit trail.

8. Change management.
Test procedure: Verify that every system change or modification follows the approved change management process (i.e. completion and authorization of the change management request form) and ensure that stakeholders’ authorization or approvals are obtained as required.
Implication: Risk of unauthorized changes in the production system.

CHAPTER – 10 Audit of UNIX and LINUX Operating Systems Infrastructure

Audit Program for UNIX Operating Systems Infrastructure (IBM AIX and SUN Solaris)

Audit Objective
The objective of the exercise is to evaluate the adequacy and effectiveness of
controls in place to minimize the risk of unauthorized access, disclosure of classified
information and system downtime/unavailability.

Audit Scope
The audit program covers security and administration of UNIX operating systems (IBM AIX server and SUN Solaris server), in addition to LINUX systems. Specific attention will be paid to the following areas:
· Policies, procedures and guidelines for UNIX system administration.
· Logical access controls (user profiles and privileges).
· Separation of duties.
· Security parameter setup.
· Patch management.
· System support and change management.
· Log management.
· Backup and business continuity.

Background Knowledge required before the audit.


· Previous internal and external audit reports on the subject area.
· Department organogram and job descriptions
· Policies, procedures and guidelines for UNIX system administration.
· Best practices guides.
· Risk Assessment of UNIX environment.
· Business impact analysis for UNIX environment.
· Administration procedure for UNIX environment.

Audit Checklist for UNIX Operating System Infrastructures (IBM AIX and SUN Solaris)

S/N Audit area Test Procedure Risk Implications


1. Organization and Administration.
Test procedure: Obtain an organizational chart (organogram) of the group or department responsible for the administration of the UNIX operating systems (AIX/Solaris servers). Ensure that responsibility for the administration of the UNIX environment has been assigned and that there are clear reporting lines to senior management.
Risk implication: Inability to establish responsibility and accountability, as well as to ascertain the existence of separation of duties.

Test procedure: Obtain existing security and control procedures, if any. Ensure that the procedures are updated and relevant to the administration and security of the UNIX systems.
Risk implication: Lack of security and control procedures for the system administration function could lead to non-uniformity and non-standardization of processes or abuse, which could compromise system security.

Test procedure: Obtain an inventory of all UNIX/LINUX systems running in the environment, including production and test systems. Ensure that the records are accurate and match the assets on the ground.
Risk implication: Lack of a system inventory could lead to theft or abuse of information assets.

Test procedure: Verify that the System Administration team maintains a Business Asset Master (BAM) file that captures the owners and custodians of the UNIX servers, the versions of AIX or Solaris OS running on the servers, maintenance and servicing records, support vendors, policies, etc. Also, the access control matrix and change control matrix for the servers should be obtained and reviewed.
Note: The access control matrix shows the list of users that have access to the UNIX environment, the level of access/privilege they have and the level of authorization required to elevate, downgrade, revoke or grant access to users. The change control matrix shows the level of authorization required for certain changes to be effected in the system. This documentation is required to effectively and securely administer the UNIX environment.
Risk implication: Poor record keeping, which could impact on system administration activities, performance and system security.

Obtain a description of the network Lack of restrictions on the
configuration as it relates to UNIX UNIX environment at the
systems/servers. Obtain the network network level could lead
layout diagram and identify the V- to major compromise
LANs that UNIX systems/servers were that could impact on
installed. Ensure that adequate confidentiality, integrity
restrictions were place on the V-LAN and availability of the
in line with business rules. Where the UNIX servers.
UNIX servers are hosting core business
operations such as core banking
application, enterprise resource
planning application, core treasury or
trading application, the server V-LANs
should be restricted to only
authorized users (such as the support
and admin team). IP restriction can
be used to restricted access to the V-
LANs.
Ensure that users that remotely Risk of data
access the UNIX servers do so using exchange/communicati
RSH tool to ensure secure and on via unsecured remote
encrypted communication between connection.
terminal and host system.
Obtain a listing of the various Inability to give the
applications hosted/supported by the required protection to
UNIX operating system. Obtain risk the servers based on
assessment results and business informed risk assessment
impact analysis for the applications results and business
hosted by the UNIX OS. This is to have impact analysis.
adequate knowledge/information on
the level of security and availability
requirement applicable for UNIX
servers.
Obtain approved job descriptions for Lack of communication
all the UNIX System Administrators and and sensitization of
ensure that they fully understand their users/system
roles and responsibilities. Confirm that administrators on their
each staff signed their job roles and responsibilities
descriptions as evidence of could lead to poor
Page 165 of 296
S/N Audit area Test Procedure Risk Implications
communication. service delivery and
abuse of system privilege.

Obtain the system administrators’ key Inability to effectively


performance indicators (KPIs) as measure the
defined in the staff appraisal performance of the
system/portal (if applicable) and system administration
ensure that they are in line with the team against set criteria
documented job descriptions. and job functions.
2. Installation Audit.
Test procedure: Review any design criteria for system security. Ensure that the relevant stakeholders reviewed and adopted the criteria.
Risk implication: Lack of criteria for designing system security could leave weaknesses or vulnerabilities in the system that could be exploited if not checked.

Test procedure: Determine the standards for password management and construction. Ensure that a password policy has been documented, approved and implemented for password quality across the whole UNIX environment.
Risk implication: Risk of weak passwords in the system that are vulnerable to brute force attacks.

Test procedure: Review any existing security guidelines for users, groups and functions and ensure that they are adequate for effective system and security administration.
Risk implication: Risk of unauthorized access and system compromise.

3. Operating Policies and Procedures.
Test procedure: Obtain the UNIX Systems Administration manual. Review it to ensure that it addresses all administrative and support issues such as user access management, access control, authentication, backup, patch management, monitoring, log management, change management, cron job management and housekeeping, performance tuning, etc.
Risk implication: Lack of policy and procedure manuals for the system administration function could lead to non-uniform, non-standardized processes or abuse, which could compromise system security.

Test procedure: Confirm the existence of the following policies in the organization: system administration policy, acceptable use of information assets policy, network access and security policy, password policy, etc.
Risk implication: Lack of stated policies for the system/security administration function could lead to non-uniform, non-standardized processes or abuse, which could compromise system security.

4. Systems Administration.
Test procedure: Identify all the system administrators, i.e. every account whose user ID (the third field of /etc/passwd) is 0, by running the following command on the affected UNIX (AIX/Solaris) servers:

awk -F: '$3 == 0' /etc/passwd

The commonly quoted grep :0: /etc/passwd also matches a 0 in the group ID field (and any other field), so it over-reports. Determine that each account found genuinely requires root authority (UID 0 is the root profile).
Risk implication: Risk of unauthorized access.

Test procedure: Identify all the users granted access to the system by listing the account file on the affected UNIX (AIX/Solaris) servers:

cat /etc/passwd

Ensure that each user has only the level of access required to carry out his or her function. Also confirm that membership of user groups such as the application group, the DBA group and others (listed in /etc/group) is appropriate and authorized.
Risk implication: Risk of unauthorized access that could lead to abuse.

Test procedure: Determine the change control procedures over changes to users, programs, menus, scripts, hardware and system software. Ensure that the change procedure is adequate and in line with the organization's change management policy.
Risk implication: Risk of unauthorized changes not being detected.

Test procedure: Determine that groups were created in line with functions/privileges and ensure that users are assigned to groups based on their functions, e.g. DBA, APP, Developer, system/service shutdown and restart, backup, and end-of-day processing.
Risk implication: Risk of unauthorized access and privilege creep.

Test procedure: Determine whether the System Administrator is supported by a backup staff member or, at a minimum, whether the root credentials are kept in a secured location (e.g. a sealed envelope or a password vault) for use in an emergency. Note: the UNIX System Administrator is the custodian of the root account, which is the highest-privileged account on UNIX (AIX/Solaris).
Risk implication: Lack of succession planning.

Test procedure: Determine who is responsible for maintaining license and support agreements (such as the IBM or SUN server licenses as well as those of the local vendors/partners). Confirm that all agreements are being met.
Risk implication: Lack of responsibility for the management of license and support service agreements, with its attendant impact on service delivery and system availability.

Test procedure: Ensure that there is a change control procedure and that it is being followed. For code/scripts written by a developer for implementation on the production system, ensure that the upload/application of the modified scripts is done by the UNIX administrator, independent of the operators, process owners and change requestor.
Risk implication: Risk of unauthorized changes not being detected.

Test procedure: Ensure that critical UNIX servers are enrolled on a file integrity monitoring solution (e.g. Tripwire) so that all changes to relevant UNIX files are captured for the audit trail, and that the servers forward their logs to the log management solution (e.g. ArcSight).
Risk implication: Lack of monitoring of changes to detect unauthorized changes to the system.

5. System Security.
Test procedure: Ensure that during the initial installation the System Administrator created the file integrity (checksum) database. On AIX this is the Trusted Computing Base database, which the tcbck command uses to verify that installed files have not changed since installation. For each file the database records fields such as:
acl: the base and extended access control list data for the file.
class: a logical group to which the file belongs.
pathname: the absolute pathname.
owner: either the symbolic or the numeric ID.
group: either the symbolic or the numeric ID.
mode: the symbolic representation as displayed by the ls -l command.
size: the size of the file in bytes (major and minor numbers are listed for devices).
checksum: a checksum computed over the file contents. This field reflects the slightest change to a file, even a single character.
Risk implication: Lack of integrity and reliability of the UNIX environment because no checksum database was configured, so unauthorized changes to system files cannot be detected.

Test procedure: Determine whether password hashes are shadowed, i.e. whether the system is running in secured (trusted) mode. In a trusted configuration the hashes are moved out of the world-readable /etc/passwd: on AIX they are kept in /etc/security/passwd and the password field of each /etc/passwd entry is replaced with '!'; on Solaris they are kept in /etc/shadow and the field contains 'x'. Inspect the second field of /etc/passwd for any entry that still holds a hash or is empty, and confirm that /etc/security/passwd (or /etc/shadow) is readable only by root.
Risk implication: Risk of unauthorized access and compromise of the UNIX environment as a result of the system running in unsecured mode: password hashes exposed in /etc/passwd can be cracked offline.

Test procedure: Ensure that only authorized entries are present in /etc/inittab (the processes started by init at each run level) and that write access to the file is restricted to root. List it with:

cat /etc/inittab

Risk implication: Risk of unauthorized access (anyone who can add an inittab entry gets a process started as root at boot).

Test procedure: Ensure that the system backup (mksysb on AIX, or the equivalent full operating-system backup on Solaris) is taken regularly and that the backup images are properly stored. Note: mksysb backs up the entire root volume group of an AIX server; it is a complete OS backup that can be used to restore the system to its state at the last backup in the event of a server crash.
Risk implication: Without a current mksysb (or equivalent) image the administrator cannot restore the system to its last known configuration, which could lead to prolonged downtime.

Test procedure: Ensure that there is separation of duties between the UNIX system administrators, the application administrator and the database administrator. The UNIX administrator should not have access to the application service account used on UNIX to manage the application, nor to the database service account on UNIX. Any attempt by the UNIX system administrator to switch to the application or database service account without authorization is a security breach.
Risk implication: Lack of the separation of duties needed to ensure system security.

Test procedure: Review the rc scripts (the /etc/rc* files and /etc/rc*.d directories) to ensure that only valid programs are executed from them.
Risk implication: Poorly controlled start-up scripts could undermine system security.

Test procedure: Determine whether auditing has been enabled and whether at least a minimal set of auditable events is being recorded. The defined audit events are listed in /etc/security/audit/events. On AIX, auditing is started with:

audit start

Files used by the audit subsystem:
/etc/security/audit/config: configuration information
/etc/security/audit/events: audit events of the system
/etc/security/audit/bincmds: backend commands
/etc/security/audit/streamcmds: commands that process stream data
/etc/security/audit/objects: information about audited objects
Risk implication: Lack of accountability, responsibility and non-repudiation of users' and administrators' actions on the system because no audit trail is available.

Test procedure: Review the sulog (/var/adm/sulog) for suspicious activity, including but not limited to: users who are not system administrators switching to the root account, the root user switching to other users, and users switching to privileged group or service accounts such as the DBA group account or an application service account (e.g. the Oracle service account or the core application service account). Repeated failed attempts ('-' entries) against root or service accounts also warrant follow-up.
Risk implication: Breach of the separation of duties principle required to ensure system and account security.

Test procedure: Review the login records (e.g. the output of last root, or who /var/adm/wtmp) together with the sulog and highlight instances where a UNIX system administrator logged on directly with the root account instead of logging in with his/her own individual account first. Best practice requires the administrator to log in with an individual account and then elevate privilege by switching to root with "su" or running the privileged command with "sudo", so that every action is attributable to a named person.
Risk implication: Breach of the policy on good security practice (acceptable use policy) and of the best practice required to ensure system and account security.

Test procedure: Ensure that the system administrators do not log in directly with the root account, except for console login (using the pconsole account where applicable). To elevate a user to root privileges the "sudo" command should be used, as required by best practice.
Risk implication: Breach of the policy on good security practice (acceptable use policy) and of the best practice required to ensure system and account security.
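Added example (not from the book): a POSIX shell script that runs the sulog checks of the three preceding rows against constructed sulog lines in the AIX/Solaris format ("SU date time +|- tty from-to"). The administrator and service account lists are assumptions about the audited environment; replace them with the names from the access control matrix and point SULOG at a copy of /var/adm/sulog to run it on a real server.

```shell
#!/bin/sh
# Added example: review a copy of /var/adm/sulog (AIX/Solaris format:
# "SU date time +|- tty from-to") for the conditions in the checklist.
# The log lines below are constructed; the admin and service account lists
# are assumptions about the environment being audited.
LC_ALL=C; export LC_ALL
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SULOG="$WORK/sulog"
cat > "$SULOG" <<'EOF'
SU 03/14 09:12 + pts/1 jdoe-root
SU 03/14 09:15 - pts/2 tmp01-root
SU 03/14 09:16 - pts/2 tmp01-root
SU 03/14 09:17 + pts/2 tmp01-root
SU 03/14 10:02 + pts/3 root-oracle
SU 03/14 11:40 + pts/4 kjames-finadm
SU 03/14 12:05 + pts/1 jdoe-oracle
SU 03/15 08:30 + pts/5 jdoe-root
EOF
ADMINS="jdoe kjames"              # assumption: the authorised UNIX administrators
SERVICE_ACCOUNTS="oracle finadm"  # assumption: application/database service accounts

in_list() { for w in $2; do [ "$w" = "$1" ] && return 0; done; return 1; }

# Normalise each record to "status from to"; the source user is everything
# before the last '-' of the from-to field, so user names may contain '-'.
su_records() {
  awk '$1 == "SU" { f = $6; sub(/-[^-]*$/, "", f); t = $6; sub(/.*-/, "", t); print $4, f, t }' "$SULOG"
}

# Successful switches to root by users who are not on the administrator list.
root_su_by_nonadmin() {
  su_records | awk '$1 == "+" && $3 == "root" { print $2 }' | sort -u |
  while read -r u; do in_list "$u" "$ADMINS" || echo "$u"; done
  return 0
}

# Root switching to other accounts (breaks the link to a named administrator).
root_switching_to_others() { su_records | awk '$1 == "+" && $2 == "root" { print $2 "-" $3 }'; }

# Anyone switching to a privileged service account, for review against the
# access control matrix.
su_to_service_accounts() {
  su_records | while read -r status from to; do
    [ "$status" = "+" ] && in_list "$to" "$SERVICE_ACCOUNTS" && echo "$from-$to"
  done
  return 0
}

# Failed switch attempts, counted per from-to pair.
failed_su_attempts() {
  su_records | awk '$1 == "-" { c[$2 "-" $3]++ } END { for (k in c) print k, c[k] }' | sort
}

echo "su to root by non-administrators: $(root_su_by_nonadmin | tr '\n' ' ')"
echo "root switching to other users:    $(root_switching_to_others | tr '\n' ' ')"
echo "switches to service accounts:     $(su_to_service_accounts | tr '\n' ' ')"
echo "failed attempts:                  $(failed_su_attempts | tr '\n' ';')"
```

Each finding still needs to be read against the access control matrix: a switch to the Oracle account by the authorized DBA is expected, the same switch by a UNIX administrator or by root is the separation-of-duties breach the row describes.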

6. Account Security (Logical Access Control).
Test procedure: Obtain a listing of all user accounts and verify that each user is still an active member of staff. List the accounts with:

cat /etc/passwd

Files associated with user accounts on AIX:
/etc/passwd: user account file
/etc/security/passwd: hashed passwords
/etc/security/.ids: next available user and group ID numbers
/etc/security/login.cfg: login controls (port and system-wide login settings)
/etc/security/user: per-user attributes and default password rules (minlen, maxage, histsize, etc.)
/etc/security/failedlogin: one entry for every failed login (read with who /etc/security/failedlogin)
Risk implication: Risk of unauthorized access.

Test procedure: Obtain a listing of group accounts and verify that each user in each group still needs to retain that access. Look at the predefined groups: system, staff, bin, adm, uucp, mail, security, cron, printq, audit, ecs, nobody, usr.
Risk implication: Risk of unauthorized access.

Test procedure: Review the access control permissions on the critical system directories and files. In addition, review the access control permissions on the application's directories and files.
Risk implication: Risk of unauthorized access to critical directories and files.

Test procedure: Ensure that users' home directories and files are writable only by the owner (or root) and no one else.
Risk implication: Risk of unauthorized access to, or modification of, the users' home directory files.

Test procedure: Ensure that the .profile, .cshrc and .login files are writable only by the owner and no one else.
Risk implication: Risk of unauthorized access to, or modification of, the users' home directory files.

Test procedure: Investigate, and remove if possible, any .rhosts files in users' home directories.
Risk implication: Risk of unauthorized access to, or modification of, the users' home directory files.

Test procedure: Ensure that .netrc files are not used: a .netrc file allows the user to bypass the login authentication used for remote (ftp/rlogin) access and contains the individual's password unencrypted. If one is used and required, it must not be readable or writable by anyone other than its owner.
Risk implication: Risk of unauthorized access.

Test procedure: Ensure that root's .profile sets a proper PATH with no "." (current directory) entry, and in particular not as the first entry.
A good PATH shows
PATH=/bin:/usr/bin:/etc
A bad PATH shows
PATH=.:/bin:/usr/bin:/etc
Risk implication: Risk of unauthorized access (a trojan program placed in the current directory would be run as root).
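Added example (not from the book): a POSIX shell script covering the home directory, start-up file, .rhosts, .netrc and PATH rows above. It builds a constructed home tree under a temporary directory; to run it on a real server set HOMES to /home and drop the set-up lines. Permissions are read from the ls -l string, which has the same layout on AIX, Solaris and Linux.

```shell
#!/bin/sh
# Added example: check home directories, shell start-up files, .rhosts/.netrc
# and the PATH setting in a profile, as the checklist requires. The home tree
# built below is a constructed sample under a temporary directory.
LC_ALL=C; export LC_ALL
HOMES=$(mktemp -d); trap 'rm -rf "$HOMES"' EXIT
mkdir -p "$HOMES/jdoe" "$HOMES/ops2"
printf 'PATH=/usr/bin:/bin:/usr/sbin\n' > "$HOMES/jdoe/.profile"
printf 'dbhost jdoe\n' > "$HOMES/jdoe/.rhosts"
printf 'PATH=.:/usr/bin:/bin\n' > "$HOMES/ops2/.profile"
printf 'machine ftp.example.test login ops2 password Winter2017\n' > "$HOMES/ops2/.netrc"
printf '# csh start-up\n' > "$HOMES/ops2/.cshrc"
chmod 750 "$HOMES/jdoe"; chmod 644 "$HOMES/jdoe/.profile" "$HOMES/jdoe/.rhosts"
chmod 777 "$HOMES/ops2"; chmod 644 "$HOMES/ops2/.profile" "$HOMES/ops2/.netrc"
chmod 664 "$HOMES/ops2/.cshrc"

# Permission string of a file as shown by ls -l (portable: AIX, Solaris, Linux).
perm_of() { ls -ld "$1" | awk '{ print $1 }'; }

# Succeeds if group or others have write permission (positions 6 and 9 of the string).
writable_by_others() {
  case "$(perm_of "$1")" in
    ?????w*|????????w*) return 0 ;;
    *) return 1 ;;
  esac
}

# Home directories writable by someone other than the owner.
insecure_homes() {
  for d in "$HOMES"/*/; do
    d=${d%/}
    writable_by_others "$d" && echo "${d#$HOMES/}"
  done
  return 0
}

# Start-up files writable by someone other than the owner.
insecure_dotfiles() {
  for f in "$HOMES"/*/.profile "$HOMES"/*/.cshrc "$HOMES"/*/.login; do
    [ -f "$f" ] || continue
    writable_by_others "$f" && echo "${f#$HOMES/}"
  done
  return 0
}

# Any .rhosts file: trusted-host access without a password; remove if possible.
rhosts_files() {
  for f in "$HOMES"/*/.rhosts; do [ -f "$f" ] && echo "${f#$HOMES/}"; done
  return 0
}

# .netrc files (clear-text passwords) that are readable or writable by others.
exposed_netrc_files() {
  for f in "$HOMES"/*/.netrc; do
    [ -f "$f" ] || continue
    case "$(perm_of "$f")" in
      ????------*) ;;                 # owner-only (600): tolerable if it must exist
      *) echo "${f#$HOMES/}" ;;
    esac
  done
  return 0
}

# Succeeds if the PATH assigned in a profile contains "." or an empty component
# (both make the current directory searchable; a bad sign in root's .profile).
path_has_dot() {
  awk -F= '/^PATH=/ { gsub(/"/, "", $2); n = split($2, c, ":")
                      for (i = 1; i <= n; i++) if (c[i] == "." || c[i] == "") found = 1 }
           END { exit !found }' "$1"
}

echo "Writable homes:    $(insecure_homes | tr '\n' ' ')"
echo "Writable dotfiles: $(insecure_dotfiles | tr '\n' ' ')"
echo ".rhosts present:   $(rhosts_files | tr '\n' ' ')"
echo ".netrc exposed:    $(exposed_netrc_files | tr '\n' ' ')"
for p in "$HOMES"/*/.profile; do
  path_has_dot "$p" && echo "PATH includes '.' in ${p#$HOMES/}"
done
```

An empty PATH component (a leading or trailing colon, or "::") is treated like "." because the shell searches the current directory for it, which is why the check looks for both.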

7. Password Security.
Test procedure: Check that all user accounts have a password (no empty password field in /etc/passwd, /etc/security/passwd or /etc/shadow).
Risk implication: Risk of unauthorized access.

Test procedure: Check that no user IDs are duplicated and that no individual has been assigned multiple user IDs. Take stock of the staff list and compare it with the system's user list.
Risk implication: Lack of accountability, responsibility and non-repudiation of users' actions on the system due to duplicated user IDs and multiple accounts per person.

Test procedure: Review all accounts with a UID of 0. Accounts with this privilege are effectively UNIX system administrators (root equivalents).
Risk implication: User access assurance.

Test procedure: Ensure that all users listed in /etc/passwd are valid users and that exited staff members have been disabled/deleted from the system.
Risk implication: Risk of unauthorized access.

Test procedure: Ensure that no major cron job required by the system or by applications running in the UNIX environment is owned by an individual's sign-on: the job stops running the moment that individual's account is disabled or deleted. Where an individual has to create such a job, it should be granted group-level or public privilege so that other members of the group can still access/run it.
Risk implication: Risk of system or service unavailability due to inability to execute cron jobs required for system performance.

Test procedure: Determine whether the password aging criteria are adequate. On AIX password aging is set with the maxage and minage attributes in /etc/security/user; on Solaris it is set per account in /etc/shadow (with passwd -x and passwd -n).
Risk implication: Risk of weak (never-changing) passwords.

Test procedure: Determine whether the password length and complexity requirements (alphanumeric and special characters) are adequate and in line with the enterprise password policy.
Risk implication: Risk of weak passwords that are vulnerable to brute force attacks.

Test procedure: Determine whether all passwords are checked against a "hacker dictionary" before being accepted initially or when changed (on AIX, the dictionlist attribute in /etc/security/user). This prevents dictionary attacks.
Risk implication: Risk of weak passwords that are vulnerable to dictionary attacks.

Test procedure: Ensure that accounts such as date, who, sync and tty have been removed from /etc/passwd. Other entries remain as pseudo-users, e.g. bin, daemon, adm, uucp, lp, hpdb, guest, nobody and lpd; confirm that these cannot be used for interactive login.
Risk implication: Risk of unauthorized access.

8. Network Security.
Test procedure: Review the /etc/exports file (on Solaris, the share commands in /etc/dfs/dfstab) to see which file systems can be mounted by another machine. Each /etc/exports entry consists of the path name of a file system followed by the names of the hosts and netgroups allowed to mount it; an entry with no host list is exported to every host, and export options that grant root access to remote hosts deserve particular attention. To identify the members of a netgroup, list the contents of /etc/netgroup.
Risk implication: Risk of unauthorized access.

Test procedure: List the /etc/hosts.equiv file to verify the names of other hosts whose users can sign on to this host without providing a password. Verify that none of these hosts extends unauthorized privileges to another user or node; a "+" entry trusts every host (or every user of the named host). Another file associated with this trusted-host mechanism is the .rhosts file in a user's home directory, which can grant another user access without a password.
Risk implication: Risk of unauthorized access.

Test procedure: Verify whether anonymous ftp and tftp are enabled (review the inetd configuration) and ensure that they are disabled unless there is a documented business need.
Risk implication: Risk of unauthorized and vulnerable access.
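Added example (not from the book): a POSIX shell script that applies the exports, netgroup and hosts.equiv checks above to constructed sample files. The /etc/exports entries follow the "path followed by hosts and @netgroups" form described in the row, with one AIX-style "-access=...,root=..." option entry; the file names and contents are assumptions for the example.

```shell
#!/bin/sh
# Added example: review NFS exports, netgroups and hosts.equiv as the checklist
# asks. The three files below are constructed samples in the formats the
# checklist describes (/etc/exports entries are "path host host ..."; the last
# entry also uses AIX-style "-option=value" tokens).
LC_ALL=C; export LC_ALL
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
EXPORTS="$WORK/exports"; NETGROUP="$WORK/netgroup"; HOSTS_EQUIV="$WORK/hosts.equiv"
cat > "$EXPORTS" <<'EOF'
# path                hosts / netgroups / options
/export/apps          appsrv1 appsrv2
/export/home
/export/reports       @finance_hosts
/export/backup        -access=bkp1:bkp2,root=bkp1
EOF
cat > "$NETGROUP" <<'EOF'
finance_hosts (finsrv1,,) (finsrv2,,)
EOF
cat > "$HOSTS_EQUIV" <<'EOF'
appsrv1
+
devbox +
-badhost
EOF

# Exports with no host restriction: mountable by every host that can reach the server.
unrestricted_exports() { awk '/^#/ || NF == 0 { next } NF == 1 { print $1 }' "$EXPORTS"; }

# Exports that grant remote root access (root= option): the remote root user
# can then read and write every file in the exported tree as root.
root_exports() {
  awk '/^#/ || NF == 0 { next }
       { for (i = 2; i <= NF; i++) { n = split($i, o, ","); for (j = 1; j <= n; j++) if (o[j] ~ /^root=/) print $1, o[j] } }' "$EXPORTS"
}

# Netgroups referenced by exports (tokens starting with "@").
export_netgroups() {
  awk '/^#/ || NF == 0 { next } { for (i = 2; i <= NF; i++) if ($i ~ /^@/) print $1, substr($i, 2) }' "$EXPORTS"
}

# Host members of a netgroup: each triple is (host,user,domain).
expand_netgroup() {
  awk -v g="$1" '$1 == g { for (i = 2; i <= NF; i++) { h = $i; gsub(/[()]/, "", h); split(h, t, ",")
                                                       if (t[1] != "") printf "%s%s", (n++ ? " " : ""), t[1] }
                           print "" }' "$NETGROUP"
}

# hosts.equiv wildcards: a lone "+" trusts every host; "host +" trusts every user from that host.
hostsequiv_findings() {
  awk '/^#/ || NF == 0 { next }
       $1 == "+" { print "trusts every host: +"; next }
       NF >= 2 && $2 == "+" { print "trusts every user from host: " $1 }' "$HOSTS_EQUIV"
}

echo "Unrestricted exports: $(unrestricted_exports | tr '\n' ' ')"
echo "Root exports:         $(root_exports | tr '\n' ';')"
export_netgroups | while read -r path group; do
  echo "Export $path via netgroup $group = $(expand_netgroup "$group")"
done
hostsequiv_findings
```

A netgroup is only as restrictive as its membership file, so each group named in an export is expanded and the resulting host list compared with the servers that legitimately need the mount.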

9. Batch Jobs and Log File Security.
Test procedure: Review the crontab files (on AIX and Solaris, /var/spool/cron/crontabs/<user>) and ensure that the entries, especially those owned by root, are valid and correspond to jobs that should be running. Confirm that the scripts they invoke are not writable by anyone other than their owner and do not live in world-writable directories such as /tmp.
Note: Scheduled jobs in the UNIX environment are set up in a per-user crontab file with a one-line entry for each job and the time at which it is to be executed.
Risk implication: Poor system configuration leading to the implementation of a vulnerable system.

Test procedure: Determine whether the at command is restricted by reviewing the at.allow and at.deny files (in /var/adm/cron on AIX and /etc/cron.d on Solaris). If at.allow exists, only the users listed in it may use at; otherwise any user not listed in at.deny may. Jobs scheduled with at run outside the crontab and must be reviewed as well.
Risk implication: Risk of unauthorized access.

Test procedure: Check whether process accounting is turned on (the accton command turns it on).
Risk implication: Lack of accountability, responsibility and non-repudiation of users' actions due to unavailability of an audit trail.

Test procedure: Review the system log for failed ("BAD") login attempts: /var/adm/messages (formerly /usr/adm/messages) on Solaris, and the failed-login record on AIX with who /etc/security/failedlogin.
Risk implication: Risk of unauthorized access attempts not being detected.
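Added example (not from the book): a POSIX shell script for the crontab and at.allow/at.deny rows above. It builds a constructed root crontab, the scripts it references and allow/deny files under a temporary directory that stands in for the server's file system (an assumption of the example, so that it runs offline); the at access rule follows the allow-takes-precedence logic described in the row, and the behaviour when neither file exists is platform-specific.

```shell
#!/bin/sh
# Added example: review root's crontab and the at.allow/at.deny controls as
# the checklist asks. The crontab, scripts and allow/deny files are
# constructed under a temporary directory that stands in for the server's
# root file system (assumption: paths in the crontab are resolved under $ROOT).
LC_ALL=C; export LC_ALL
ROOT=$(mktemp -d); trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/usr/local/sbin" "$ROOT/opt/app/bin" "$ROOT/tmp" "$ROOT/var/adm/cron"
printf '#!/bin/sh\nexit 0\n' > "$ROOT/usr/local/sbin/backup.sh"; chmod 755 "$ROOT/usr/local/sbin/backup.sh"
printf '#!/bin/sh\nexit 0\n' > "$ROOT/opt/app/bin/eod.sh";       chmod 775 "$ROOT/opt/app/bin/eod.sh"
printf '#!/bin/sh\nexit 0\n' > "$ROOT/tmp/cleanup.sh";           chmod 755 "$ROOT/tmp/cleanup.sh"
CRONTAB="$ROOT/var/spool/cron/crontabs/root"; mkdir -p "$(dirname "$CRONTAB")"
cat > "$CRONTAB" <<'EOF'
# min hour dom mon dow command
0 2 * * * /usr/local/sbin/backup.sh >/dev/null 2>&1
30 3 * * 0 /tmp/cleanup.sh
15 * * * * /opt/app/bin/eod.sh
45 23 * * * /usr/local/sbin/missing.sh
EOF
printf 'root\njdoe\n' > "$ROOT/var/adm/cron/at.allow"
printf 'tmp01\n'      > "$ROOT/var/adm/cron/at.deny"

# Command paths (first word after the five time fields) from a crontab file.
cron_commands() { awk '/^#/ || NF < 6 { next } { print $6 }' "$1"; }

# One finding per problem job: runs from a temp directory, script missing,
# or script writable by group/others (anyone who can edit it runs code as root).
crontab_findings() {
  cron_commands "$1" | while read -r cmd; do
    case "$cmd" in
      /tmp/*|/var/tmp/*) echo "$cmd: runs from a world-writable temp directory" ;;
    esac
    f="$ROOT$cmd"
    if [ ! -f "$f" ]; then echo "$cmd: script not found"; continue; fi
    case "$(ls -l "$f" | awk '{ print $1 }')" in
      ?????w*|????????w*) echo "$cmd: script writable by group or others" ;;
    esac
  done
  return 0
}

# at(1) access decision: at.allow, if present, is the only list consulted;
# otherwise users not in at.deny may use at. With neither file present the
# common default is that only root may (assumption: confirm in the platform's man page).
at_allowed() {
  user=$1; allow=$2; deny=$3
  if [ -f "$allow" ]; then grep -qx "$user" "$allow" && echo yes || echo no
  elif [ -f "$deny" ]; then grep -qx "$user" "$deny" && echo no || echo yes
  else [ "$user" = root ] && echo yes || echo no
  fi
}

crontab_findings "$CRONTAB"
for u in root jdoe ops2; do
  echo "at allowed for $u: $(at_allowed "$u" "$ROOT/var/adm/cron/at.allow" "$ROOT/var/adm/cron/at.deny")"
done
```

The same crontab_findings function can be run over every file in /var/spool/cron/crontabs, not only root's: a job owned by a service account that executes a group-writable script is the privilege-creep path the checklist's separation-of-duties rows warn about.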
CHAPTER – 11 Audit of Core Banking Applications (Finacle, Flexcube and Phoenix)

SECTION 9.0

Audit Program for Core Banking Applications (Finacle, Flexcube, Globus, Banks, Equinox, Phoenix)

Audit Objective
The objective of the exercise is to evaluate the adequacy and effectiveness of
controls in place to minimize the risk of unauthorized access, disclosure of classified
information and system downtime in the core banking application.


Audit Scope
The audit program covers security and operational controls for core banking
application, parameter set up, transaction security, business rules set up, business
continuity management, change management among others. Specific attention
will be paid to the following areas:

· User access management and authentication.


· Separation of duties.
· Security features and parameter setup.
· Data encryption.
· Application security.
· Input and output controls
· Operational procedures and controls.
· Data backup and restoration.
· Business continuity management and disaster recovery
· System support and change management.
· Log management.

Background Knowledge required before the audit.


· Previous internal and external audit reports on the subject area.
· Department organogram and job descriptions
· Policies, procedures and guidelines for administration of banking
application.
· Best practices guides.
· Risk Assessment of the core banking application.
· Business impact analysis for the banking application.

Audit Checklist for Core Banking Applications

S/N Audit area Test Procedure Risk Implications


1. Organization and Administration.
Test procedure: Confirm that the core banking application was delivered with detailed user and technical manuals. Obtain the manuals for review.

Test procedure: Confirm that the core banking application was delivered with a detailed data dictionary for effective management and administration of its database. Obtain the data dictionary for review.

Test procedure: Ensure that management has documented an operations process and procedure manual (OPPM) that covers all the business processes and procedures for its core financial services.

Test procedure: Ensure that the operational requirements and business rules have been defined and documented for all business operations and services rendered by the organization. Obtain copies of the operational requirements and business rules as defined.

2. Segregation of Duties.
Test procedure: Verify that appropriate segregation of duties exists between access requestors, access authorizers and implementers (those granting access).
Risk implication: Compromise of system security (confidentiality, integrity and availability) due to lack of separation of duties.

Test procedure: Verify that the maker/checker (initiator/authorizer) control feature has been implemented on the core banking application, so that no single user can initiate and complete a transaction without second-level authorization (supervisory control) or the involvement of another party. This should apply to all financial transactions; users may initiate and complete transactions on their own only within the limits determined by the Risk Management Group (the bank's risk appetite).
Risk implication: Risk of avoidable system compromise or fraud encouraged by lack of separation of duties.

Test procedure: Ensure that a transaction processing limit guide (based on transaction amount) is in place, determined by the Risk Management Group in line with the organization's/bank's risk appetite. Limits are set according to user function, grade level in the organization, experience and other considerations, and the limit guide should be implemented on the system accordingly.

3. Application Security and Controls.
Test procedure: Identify the operating system hosting the core banking application. It could be UNIX (IBM AIX), UNIX (SUN Solaris), LINUX (Red Hat) or Windows Server.

Test procedure: Verify that the core banking system runs a 3-tier architecture, i.e. client application (user interface), server-side application (backend processes) and database (data store). Note that most standard core banking applications such as Finacle, Flexcube, Banks, Globus (Temenos), Equinox and Phoenix run on a 3-tier architecture.

Test procedure: Ensure that the client application (either an .exe file or a web client), the server-side/backend application and the database are physically and logically separated: they should be installed on separate servers with separate IP addresses.

Test procedure: Ensure that a test environment is established for the client application, the server-side/backend application and the database, and that it is physically and logically separated from the production/live environment.

Test procedure: Identify the support teams for the core banking application and ensure that there is separation of duties between the Application Support team and the database team. The Application Support team includes the script/code developers, the technical support team and the service monitoring team. On no account should the support team or the development team perform the role of the database administration team; this is to ensure application security and prevent system abuse and compromise.

Test procedure: Identify all the users and application service accounts created on the core banking application and database server (whether Windows or UNIX) and ensure that they are authorized.

Test procedure: Identify all application service accounts created on the system and the services or operations they carry out on the server. Identify the account that owns the core banking application scripts and code; in Finacle, for instance, FINADM owns all application scripts/code in production. Verify which members of the support team hold the password to this account, given that it is the highest-privileged user in the application.

Test procedure: Ensure that accounts such as FINADM, or their equivalent on other core banking applications, are not used to log on to the system. A separate service account should be created and assigned only the privileges needed to start or stop application services or processes when required, so that the main application owner account is not used routinely for support activities.

Test procedure: Identify the financial modules implemented on the core banking application and used by the Operations and Business teams. These include, but are not limited to: cash transactions (normal payment and normal receipt); cheque/check transactions (inward and outward clearing); funds transfers; foreign currency exchange transactions (FX deals, spot deals, overnight placements, open buy-back, etc.); international operations (trade services, invisible trade and domiciliary account transfers); treasury transactions (money market: bonds, treasury bills, OMO); securities (commercial loans, derivatives, etc.); electronic banking and payment transactions (ATM, POS, web payment, bills payment, collections, payroll, corporate payments and solutions, etc.); treasury operations and interbank activities; transaction settlement; loan/credit administration and disbursement; asset and liability management (ALM); market risk management; account maintenance; MICR/cheque printing, issuing and processing; customer relationship management (CRM); and interest rates, commissions, fees and charges.

Test procedure: Ensure that the business and transaction rules agreed by stakeholders/management have been implemented. Obtain the operations manual, interface with each operations team identified in the functional areas above, and ensure that the system configurations are in line with business rules, operational dynamics, the financial institution's policies and regulatory requirements (AML, Basel, IFRS, etc.).

Test procedure: Review the access control matrix of the core banking application.

Test procedure: Download/obtain the user access list from the core banking application (frontend access) and its database (backend access) and ensure that roles have been defined in the application for the various functions, for example: Teller, Funds Transfer Officer, Relationship Manager, Customer Service Officer, Head of Operations and Processing, Accountant, Financial Control, Cash Officer, Loan Administration/Disbursement, Loan Processor, Internal Auditor, Internal Control Officer, Foreign Currency Dealer, Treasury FX Dealer, Money Market Dealer, Chief Dealer, Market Risk Manager, Regulatory Compliance and AML, Inquiry, etc. Ensure that the Role IDs, Workclass groups and application menus have been defined and set up in a manner that ensures transaction security.

Test procedure: Ensure that transaction processing limits/thresholds (by amount) have been set up for the various functions and users based on criteria such as grade level, responsibilities and position. Transaction limits are a product of risk management/assessment and of the institution's risk appetite.

Test procedure: Ensure that interest rates, fees, commissions and charges are set up in line with business rules and regulatory requirements; this also applies to risk asset/loan/lending interest rates. Obtain the list of interest rates, fees and charges applicable to all business services and transactions and compare it with the parameters set up in the system.

Test procedure: Ensure that exited staff members' access to the core banking application is disabled, and that the access rights of staff on vacation or redeployed to other functions are suspended or changed as required.

Test procedure: Review the application programming interface (API) of the core banking application and ensure that secure design and coding practices are followed (authenticated callers, input validation and encrypted transport), whether the interface is exposed as SOAP web services or otherwise. Ensure that all external applications integrated with the core banking application for processing transactions and retrieving data are accounted for.

Test procedure: Ensure that IP restriction has been implemented on the API interface so that only servers that have been granted access can connect to it and unauthorized applications are prevented from connecting.

Test procedure: Ensure that authentication and token-based access control are used on the core banking interface to prevent unauthorized connections and the posting of transactions. Ensure that all applications posting transactions through the interface are properly authenticated and that their tokens are validated before such transactions are processed.

Test procedure: Review the standard messaging practice/procedure used for transaction processing and information exchange (send, receive and acknowledge messaging), for example standard SWIFT messages (MT105, MT103, MT102) and ISO 8583 messages (for electronic transactions) used for information and transaction exchange with counterparties, financial institutions and regulatory agencies/institutions.

4. Change Ensure that a change control procedure


Management. have been established for the core
banking application. For example, a
change request form or portal can be
used to initiate, review and approve
changes on the core banking
application by relevant stakeholders.
Ensure that application script developers
do not have access to such accounts as
FINADM or its equivalent on other core
banking application. Developers should
not be given access to the live
environment or where necessary, a view-
only or read access should be granted.
Also, ensure that the developers do not
migrated approved and tested scripts to
the production system. This is to ensure
separation of duties and prevent abuse.
Ensure that all change requests are
approved and adequately tested by
relevant stakeholders before being
migrated to the production
environment. Robust test scripts should
be developed by the process or
application owner, which is used to carry
out the user acceptance test (UAT) to
verify functionality, business rules and
security as approved by the change
committee. All scenarios of test should
be considered and satisfactorily tested
before the scripts are migrated to
production.
Ensure that migration of approved scripts is carried out by persons independent of the change management process. For independence and separation of duties, the System Administration team (whether UNIX or Windows administrators) should handle the script migration/deployment to production, given that they are not part of the development, implementation or change management process.
Identify the program libraries in the core banking application that are customizable or not customizable according to the application design. In the case of the Finacle core banking application, the CORE script library is not modifiable while the infeng code library is modifiable/customizable (.src files). Ensure that the core library code is adequately protected, as tampering with it could affect the entire application library. Customization should only be based on need or business exigencies.
Test procedure: Request the organization's network diagram from the Network Administration department. Identify the location of the core banking application and database servers in the diagram and make a judgment on the security of the servers based on their physical and logical locations. The network diagram must be printed from the network surveillance software.
Risk implication: Risk of unauthorized access as well as compromise of the servers in terms of their location in the network.
Test procedure: Verify that the core banking application servers are located within a local subnet and are logically isolated from the rest of the network to ensure their security. No other server should be located within the same subnet. A dedicated VLAN should be implemented.
Risk implication: Risk of unauthorized access.
Test procedure: Ensure that production data are not used directly as test data in the test database without concealment (masking), given that security is not always emphasized in the test environment and third parties (vendors) sometimes have access to the test systems.
Risk implication: Risk of theft of customers' data.
Test procedure: Verify that developers/programmers do not have the root password or any root privileges attached to their profile.
Risk implication: Risk of unauthorized modification of production programs and deletion of logs to cover such unauthorized activity.
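One way to gather evidence for this test on a UNIX host, as an added example that is not from the book: parse the passwd, group and sudoers data and report every developer account that is uid 0, belongs to an administrative group, or holds a sudoers grant. The account names, file contents and the list of root-equivalent groups are constructed for illustration; on a live system use the host's real files and the output of `sudo -l -U <user>`.

```python
"""Evidence for the root-privilege test on a UNIX host: which developer accounts can
become root. Added example, not from the book. The passwd, group and sudoers contents
and the account names are constructed; on a real host read /etc/passwd, /etc/group and
the output of `sudo -l -U <user>` instead."""
import re

PASSWD = """root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
finadm:x:1001:1001:application owner:/home/finadm:/bin/ksh
dev_ada:x:1002:1002:developer:/home/dev_ada:/bin/bash
dev_bob:x:1003:1003:developer:/home/dev_bob:/bin/bash
sysadm1:x:1004:1004:unix administrator:/home/sysadm1:/bin/bash
"""
GROUP = """root:x:0:
wheel:x:10:sysadm1,dev_bob
developers:x:2000:dev_ada,dev_bob
"""
SUDOERS = """Defaults env_reset
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
dev_ada ALL=(root) NOPASSWD: /usr/bin/tail /var/log/app/*.log
sysadm1 ALL=(ALL) ALL
"""
DEVELOPERS = {"dev_ada", "dev_bob"}          # from the HR/IT list of developer staff (assumed)
ADMIN_GROUPS = {"root", "wheel", "sudo"}      # assumed list of root-equivalent groups


def parse_passwd(text):
    """user -> uid"""
    return {l.split(":")[0]: int(l.split(":")[2]) for l in text.splitlines() if l.strip()}


def parse_group(text):
    """user -> set of groups the user is listed in"""
    membership = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, _, members = line.split(":")
        for user in filter(None, members.split(",")):
            membership.setdefault(user, set()).add(name)
    return membership


def sudo_grants(text):
    """(principal, runas, command) for each rule line; a principal starting with % is a group."""
    rule = re.compile(r"^(%?\w+)\s+\S+=\((\S+)\)\s+(?:NOPASSWD:\s*)?(.+)$")
    return [m.groups() for m in (rule.match(l) for l in text.splitlines()) if m]


def root_findings(developers=DEVELOPERS, passwd=PASSWD, group=GROUP, sudoers=SUDOERS):
    """Return ([(user, severity, reason)], [uid-0 accounts other than root])."""
    uids, groups, rules = parse_passwd(passwd), parse_group(group), sudo_grants(sudoers)
    findings = []
    for user in sorted(developers):
        if uids.get(user) == 0:
            findings.append((user, "high", "uid 0 (root-equivalent account)"))
        for g in sorted(groups.get(user, ())):
            if g in ADMIN_GROUPS:
                findings.append((user, "high", "member of admin group " + g))
        for principal, runas, cmd in rules:
            via_group = principal.startswith("%") and principal[1:] in groups.get(user, ())
            if principal != user and not via_group:
                continue
            if cmd.strip() == "ALL":
                findings.append((user, "high", "sudoers grants ALL via " + principal))
            else:
                findings.append((user, "info", "sudoers grants %s as %s; review" % (cmd.strip(), runas)))
    other_root = sorted(u for u, uid in uids.items() if uid == 0 and u != "root")
    return findings, other_root
```

A limited sudo grant (here, reading application logs) is reported at "info" severity because the checklist allows developers read access where necessary; the reviewer still has to confirm that the permitted command cannot be used to escalate.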
5. Business Continuity Management and Disaster Recovery.
Ensure there is an effective and robust business continuity management system that covers the core functions and services within the organization. The core banking application should be in scope for this. Also, verify that the various emergency response teams have been appointed and assigned responsibilities for business continuity management and disaster recovery.
Ensure that a risk and business impact assessment has been conducted for the core banking application to determine the risk appetite of the institution and the allowable downtime period for the application, based on the impact analysis and assessment.
Ensure that a disaster recovery hot site has been established for the core banking and treasury applications. Ensure that the relevant system and network facilities/equipment have been installed to make the site ready for use in the event of disaster or disruption at the main processing site.
Ensure that real-time data mirror or data
replication has been established
between the main processing site
(production server) and the DR site (DR
production server) to ensure minimal
downtime and readily available business
data to resume operations at the DR site
in the event of downtime or
inaccessibility of the main processing
site.
Ensure that the business continuity plan is frequently tested by management to confirm its effectiveness and maturity. This provides the assurance that the business continuity plan will work as expected in the event of disaster. Note: an untested plan is not a plan that can be relied upon.
Ensure that test covers recoverability of
the core banking applications and other
critical business services within the
organization/bank. The test should be
able to simulate the expected
downtime period and when the business
is put back to operations. As such, the
bank should be able to know how long it
will take for the business to return to
normal operations after experiencing
downtime or disaster.
6. Data Backup and Redundancy.
Ensure that a recovery point objective (RPO) and recovery time objective (RTO) have been established for the core banking application. Determine the backup frequency adopted for the core banking application and ensure that it is adequate to prevent data loss.
Ensure that all business data, including those of the core banking application, are backed up to external media (tapes or drives) and stored in an offsite facility with adequate security.
Ensure that an enterprise backup
solution has been implemented in the
organization/bank, such as Symantec
Net Backup Solution. Also, ensure that an
enterprise storage system is in place,
such as NetApp storage system.
Ensure that there is a procedure for storage media (tapes and disks) movement to and from the external storage facility. Ensure that the process captures/documents the activities of the operators for audit trail. Ensure that the tapes or disk drives are properly labelled to prevent misuse.
Ensure that recoverability tests are
carried out on all tapes and disk drives
to ensure that their contents are
restorable when needed. Evidence of
recoverability test should be provided to
the Audit team as proof of test.
An mksysb backup of the AIX (UNIX) operating system files should be carried out periodically and stored accordingly for the restoration of the UNIX environment in the event of a system crash.
Ensure that end-of-day (EOD) processing is carried out and all activities are documented and escalated for management action. Ensure that all incidents experienced during the EOD are documented and escalated.
To ensure the integrity of the EOD process, the relevant output files produced in the process should be documented and stored as proof. The EOD team should ensure that all transactions that occurred within the day are processed and no pending transactions are left unprocessed before closing the books for the day and making the system available for the next day's processing.
Test procedure: Ensure that the backup tapes are encrypted to prevent unauthorized access if they are stolen or lost in transit or in safe keeping. The default vendor encryption key (as in the NetBackup solution) should not be used to encrypt the tapes, to prevent compromise. The storage administrator should always generate unique encryption keys for this process.
Risk implication: Risk of unauthorized access to the tapes and compromise due to use of weak and generic encryption keys.
7. Security Administration Process.
Test procedure: Verify that enterprise security administration processes for access management and control are defined, documented and complied with. Request the IS Control procedural manual.
Risk implication: Risk of non-uniformity and lack of standardization in the operation and administration of access control for enterprise systems and solutions.
Test procedure: Verify that a well-defined security administration procedure exists for access management, requiring authorization for all users seeking to obtain access to servers, applications (core and non-core banking applications) and/or third-party applications.
Risk implication: Risk of non-uniformity and lack of standardization in the operation and administration of access control for enterprise systems and solutions.
Test procedure: Ensure that manager/supervisor-level authorization is required for access approval, either by e-mail or hard copy.
Risk implication: Risk of unauthorized or unapproved access.
Test procedure: Verify the existence of standard forms (paper or electronic) for requesting application and database access and obtaining the necessary approval from the relevant authorities.
Risk implication: Access documentation and authorization prevent unauthorized access and privilege escalation.
Test procedure: Verify that security administration procedures are centrally managed and administered. User access management may be decentralized for specific applications; however, the local administrators and users on such platforms remain subject to enterprise policies and procedures.
Risk implication: Risk of non-uniformity and lack of standardization in the operation and administration of access control for enterprise systems/solutions as well as for specific decentralized systems.
Test procedure: Is the security built around password issuance and control adequate?
Risk implication: Risk of password compromise and creation of weak passwords.
Test procedure: Review the enterprise password policy implemented across all business systems for adequacy and password quality. Review the password parameters implemented on the core banking application and ensure that they conform to the organization/bank's password policy.
Risk implication: Risk of generation and usage of weak passwords that are vulnerable to brute-force attack.
Test procedure: Ensure that the procedures adopted for password reset on the core banking application and other business systems are adequate and protect the passwords used for system access.
Risk implication: Risk of unauthorized access due to a flawed password reset procedure.
Test procedure: Ensure that periodic reviews of user access on all critical applications (e.g. core banking, treasury, e-banking, card management system) are carried out to prevent unauthorized or unwarranted access to system resources. Also, ensure that the access of exited employees is promptly disabled/deactivated on all systems, while the access of redeployed employees is suspended or withdrawn accordingly.
Risk implication: Risk of unauthorized access or privilege escalation.
Test procedure: Verify that user activities across all applications are logged and maintained as required, and that critical application logs are promptly reviewed by the IS Control team with violations escalated for management action.
Risk implication: Risk of unauthorized users' activities not being promptly detected.
Test procedure: Verify that system violation attempts are promptly reported and investigated.
Risk implication: Incident management.
Test procedure: Are accounts routinely suspended, and inactive accounts removed from the system, after a specified period of inactivity?
Risk implication: Risk of use of such inactive accounts to commit fraud.
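The periodic access review, the leaver deactivation test and the inactive-account test above can all be evidenced by one reconciliation of the application user list against the HR leavers list and last-logon dates. The following Python is an added example, not the book's material; the user records, the leavers list, the review date and the 90-day inactivity threshold are constructed assumptions.

```python
"""Reconcile an application user list against HR leavers and last-logon dates.

Added example, not from the book. All three datasets are constructed; in practice
export the user list and last-logon report from the application and the leavers list
from HR for the review period."""
from datetime import date, timedelta

REVIEW_DATE = date(2017, 6, 30)
INACTIVITY_LIMIT = timedelta(days=90)   # assumed policy threshold

# Application users: (user id, owner staff number or None, status, last logon or None)
APP_USERS = [
    ("U1001", "S001", "ACTIVE",   date(2017, 6, 29)),
    ("U1002", "S002", "ACTIVE",   date(2017, 2, 1)),    # unused for more than 90 days
    ("U1003", "S003", "ACTIVE",   date(2017, 6, 20)),   # owner left on 2017-05-31
    ("U1004", "S004", "DISABLED", date(2016, 12, 5)),   # leaver, correctly disabled
    ("TELLER", None,  "ACTIVE",   date(2017, 6, 30)),   # shared id with no individual owner
    ("U1005", "S005", "ACTIVE",   None),                # created, never used
]
# HR leavers: staff number -> exit date
HR_LEAVERS = {"S003": date(2017, 5, 31), "S004": date(2016, 12, 31)}


def review_users(users=APP_USERS, leavers=HR_LEAVERS, as_of=REVIEW_DATE, limit=INACTIVITY_LIMIT):
    """Return audit exceptions as (user_id, exception_type, detail)."""
    exceptions = []
    for uid, owner, status, last in users:
        if owner is None:
            exceptions.append((uid, "generic_account", "no individual owner; no accountability"))
            continue
        if status != "ACTIVE":
            continue   # disabled accounts are what the control is meant to produce
        if owner in leavers:
            exceptions.append((uid, "leaver_still_active", "owner exited %s" % leavers[owner]))
            if last is not None and last > leavers[owner]:
                exceptions.append((uid, "post_exit_logon", "logon on %s after exit" % last))
        if last is None:
            exceptions.append((uid, "inactive", "never logged on"))
        elif as_of - last > limit:
            exceptions.append((uid, "inactive", "last logon %s" % last))
    return exceptions


def summary(exceptions):
    """Count of exceptions by type, for the audit working paper."""
    counts = {}
    for _, kind, _ in exceptions:
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

A logon recorded after the HR exit date is reported separately from the still-active leaver, because it is evidence that the access was actually used, not merely left open, and calls for an investigation rather than a deactivation ticket.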
Test procedure: Is an automated time-out feature implemented in critical business applications such as the core banking application? Ensure that inactive terminal sessions are deactivated.
Risk implication: Risk of hijack of unattended/inactive application sessions to commit fraud.
Test procedure: Ensure that a formal process exists for communicating employee disengagement and redeployment to the stakeholders (HR, IS Control, system administrators, DBA, business process unit) so that access can be promptly modified/revoked.
Risk implication: Risk of unauthorized access or privilege escalation.
Test procedure: Request the criteria used in determining the most suitable access control or authentication mode to be used in applications. Use control objectives/judgment where necessary.
Risk implication: Risk of implementing weak access control and authentication procedures without considering the criticality and security of the resources being protected.
Test procedure: Verify that no shared or generic system accounts are used to access any application. Ensure that unique IDs and passwords are assigned to individuals for access to applications, and that the account naming convention is consistent and can easily identify the individual owner of the access.
Risk implication: Risk to accountability, responsibility and non-repudiation.
8. User Access Management.
Test procedure: Authorized users' access privileges are defined and restricted by "group profiles", which provide a template of role-based rights for their designated job function. The group profiles are established by the business areas and used by the security administrator. Client-server access rights are defined in user groups containing rights to specific servers, applications, drives and files. Users are assigned to groups only where there is a business need.
Risk implication: Authorized users gain inappropriate or excessive privileges.
Test procedure: Is the practice of copying an existing employee's access rights to create a new user's access rights prohibited?
Risk implication: The system could allow IS Control staff, while creating a new user record on the core banking application, to modify an existing user record. This could lead to assigning excessive or inappropriate privileges to users.
Test procedure: Verify that application or database level security restricts user access to critical menus of the core banking application (CBA) and/or to specific types of transactions:
A. Defined authorities and limits built into applications and tables.
B. Regular or periodic monitoring of the appropriateness of authorities and limits.
C. Monitoring of transaction activity.
Risk implication: Transaction-level control is required to minimize the risk of excessive control or financial loss.
Test procedure: Is direct access to, or update of, data, master files or the CBA home directory from command lines or batch programs by "super" users prohibited or restricted? If access must be allowed, it is restricted to authorized personnel only, monitored and supported by an adequate audit trail:
A. Access is restricted based on business need.
B. Programming personnel do not have update access to production data.
C. Access for IT or key user personnel is monitored.
Risk implication: Deletion, update or modification of application programs/code from low-level utility programs.
9. System Monitoring and Audit Trail.
Test procedure: Verify that the activities of users and administrators on the core banking application (CBA) are adequately monitored, that logs of users' and administrators' activities on critical applications are reviewed and maintained, and that violations are promptly escalated.
Risk implication: System abuse and security breaches on applications go undetected or are not escalated for prompt action.
Test procedure: Verify that an effective monitoring tool has been implemented for monitoring the database activities of enterprise systems and applications. A database activity monitoring tool such as Imperva could be implemented to monitor users' and administrators' activities on the database as well as to consolidate database logs.
Risk implication: System abuse and security breaches in the databases of critical applications go undetected or are not escalated for prompt action.
Test procedure: Ensure that an appropriate file integrity monitoring tool (e.g. Tripwire) is implemented to monitor changes to application scripts, operating system files and other changes that could adversely impact system performance and service delivery.
Risk implication: Risk of unauthorized changes not being promptly detected.
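To show what a file integrity monitor actually checks, here is an added example (not the book's, and not any vendor's code) that records a SHA-256 baseline of a directory tree and reports the files added, removed or modified since. The directory layout built in demo() is constructed; a real deployment stores the baseline, signed, on a host the administrators cannot write to, for the same reason the checklist wants logs out of their reach.

```python
"""Minimal file integrity baseline and comparison, the check a tool such as Tripwire
automates. Added example, not the book's material."""
import hashlib
import os
import tempfile


def build_baseline(root):
    """relative path (with '/' separators) -> (sha256, size, permission bits)"""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (digest.hexdigest(), st.st_size, st.st_mode & 0o7777)
    return baseline


def compare(old, new):
    """Differences between two baselines; a mode change alone counts as modified."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a temporary tree, tamper with it, report."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "infeng"))
    with open(os.path.join(root, "infeng", "custom.src"), "w") as f:
        f.write("original customization")
    with open(os.path.join(root, "core.lib"), "w") as f:
        f.write("core library")
    baseline = build_baseline(root)
    # Three changes an auditor would expect the monitor to catch:
    with open(os.path.join(root, "infeng", "custom.src"), "w") as f:
        f.write("tampered customization")          # modified
    with open(os.path.join(root, "rogue.sh"), "w") as f:
        f.write("#!/bin/sh\n")                      # added
    os.remove(os.path.join(root, "core.lib"))       # removed
    return compare(baseline, build_baseline(root))
```

Hashing rather than comparing timestamps matters because a modification time is trivially reset by anyone with write access; the digest is not.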
Test procedure: Ensure that the core banking application and database servers are connected to the enterprise log management and correlation tool (e.g. ArcSight) to consolidate all server, application and database logs for safe keeping and audit trail. Logs held in ArcSight are out of reach of the administrators, who could otherwise delete them to cover unauthorized activities.
Risk implication: Risk to accountability, responsibility and non-repudiation of users' and administrators' activities in the system.

CHAPTER – 12 Audit of Payment Card (Debit, Credit & Prepaid) Processes, Systems and Applications – PCIDSS Compliance

Audit Program for Payment Card (Debit, Credit & Prepaid) Processes, Systems and Applications – PCIDSS Compliance

Introduction
Despite the investment in security made by businesses that process, store, transmit and access cardholder information, data breaches have continued to occur on a disturbing scale, leading to loss of funds by cardholders, financial institutions and insurance companies. Players in the payment cards ecosystem such as the card brands (American Express®, Discover®, JCB, MasterCard®, VISA®, Union Pay® and Verve®), card issuers, terminal owners/acquirers, processors and payment switches have suffered losses and reputational damage due to inadequate security controls, process flaws, and poor monitoring and oversight by those saddled with the responsibility to provide it. Where vulnerabilities are left unaddressed, chances are that fraudsters and attackers will exploit them to their advantage.



As the cyber security space evolves, fraudsters and attackers have continued to change their techniques for committing cybercrime to maintain an edge. Credit, debit and prepaid card data have been stolen from unsuspecting cardholders through various scheming and fraudulent means. Personal Identification Number (PIN) information associated with credit and debit cards, which serves as the last line of defense for chip cards, has been stolen and used to commit fraud. The businesses concerned have failed to comply with relevant information security and control standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Payment Application Data Security Standard (PADSS), ISO 27001 and ISO 22301 as best practice.

The objective of this practical guide is to offer the reader a step by step guide on
how to carry out the audit/review of the payment cards processes, systems and
applications to provide that needed assurance to stakeholders (management,
investors and regulators) on the adequacy and effectiveness of controls in the
payment cards processes and systems. Businesses that process, store, transmit and
access cardholder information as a matter of corporate governance and
regulation perform audit of the payment cards processes, systems and
applications in a defined cycle. However, the personnel (Information Systems
Auditors, Information Security Practitioners, IT Risk Managers, Card Product
Managers, CIO, CISO, CTO) carrying this audit burden have sometimes fallen short
in their responsibilities with its attendant impact on the confidentiality, integrity and
availability of cardholder information.

This section will close this gap by showing the reader how to carry out the audit
testing as well as control failures/vulnerabilities to look out for in the area of
payment card policies, processes, applications, databases, change
management, redundancy and data backup, vendor management and third
party services, encryption key management, terminal security, network security,
vulnerability management, operating systems security, credit card portfolio
management, card operations (priming, production, stocking & distribution),
instant card issuance, reissuance among others. The primary audience is
operational stakeholders (IT security managers, IT risk managers, IT managers,
business managers and IT auditors) who are responsible for developing,
implementing, operating, managing or reviewing the controls, technology and
processes that are required to secure the system and comply with relevant industry
standards (PCIDSS, PADSS, ISO 27001).


Audit Scope

1. Organization and administration
2. Application security
3. Database security
4. Redundancy and data backup
5. Change management
6. Vendor management
7. Credit card portfolio management
8. Encryption key management
9. Network security
10. Vulnerability assessment
11. Operating system security
12. Cards operations and production (debit and credit).

Audit Objective
The objective of the audit is to evaluate the adequacy and effectiveness of
controls in place to minimize the risk of unauthorized access to cardholders’ data
and compromise as well as disruption of e-channel services.

Audit Checklist for Payment Cards (Debit, Credit & Prepaid) Processes, Systems
and Applications – PCIDSS Compliance

S/N Audit Area Risk Control Test Procedures

1. Organization and Administration.
Risk: Lack of separation of duties, ambiguity in business rules and inconsistency in processes and procedures.
Control: Department organogram, job descriptions, procedure manuals and product documents.
Test procedure: Obtain the Department's organogram and job descriptions.
Confirm that each staff member has an approved, documented job description.
Interview all the staff in
the unit and ascertain
the processes and
procedures required for
the performance of their
job functions.
Ascertain the risks
associated with the
procedure and processes
and confirm the
adequacy of controls
(system and manual) to
minimize the risk
associated with the
processes.
Identify the various card
(product) types and
ascertain the features of
each type. E.g. Gold,
Platinum, Silver, etc.
Ascertain the criteria for
card issuance and
customer’s
requirements.
Review the process of
card personalization,
storage and distribution.
Confirm the adequacy of
controls or otherwise in
the process.
Observe the processes
and procedures
involved in issuing instant
debit cards and
ascertain if they
conform to the
company's
documented
procedures on instant
card issuance.
Review the PIN
generation and
distribution process.
Ascertain the transaction
dynamics and controls
(system/manual)
implemented in line with
the transaction
dynamics.
2. Application Security.
Risk: Unauthorized access to business information.
Control: Documented system access registration and de-registration procedure.
Test procedure: Obtain the list of applications used for card management, transaction processing and switching.
Ascertain the custodian
of each application and
the data owner.
Confirm that there is a user registration and de-registration procedure for granting and removing access to the applications. Obtain the application user list and confirm that access was granted and revoked in line with the registration and de-registration procedure.
Verify that user IDs are

unique and that default
user IDs/generic users are
not allowed except
where necessary.
Review the available
privileges on the
applications and
ascertain that the access
granted to each user is
line with his/her job
function.
Risk: Breach of regulatory requirements and violation of transaction rules.
Control: Implementation of the business rules via the application.
Test procedure: Confirm that the business logic (product features) and transaction dynamics are implemented in the applications.
Ascertain the adequacy
of application validation
and edit checks.
Ascertain the ease of use
of the application.
Ascertain the adequacy
of application output
report required by users
for their job functions.
Risk: Password guessing/theft.
Control: Strong password complexity and token.
Test procedure: Confirm that users' passwords are in line with the company's password policy. Confirm whether a token is required in addition to the user's password.
Risk: Inadequate audit trail of user activities on the system.
Control: Implement application audit trail.
Test procedure: Confirm that the application has audit trail capabilities to capture users' actions on the system.
Confirm that the audit
trail is enabled and the
logs of user activities are
maintained for
investigation purposes
when the need arise.
Review the audit trail
and confirm that useful
details like user-id, time
stamp, IP address and
action performed are
captured.
Confirm that the audit
trail also captures the
action of the system
administrators.
Verify that users are not
assigned multiple
accounts on applications
that could give them the
ability to perform multiple
roles on applications
concurrently.
Verify that the audit logs
are kept outside the
control of the
Administrators.
3. Database Security.
Risk: Unauthorized access to business information.
Control: Procedure for gaining access to the database.
Test procedure: Identify the database management system (DBMS) used for the card management and processing applications, that is, Oracle, Microsoft SQL Server, Sybase, MySQL, etc. Ascertain the custodian of each database.
Confirm that there is a user registration and de-registration procedure for granting and removing access to the databases. Obtain the database user list and confirm that user access was in line with the registration and de-registration procedure.
Verify that user IDs are
unique and that default
user IDs/generic users are
not allowed.
Ascertain that access
privileges granted to
users on the databases
are based on their job
function.
Risk: Password guessing/theft.
Control: Strong password complexity and token.
Test procedure: Confirm that users' passwords are in line with the company's password policy.

Control: Database audit trail.
Test procedure: Confirm that the database has audit trail capabilities to capture users' actions on the database.
Confirm that the audit
trail is enabled and the
logs of user activities are
maintained for future use.
Review the audit trail
and confirm that useful
details like user-id, time
stamp, IP address and

action performed are
captured.
Confirm that the audit
trail also captures the
action of the system
administrators.
Verify that users are
assigned unique user-ids
and default user-ids are
disabled.
Verify that the audit logs
are kept outside the
control of the
Administrators.
4. Redundancy and Data Backup.
Risk: Service disruptions.
Control: Data backups and redundancy for the processing infrastructure.
Test procedure: Verify that there is an established procedure for data backup in terms of frequency and storage.
Verify that prompt and regular data backups of all card databases and applications are taken in line with the procedure.
Ascertain that the
backups are stored
externally outside the
processing system at a
remote offsite.
Verify that adequate
redundancy for all cards
systems exist.
Confirm that for each
critical role, there is a
backup personnel.
5. Change Management.
Risk: Unauthorized change to card applications and databases which could lead to compromise and unavailability of critical systems, e.g. the FEP.
Control: Ensure that changes to card applications and databases are duly approved by the appropriate authority in line with the organization's policy.
Test procedure: Check to ascertain that the card applications and databases are monitored using file integrity and database monitoring tools like Tripwire (FIM) and Imperva (DAM).
Determine the number of
changes effected on
card applications and
databases within the
review period.
Ascertain that the
changes are duly
approved.
Check to ensure that
changes to the system
are properly tested in test
environment (UATs),
signed off by users before
migration to
production.
Check to ensure that test
and production
environment are
separated.
6. Vendor Management.
Risk: Risk to confidentiality, integrity and availability associated with services rendered by third-party service providers.
Control: Ensure that contractual and service level agreements are established between the organization and the service providers, with relevant security clauses to protect the organization.
Test procedure: Ascertain the number of vendors providing third-party support to the card team and confirm whether they are pre-qualified.
Confirm that the
company has a valid SLA
with the identified
vendors for all Cards
products and
applications acquired
from external parties
(vendors). Example, Visa
Int'l, MasterCard Int'l,
Discovery, EMP, etc.
Confirm that the SLAs are
periodically reviewed
and properly signed off
by appropriate authority
in the company.
Contract provision
including
acknowledgement by
the third party of their
responsibility for securing
cardholder data.
Contract provision
including ownership and
acceptable uses of
cardholder data.
Appropriate business
continuity provided by
the third party such that
their services will be
available in the event of
a major disruption or
failure.
Right to audit clause in
which the company or
any of its appointed
representatives will be

able to perform routine or
ad hoc audit as required.
Contract provision
requiring continued
security of cardholder
data during and after
contract terminations.
Contract provision for
liability and performance
clauses.
7. Credit Card Portfolio Management.
Risk: Loss of funds due to inability of customers/subscribers to repay their loans.
Control: Ensure that customers' credit card loans are fully liquidated upon termination of the credit card platform.
Test procedure: Obtain the customers' credit card portfolio report.
Ascertain the number of
customers who have
defaulted on their credit
card and the debit
balances involved.
Confirm the credit cards
that are performing.
Confirm that the
requirement for issuance
of credit cards to
customers is being
followed.
Collate list of customers
that were issued credit
card and amount due on
the card that are yet to
be repaid.
Risk: Loss of funds because of bad loans.
Control: Ensure that the account is funded as and when due.
Test procedure: Obtain the portfolio of credit cards. Ascertain the number of customers (staff inclusive) with PDOs (past due obligations). Collate the total amount of PDOs on credit cards and confirm the recovery effort.
8. Encryption Key Management.
Risk: Risk of compromise of the Hardware Security Module (HSM) as well as other electronic payment card devices (ATM & POS) because of poor handling of the Local Master Key (LMK) and other key components.
Control: Adequately protect the encryption keys used to cipher and decipher card data and processing systems.
Test procedure: Determine when the Local Master Key (LMK) was last changed in the HSM. Also, ascertain how regularly the LMK is changed.
Determine who the current custodians of the LMK key components are (i.e. Smartcard1, Smartcard2 and Smartcard3).
Also, determine who the authorizing officers for the LMK are and ascertain that they are in custody of their smartcards.
Verify whether any of the key component custodians or authorizing officers have at any time disengaged from the company or been redeployed to other units, and ensure that new LMK key components and authorization credentials were generated to replace the existing ones.
Ensure that no one person
ever have control of
more than one
component of a key
(LMK) or the authorizing
officers’ credentials.
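The split-knowledge rule above is what XOR key components implement: each custodian holds one component, and only the XOR of all of them yields the key that is loaded into the HSM; any subset gives no information about it. The following Python is an added example, not from the book; the 16-byte key length is an assumption, and the key check value a real ceremony records is not computed because that requires the cipher itself.

```python
"""Split a symmetric key into XOR components for a key ceremony and recombine them.

Added example, not from the book. The 16-byte key length is an assumption; the key
check value a ceremony records is not computed here because it needs the cipher itself."""
import secrets


def xor_all(parts):
    """XOR an iterable of equal-length byte strings."""
    parts = list(parts)
    acc = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(acc):
            raise ValueError("component length mismatch")
        acc = bytes(a ^ b for a, b in zip(acc, p))
    return acc


def split_key(key, n=3):
    """Return n components whose XOR equals key: n-1 drawn at random, the last derived.

    Because every component but the last is uniformly random, any n-1 of them together
    are still uniformly random and reveal nothing about the key."""
    if n < 2:
        raise ValueError("need at least two components")
    comps = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    comps.append(xor_all(comps + [key]))
    return comps


def combine_key(components):
    """Recombine the components at the HSM console; all of them are needed."""
    return xor_all(components)


def custody_ok(assignment):
    """assignment: component index -> custodian name. No custodian may hold more than one."""
    holders = list(assignment.values())
    return len(holders) == len(set(holders))
```

The same arithmetic is why the checklist insists on separate couriers and separate storage for the components: whoever collects all of them, whether by courier or from one safe, holds the key.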
Ensure that backup
copies of smart cards are
held securely (in a safe)
on a site different from
where the Payshield 9000
(HSM) is warehoused.
Confirm that audit and
error log files of the
Payshield 9000 are
regularly reviewed to
detect any security
breaches.
Ensure that the company
has a secured printing
machine and that all
security key, PINs and
passwords are printed on
tamper proof paper for
easy detection when
tampered with.
Ensure that e-mail is not used to convey or send secret or private keys or their components over the network.
Ensure that the primary LMK key components are not stored in the same location but are held separately under the custody of each of the key custodians. Ensure that tamper-proof serialized envelopes are used to store the keys.
Ensure that the company
has a cross-cut shredder
used for destroying ATM
key components after
loading.
Ensure that key
custodians sign a form
specifying that they
understand and accept
their key custodianship
responsibilities.
Ensure that a test HSM
Payshield 9000 has been
established for the
payment system’s test
environment, which
should connect with the
test Frontend Processor
(FEP) and other
cardholder storing and
processing systems.
Ensure that the test LMK key components are not used in the production environment, and that the production LMK key components are not used in the test environment, to prevent total compromise of the system.
Verify the PIN block format being used between all ATMs and the FEP (Postilion or Transware) host system. Ensure that it is ISO/ANSI PIN block format 0 (ISO 9564-1 format 0, which binds the PIN to the PAN) and not the IBM 3624 format, which is weak.
Ensure that separate
courier companies are
used when transporting
different components of
the ATM Terminal Master
Key (TMK) and the switch
ZMK and ZPK for security
of the key and to avoid
compromise.
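The three custody tests above (no one person holds more than one component of a key, components of one key are not kept in the same location, and components whose custodian left or was redeployed were regenerated) can be run mechanically over the key ceremony register. The following is an added example, not the author's program; the register layout, staff ids, safe names and dates are all constructed.

```python
"""Custody checks over a constructed key-component register.

Implements the three custody tests from the checklist:
  1. no custodian holds more than one component of the same key;
  2. the components of one key are not kept in the same location;
  3. a component whose custodian left or was redeployed must have been
     replaced (key regenerated) after the departure date.
Every record below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    key_id: str        # e.g. "LMK-PROD" (constructed name)
    number: int        # component 1, 2, 3 ...
    custodian: str     # staff id of the custodian (constructed)
    location: str      # safe where the sealed, serialized envelope is kept
    generated: date    # date of the key ceremony that produced it


@dataclass(frozen=True)
class Custodian:
    staff_id: str
    status: str        # "active", "left" or "redeployed"
    status_date: date  # date the status became effective


def dual_control_violations(components):
    """Return (key_id, custodian) pairs where one person holds > 1 component."""
    held = {}
    for c in components:
        held[(c.key_id, c.custodian)] = held.get((c.key_id, c.custodian), 0) + 1
    return sorted(k for k, n in held.items() if n > 1)


def colocated_components(components):
    """Return key_ids whose components share a storage location."""
    by_key = {}
    for c in components:
        by_key.setdefault(c.key_id, []).append(c.location)
    return sorted(k for k, locs in by_key.items() if len(set(locs)) < len(locs))


def stale_components(components, custodians):
    """Return components held by a departed custodian and not regenerated since.

    A component is stale when its custodian is no longer "active" and the
    component's generation date is not after the departure/redeployment date.
    """
    status = {c.staff_id: c for c in custodians}
    stale = []
    for comp in components:
        cust = status.get(comp.custodian)
        if cust is None or cust.status == "active":
            continue
        if comp.generated <= cust.status_date:
            stale.append(comp)
    return stale


# Constructed register: one LMK under three custodians, one TMK where the same
# person holds both components in the same safe.
SAMPLE_COMPONENTS = [
    Component("LMK-PROD", 1, "S100", "Safe-A (HQ)", date(2016, 3, 1)),
    Component("LMK-PROD", 2, "S101", "Safe-B (DR site)", date(2016, 3, 1)),
    Component("LMK-PROD", 3, "S102", "Safe-C (HQ)", date(2016, 3, 1)),
    Component("TMK-ATM-07", 1, "S103", "Safe-A (HQ)", date(2017, 1, 10)),
    Component("TMK-ATM-07", 2, "S103", "Safe-A (HQ)", date(2017, 1, 10)),
]
SAMPLE_CUSTODIANS = [
    Custodian("S100", "active", date(2015, 1, 1)),
    Custodian("S101", "left", date(2016, 9, 30)),   # left after the ceremony
    Custodian("S102", "active", date(2015, 1, 1)),
    Custodian("S103", "active", date(2015, 1, 1)),
]


def custody_findings(components=SAMPLE_COMPONENTS, custodians=SAMPLE_CUSTODIANS):
    """Collect all three findings in one dictionary for the working paper."""
    return {
        "dual_control": dual_control_violations(components),
        "colocated": colocated_components(components),
        "stale": [(c.key_id, c.number, c.custodian)
                  for c in stale_components(components, custodians)],
    }


if __name__ == "__main__":
    for name, items in custody_findings().items():
        print(f"{name}: {items}")
```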

Control: Establish a procedure for encryption key management.
Test Procedures:
· Ensure that there is a procedure manual for encryption key management and administration in the company, which highlights the procedures for key generation (i.e. key ceremonies for LMK, TMKs and ZMKs), key ceremony/commissioning, key component distribution and storage, etc.
· Ensure that a key generation and replacement diary/register is maintained to keep a record of all key management activities completed and planned, including activities during the key generation ceremony, HSM process authorization, etc.
· Review the process of generating the ATM Terminal Master Key (TMK) and ensure that the procedures necessary for the security of the keys are applied. Ensure that the key components are not generated by one person and that the process of transporting/transferring the keys to the ATM site is secured and foolproof.
· Request the company’s key transfer/conveyance procedure for ATM keys.
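The PIN block check in the previous row (ISO/ANSI format 0 rather than IBM 3624) is easier to verify when the auditor can form and decode a format 0 block. The block below is an added example, not part of the book; it implements ISO 9564-1 format 0 (PIN field XOR PAN field) on constructed PIN and PAN values, and shows that the same PIN on two different PANs gives two different blocks and that a block cannot be decoded against the wrong PAN, which is exactly what IBM 3624 (PIN plus padding, no PAN) does not provide.

```python
"""ISO 9564-1 format 0 (ISO-0 / ANSI X9.8) PIN block: build, decode, verify.

Format 0 XORs a PIN field ("0", PIN length, PIN digits, F padding) with a
PAN field ("0000" + the 12 rightmost PAN digits excluding the check digit).
Sample PINs and PANs below are constructed test values, not real cards.
"""


def _pan_field(pan: str) -> str:
    """'0000' + the 12 rightmost PAN digits, excluding the check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return "0000" + pan[:-1][-12:]


def _pin_field(pin: str) -> str:
    """'0' + PIN length (one hex digit) + PIN digits, F-padded to 16 hex chars."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return ("0" + format(len(pin), "X") + pin).ljust(16, "F")


def _xor_hex(a: str, b: str) -> str:
    """XOR two 16-hex-char fields and return 16 upper-case hex chars."""
    return format(int(a, 16) ^ int(b, 16), "016X")


def iso0_pin_block(pin: str, pan: str) -> str:
    """Return the clear (pre-encryption) format 0 PIN block for pin/pan."""
    return _xor_hex(_pin_field(pin), _pan_field(pan))


def decode_iso0(block: str, pan: str) -> str:
    """Recover the PIN from a clear format 0 block; raise if it is malformed.

    Decoding against the wrong PAN yields bad padding or a bad control nibble,
    so the PAN binding is checked rather than silently producing a wrong PIN.
    """
    if len(block) != 16 or any(ch not in "0123456789ABCDEF" for ch in block.upper()):
        raise ValueError("block must be 16 hex characters")
    field = _xor_hex(block, _pan_field(pan))
    if field[0] != "0":
        raise ValueError("control nibble is not 0: not a format 0 block")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, pad = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("PIN digits or padding are invalid")
    return pin


def pan_binding_holds(pin: str, pan_a: str, pan_b: str) -> bool:
    """True when the same PIN yields different blocks on two different PANs."""
    return iso0_pin_block(pin, pan_a) != iso0_pin_block(pin, pan_b)


if __name__ == "__main__":
    # constructed sample values
    print(iso0_pin_block("1234", "4321432143214321"))   # 041220CDEBCDEBCD
    print(decode_iso0("041220CDEBCDEBCD", "4321432143214321"))  # 1234
```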

9. Network security.
Risk: Compromise of cardholders’ data during transmission because of poor network security controls.
Control: Implement adequate network security controls.
Test Procedures:
· Verify the physical and logical location of the card data processing systems FEP (POST Card, Postilion, Post Office, and Transware) on the network. Also, verify whether they are on a dedicated V-LAN and confirm whether the V-LAN is shared with other non-card processing systems.
· Ensure that all resource sharing protocols are disabled on all card processing systems FEP (POST Card, Postilion, Post Office).
· Verify the users and administrators given access to the FEP V-LAN and confirm that they were authorized and have a need for the access. Also, ensure that unauthorized users are not allowed access to the V-LAN.
· Verify that an internal network segment was established within the DMZ area for card processing servers and facilities. Obtain the company’s network diagram. Examine firewall and router configurations to verify that inbound and outbound traffic is limited to Web protocols http, https (Port 80), SSL (Port 443), VPN and SSH.
· Identify publicly accessible servers in the company’s network which have a connection/interaction with systems storing cardholder data. Ensure that inbound internet traffic is limited to IP addresses within the DMZ (ingress filters). Ensure that inbound and outbound internet traffic is limited to ports 80 and 443. Similarly, determine that internal addresses cannot pass from the internet into the DMZ.
· Ensure that no database server is placed within the DMZ, including the ones storing cardholder data. Ensure that all databases are on the internal network (intranet), segregated from the DMZ.
· Determine that outbound traffic is limited to that which is necessary and documented for the cardholder environment.
· Determine whether any wireless network(s) directly connect to systems that store cardholder data (FEP, Post Card, Post Office, and Postilion). If there are any, ensure that a firewall is installed between such wireless networks and the systems storing cardholder data to deny or control traffic from the wireless network environment.
· Examine firewall configurations and determine that internal outbound traffic from cardholder applications can only access IP addresses within the DMZ.
· Request the configuration standard for all systems storing and processing cardholder data and ensure that the standard configurations are being followed.

10. Vulnerability Assessment.
Risk: Risk to the confidentiality, integrity and availability of cardholder data as a result of inherent system vulnerabilities.
Control: Implement adequate controls to mitigate all possible system vulnerabilities.
Test Procedures:
· Ensure that all card processing systems are regularly updated with the latest patches from the Original Equipment Manufacturer (OEM).
· Ensure that all changes (including patches) are tested before being deployed to production systems.
· Ensure that code reviews are required and are performed by individuals other than the originating author of the code. Confirm that code reviews are carried out for new code as well as after code changes.
· Ensure that the change control procedures for systems and software are followed, including the implementation of security patches and software modifications.
· Ensure that internal and external penetration testing and vulnerability scans are performed periodically on all cardholder data storing and processing systems and on the network to ascertain their security. Vulnerabilities to be tested for include: unvalidated inputs, malicious use of user IDs, malicious use of account credentials and session cookies, cross-site scripting, buffer overflow due to unvalidated inputs and other causes, SQL injection flaws, error handling flaws, insecure storage, denial of service, and insecure configuration management.
· Verify that Tripwire is deployed to capture logs of all cardholder processing and storing systems for the audit trail.

11. Operating System Security.
Risk: Risk to the confidentiality, integrity and availability of cardholder data because of operating system security flaws.
Control: Implement adequate controls to mitigate all possible operating system security flaws.
Test Procedures:
· Determine the versions of the Operating System (OS) being used for the FEP, Postilion, Post Office and Post Card servers. Ensure that it is not lower than Windows Server 2008.
· Determine whether the OS of the card systems (FEP, Postilion, Post Office and Post Card) is being patched with the latest Windows patches and updates to prevent them from being vulnerable to attacks.
· Ensure that the card application servers (FEP, Postilion, Post Office and Post Card) are installed with anti-virus and anti-spyware applications and that the applications have the latest updates of the DAT signature files.
· Ascertain the users that were given access to the operating systems of all card application servers (FEP, Postilion, Post Office and Post Card) and ensure that they are authorized users and administrators who have a need for the access.
· Identify service and generic accounts on the operating system of the card application servers (FEP, Postilion, Post Office and Post Card) and ensure that they are authorized and that there is a need for their continued use and retention.
· Ensure that the operating system logs (security and system logs) of the card systems (FEP, Postilion, Post Office and Post Card) are being captured and consolidated on the log management and correlation tool (ArcSight) to ensure adequate retention.

12. Cards Operations and Production (Debit and Credit).
Risk: Risk to the confidentiality, integrity and availability of cardholder data arising from security lapses in the card production process.
Control: Implement adequate controls to ensure separation of duties, authorization, accountability and non-repudiation in the card production and priming process.
Test Procedures:
· Identify the staff members of the Card Business and Card Operations units. Request their various job descriptions and interview each staff member where necessary to ascertain their daily duties.
· Request the organogram of the Card Business and Card Operations units to ascertain the various roles in each department.
· Review the Instant PIN POS system as well as instant card issuance to ascertain its architecture, mode of operation and the underlying system/technology used for its implementation.
· Request and review the project implementation documents and ensure that the company’s system implementation and change management procedures were followed and that the necessary approvals were obtained for changes made to systems and the network.
· Request and understand the workflow for ATM and debit card production and processing using the Card Management Portal, and ensure that each step in the production/processing is in line with PCI-DSS requirements for cardholder data protection at all levels.
· Ensure that operators do not have unauthorized or undue access to cardholder data.
· Ensure that there is adequate separation of duties between the operators who process card requests and PIN generation for all card brands (local/bank card, MasterCard, VISA, Diners Card, JCB, etc.).
· Review the FIMI and Postilion application databases, which are the transaction databases for the VISA and MasterCard platforms, and ensure that transaction data and cardholder information are stored in line with PCI-DSS.
· Review the ITC and Post Card/Post Office databases, which are the card management system databases for the VISA and MasterCard platforms, and ensure that cardholder data are stored and retrieved in line with PCI-DSS requirements.
· Download card data (including PAN, account number, account name, date of creation) from the Post Card database and the Card Management/request portal database and relate the outcomes to determine incidences of cards linked to wrong accounts for the period under review.
· Review the various Card Programs set up on the FEP for MasterCard, VISA local currency, VISA dual currency, VISA Gold, VISA USD, VISA Credit, etc., and ensure that their setup is in line with business rules. Business rules include card features such as daily transaction limits on cards for POS, ATM and Web, number of transactions per day, maximum withdrawal per transaction, etc.
· Review the currency setup on each of the card programs and ensure that the right currencies are correctly mapped to each card program as well as to the appropriate internal accounts.
· Review the card setup for transactions in non-EMV countries (e.g. USA) and ensure that the setup is in line with regulatory guidelines for that category of transactions.
· Review the One-Time Password (OTP) system of the company as issuer and ensure that all cards produced are mandatorily enrolled on the system for OTP. Also, review the rules set up by the company on the OTP platform and ensure that they are in line with the company’s risk appetite as well as industry standards.

CHAPTER – 13 Audit of Employee/Human Resource Information Systems and Processes

Audit Program for Employee/Human Resources Information System

Audit Objectives
The objective of this audit exercise is to evaluate the adequacy and effectiveness of the controls in place to minimize the risks of unauthorized access to employee information, disclosure of classified personnel information and systems downtime, and to confirm the accuracy and integrity of the employee and payroll data.

Audit Scope
The audit shall cover all human resources systems, such as the HR software (for personnel information and payroll data). Specific attention will be paid to the following areas:
· Logical access controls (user profiles and privileges).
· User registration and de-registration.
· Security parameter setup.
· Staff data confidentiality and integrity.
· Operational procedures.
· Application logs.
· Data backup and retention.
· System support and change management.
· Payroll data integrity.
· Information classification.

Background Knowledge Gathering


· Previous audit reports.
· HR Policies and procedures.
· IT Security policy.
· Technical manuals.
· Data dictionary.
· Organogram.
· Risk Assessment.

Audit Checklist for Employee/Human Resources Information Systems and Processes

Onboarding and Exit Process

1. Induction Process
Test Procedures:
· Obtain the list of staff that resumed in the organization within the period under review and confirm that they participated in the compulsory induction programme, where an information security awareness session is expected to be conducted for them. This can be either during resumption/onboarding (for experienced hires) or in the training school induction programme (for graduate hires).
· Request and review the content of the information security awareness lecture/training presentation/slides to ensure that they are adequate and address information security requirements, responsibility, accountability and acceptable use of information assets as they affect the members of staff in question.
· Confirm that new hires (both graduate and experienced) are made to sign a non-disclosure agreement (NDA) or information security responsibility agreement at the point of onboarding/resumption, to communicate individual staff responsibilities for information security and non-disclosure of the organization’s classified information. The employees shall be held accountable for their actions and inactions during the period of their employment in the event of a breach of the agreement. Note that the NDA could be included as part of the offer/employment letter, which the staff member signs upon accepting the offer, or as a separate document.

2. Employee Screening and Background Checks
Test Procedures:
· Obtain the list of new staff members that resumed in the organization within the review period and confirm that compulsory background screening was conducted and that the outcome of the checks was properly documented and factored into the recruitment decision-making and confirmation process.
· Obtain the names of the outsourced vendor(s) currently enlisted to carry out the background screening on behalf of the organization and confirm that they have the capacity and independence to conduct the exercise. Confirm the criteria used in engaging the vendors.

3. Exit Management Process
Test Procedures:
· Obtain the list of staff members that exited from the organization within the period under review. Confirm that they (all categories of staff) complied with the exit process as specified in the Human Resource Handbook/policy, which includes the conduct of an exit interview and exit clearance.
· Confirm that all access rights granted to ex-staff members during their employment period (e.g. email, network access, physical access, service management access, etc.) have been removed/revoked, including those of staff currently on vacation/leave of absence as well as reassignments.
· Confirm that the Human Resources department maintains a list of computer assets (e.g. laptops, phones, tablets, etc.) assigned to every member of staff, as applicable based on their job functions. Confirm that a process is in place that ensures that ex-staff members return all of the organization’s information/computer assets in their possession upon exit.
· Verify that the access rights of staff members on vacation, leave of absence or reassignment are disabled on the relevant applications and systems during the period of their absence to prevent the risk of unauthorized access.

HUMAN RESOURCES ORGANIZATION AND ADMINISTRATION

1. Risk: Lack of due diligence in the recruitment process, which could lead to employing staff with criminal records or questionable integrity.
Controls: Perform employment due diligence and background checks.
Procedure:
· Verify that background checks are conducted on new employees as part of the requirements for their documentation, in compliance with ISO 27001 Clause A.7.1.1.
· Request and review the staff offer/employment letter template (draft) and ensure that the employee’s and the organization’s responsibilities for information security are part of the contractual agreement signed.
· Verify that appropriate staff security awareness education and training are being conducted and that regular updates on organizational policies and procedures are carried out as expected.
· Verify that there is a communicated disciplinary process in place to take action against employees who have committed an information security breach.

2. Risk: Lack of due diligence in the employee disengagement/separation process.
Controls: Ensure that there is a formal disengagement process and procedure in place.
Procedure:
· Verify that there is a formal procedure for employee disengagement in the organization.
· Verify that the established process of disengagement captures the necessary steps staff should take to fully separate from the organization’s employment.
· Verify that disengaged staff comply with the established disengagement procedure and clearances.
· Verify that there is a mechanism or procedure in place to inform HR of any purchase or acquisition of computer assets or other assets on behalf of a staff member. Do corporate services and other departments within the organization notify HR of any asset(s) procured on behalf of staff members that need to be returned at the point of exit?
· Verify that disengaged staff are promptly disabled from all enterprise systems and applications to prevent the risk of unauthorized access to those systems. Also, confirm that the process of communicating disengagement is effective.

3. Risk: Risk of fire outbreak, environmental threat as well as unauthorized activities, due to lack of physical security controls.
Controls: Implement physical and environmental security controls.
Procedure:
· Verify that employee files are properly and safely stored in fireproof cabinets to secure them from unauthorized tampering or fire.
· Verify that smoke detectors were installed in the rooms where employee files are stored.
· Verify that CCTV cameras were installed in the file rooms to monitor and record the activities of users/staff in the room.

4. Risk: Risk of multiple payments, overpayment or payment of unearned salaries and allowances to staff.
Controls: Implement a procedure for the review of payroll data as well as payments to staff members to ensure data integrity.
Procedure:
· Verify that disengaged staff are promptly removed/disabled from the payroll and other information systems of the organization to ensure that salaries and allowances are not paid to them after separation.
· Conduct a data integrity check on the payroll with ACL Analytics software to ensure that duplicate payments of salaries and allowances were not made to staff and that unearned salaries and allowances were not paid to disengaged staff after their exit.
· Compare the list of active staff on the payroll against the list of active staff in the employee database to ensure there are no discrepancies (e.g. ghost staff, duplications, etc.).
· Verify that the effective dates of separation of staff that have disengaged from the organization’s employment were properly captured, to allow data integrity checks on the payroll and correct computation of the staff exit entitlements where applicable.
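The payroll integrity tests in item 4 (duplicate payments, payments after exit, ghost staff, missing exit dates) are shown below as an added example in plain Python rather than ACL Analytics; it is not the author's script. The employee master and payroll extract are constructed records, and the staff ids and amounts are illustrative.

```python
"""Payroll integrity checks over constructed HR and payroll extracts.

Four tests from the checklist: ghost staff (on payroll, not in the employee
master), duplicate payments of one component in one period, payments dated
on or after the staff member's effective exit date, and exited staff whose
exit date was never captured (so the post-exit test cannot run for them).
All records below are constructed.
"""
from collections import Counter
from datetime import date

# Employee master extract: staff_id -> (status, effective exit date or None)
EMPLOYEES = {
    "S001": ("active", None),
    "S002": ("active", None),
    "S003": ("exited", date(2017, 4, 30)),
    "S004": ("exited", None),          # exited, but the date was never captured
}

# Payroll extract: (staff_id, pay period as first day of month, component, amount)
PAYROLL = [
    ("S001", date(2017, 5, 1), "basic", 250000),
    ("S001", date(2017, 5, 1), "housing", 80000),
    ("S002", date(2017, 5, 1), "basic", 250000),
    ("S002", date(2017, 5, 1), "basic", 250000),   # duplicate line
    ("S003", date(2017, 5, 1), "basic", 250000),   # paid after exit
    ("S004", date(2017, 5, 1), "basic", 250000),   # exited, date unknown
    ("S999", date(2017, 5, 1), "basic", 250000),   # not in employee master
]


def ghost_staff(payroll, employees):
    """Staff ids on the payroll that do not exist in the employee master."""
    return sorted({sid for sid, *_ in payroll if sid not in employees})


def duplicate_payments(payroll):
    """(staff_id, period, component) tuples paid more than once in a period."""
    counts = Counter((sid, period, comp) for sid, period, comp, _ in payroll)
    return sorted(k for k, n in counts.items() if n > 1)


def post_exit_payments(payroll, employees):
    """Payroll lines dated on or after the staff member's effective exit date."""
    hits = []
    for sid, period, comp, amount in payroll:
        status, exit_date = employees.get(sid, ("unknown", None))
        if status == "exited" and exit_date is not None and period >= exit_date:
            hits.append((sid, period, comp, amount))
    return hits


def missing_exit_dates(payroll, employees):
    """Exited staff still on the payroll whose exit date was never captured."""
    on_payroll = {sid for sid, *_ in payroll}
    return sorted(sid for sid, (status, exit_date) in employees.items()
                  if status == "exited" and exit_date is None and sid in on_payroll)


def payroll_findings(payroll=PAYROLL, employees=EMPLOYEES):
    """Run all four tests and return the findings for the working paper."""
    return {
        "ghost_staff": ghost_staff(payroll, employees),
        "duplicates": duplicate_payments(payroll),
        "post_exit": post_exit_payments(payroll, employees),
        "missing_exit_date": missing_exit_dates(payroll, employees),
    }


if __name__ == "__main__":
    for test, result in payroll_findings().items():
        print(f"{test}: {result}")
```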

Human Resource Information System (HR Software)

1. Risk: Risk of compromise of the application’s confidentiality, integrity and availability due to lack of application controls.
Controls: Implement adequate application security controls.
Procedure:
· Identify all portals used by the HR department, e.g. Leave portal, Recruitment portal, Appointment Confirmation portal, E-quiz portal, Learning and Development Management Portal, etc.
· Verify that all the portals (e.g. Leave portal, E-quiz portal, confirmation portal, recruitment portal, etc.) have application controls that ensure separation of duties, access restriction and authorization controls where necessary.
· Verify that all the portals (e.g. Leave portal, E-quiz portal, confirmation portal, recruitment portal, etc.) keep logs of the activities of users in the application and that the information that will aid investigation activities when the need arises is captured.
· Verify that adequate access control and authentication mechanisms were implemented to protect all the portals (e.g. Leave portal, E-quiz portal, confirmation portal, recruitment portal, etc.) from unauthorized access.
· Verify that all the portals (e.g. Leave portal, E-quiz portal, confirmation portal, recruitment portal, etc.) have test/development environments for testing of changes and simulation before implementation on the production servers.
· Verify that there is adequate separation of duties among the application developers, application administrators, operating system administrators and the database administrators.

2. Risk: Risk of unauthorized access to the database, compromise as well as lack of audit trail.
Controls: Implement a procedure for the review of database users, security configuration as well as audit trail.
Procedure:
· Identify the database management system (DBMS) being used for all the portals (e.g. Leave portal, E-quiz portal, confirmation portal, recruitment portal, Learning & Development, etc.). Confirm that the version of the DBMS being used is not lower than MSSQL Server 2012.
· Verify that there is adequate logical access control on the database and that users are authenticated on the database with their individual unique user IDs and passwords.
· Request the database user lists for the concerned applications and ensure that all users granted access are authorized.
· Verify that all the portals (e.g. Leave portal, E-quiz portal, confirmation portal, recruitment portal, etc.) and their respective databases are not administered by developers. Application databases should be administered by the DBA team, while the application and its user management are administered by the business unit and IS Control.
· Identify the system/service accounts in all portal databases and verify their use and who holds the passwords to the accounts.
· Verify that all the portals (e.g. Leave portal, E-quiz portal, confirmation portal, recruitment portal, etc.) have a test environment for their database and that live data are not directly used as test data without concealing them.

HR Software Review

1. Risk: Unauthorized access and lack of audit trail.
Controls: Implement adequate application controls.
Procedure:
· Verify that the HR application was delivered with user and technical manuals as well as a data dictionary to support the application users and support personnel.
· Verify that users gain access to the application with their individual unique user IDs and passwords and that the authentication mode adopted for the application is adequate and promotes security.
· Review the operating system users and confirm that all access was granted on a need-to-do basis and that unauthorized users were not given access.
· Verify the workflow process on the application and ensure that there is adequate maker/checker control on the application.
· Ensure that the application maintains an adequate audit trail of users’ activities. Such an audit trail should not be limited to login, logout, failed login, modification and configuration changes.

2. Risk: Risk of unauthorized access to the database, compromise as well as lack of audit trail.
Controls: Implement a procedure for the review of database users, security configuration as well as audit trail.
Procedure:
· Review the database access list and confirm that only authorized users were granted access. Also, confirm that users’ roles in the database are in line with their job functions.
· Review the process of granting access to the database and confirm that the process is adequate and in line with approved policies and procedures.
· Verify that the DBMS holding the data was not configured to use its default port, which is public knowledge. For example, the MSSQL Server database default port is 1433 while that of Oracle is 1522.
· Verify the version of the DBMS being used for the HR Software database. Ensure that unsupported versions of the DBMS are not used because of their flaws. For example, MSSQL Server 2003, 2005 and 2008 are no longer supported by the software vendor. MSSQL Server 2012 and above is recommended.
· Verify that production data are not directly used as test data in the test environment without concealment, to ensure information confidentiality and integrity for sensitive employee information. This is because security is de-emphasized in the test environment and third-party vendors are usually given access to it.
· Verify that the test and production environments are logically separated from each other (i.e. not installed on the same physical or virtual servers). This is to ensure that they are not subjected to the same security threat, since the test environment is accessible to vendors, who usually have unrestricted access to the application and its database.
· Review the users that have been granted access to the HR application database to confirm that they were duly authorized. Also, verify that users access the database with unique user IDs and passwords and that an adequate authentication mechanism was adopted.

DATA BACKUP AND REDUNDANCY FOR HR APPLICATIONS

1. Risk: Inability to promptly resume business operations in the event of a system crash or disaster, due to lack of data backup and loss of critical data.
Controls: Implement a data backup procedure as well as redundant system processing for all HR applications.
Procedure:
· Verify that prompt and regular data backups of all the portal databases (e.g. Leave portal, E-quiz portal, confirmation portal, recruitment portal, etc.) are taken and stored offsite for adequate protection.
· Verify that the recovery point objective (RPO) and recovery time objective (RTO) of all HR portals have been determined and documented.
· Verify that the logs of the activities of database users are being captured, reviewed and retained on external backup media to ensure availability when needed during an investigation.
· Verify that there is adequate redundancy for all HR portals and applications to provide support for the live servers in the event of their downtime, system crash or disaster.

CHAPTER – 14 Audit of Perimeter Network Security

Audit Checklist for Perimeter Network Security

Network Logical Access Control

1. Network Logical Access Control
Test Procedures (each followed by its implication):
· Confirm that a network Authentication, Authorization and Accounting (AAA) solution is being used to administer access on all network devices such as switches, routers, firewalls, IPS/IDS, wireless controllers, etc. TACACS or RADIUS solutions could be used and should authenticate via the Active Directory. Implication: Non-implementation of AAA on the network for access administration could lead to unauthorized access or a breach of network security.
· Obtain the list of users on the ACS or RADIUS solution and confirm that all users are authorized and that access was granted on a need-to-do basis and is relevant to the users’ job functions. Implication: Risk of unauthorized access.
· Confirm that the users granted level 15 access on the ACS or RADIUS are all network super users/administrators for routers, switches or firewalls. Other non-super users should be granted level 5 access on the relevant network devices to enable them to carry out basic network administration. This is to prevent unauthorized changes to the configurations of the devices. Implication: Risk of unauthorized access or modification of network device configurations by non-super users.
· Confirm that remote administration of, or access to, all network devices by the administrators is via SSH connection and that such access is through the ACS or RADIUS, which is AD authenticated. Implication: Risk of unauthorized access.

Network Remote Access Controls

2. Network Remote Access
Test Procedures (each followed by its implication):
· Obtain the list of employees and authorized third parties (contractors, vendors, etc.) that were granted Virtual Private Network (VPN) rights on the network for access to network resources over the internet (i.e. through the frontend/internet firewall). Implication: Risk of unauthorized access.
· Confirm that all VPN users have been assigned unique user IDs and passwords, either locally on the internet firewall or with their AD credentials via the ACS/RADIUS. Also, confirm that one-time password (OTP) token authentication is used each time a connection session is to be established on the network. Implication: Risk of unauthorized access.
· Confirm that VPN access is granted on a need-to-do basis. As such, users are only granted access to the specific resources on the network that they require to carry out their duties, as requested in the VPN access request form, for example access to specific applications, V-LAN(s) or servers. Global/unrestricted access shall not be granted to any staff via VPN, as this contravenes the Information Security policy. Implication: Risk of unauthorized access.
· Confirm that all VPN access is backed by an IT service request and VPN access request forms. The Information Security Operations Department must provide the access forms used to grant all VPN access on the internet firewall. Implication: Risk of unauthorized access.
· Confirm that VPN users have been sensitized (either via email or a disclaimer notice clearly stated in the VPN access form and signed by the users) on their responsibility as employees and third parties with remote access privileges, to ensure that the use of such privileges does not violate the organization’s policies and that the access is not used to perform activities that are illegal under Nigerian and international law or outside the organization’s business interests. The consequences of violations should also be clearly communicated to ensure accountability. Implication: Risk of unauthorized access.
· Confirm that all hosts that are connected to the organization’s internal networks via remote access technologies use the most up-to-date anti-virus software. Implication: Risk of unauthorized access.
· Confirm that VPN use is controlled using either password authentication or a public/private key system. Implication: Risk of unauthorized access.
· Confirm that all VPN traffic to and from the PC used to connect to the organization’s network is tunneled specifically via the VPN and that other traffic is dropped. The IT Operations department shall provide evidence of the rule that enforces this control requirement as specified in the policy. Implication: Risk of unauthorized access.
· Confirm that the VPN gateways have been set up and are managed by the team responsible for doing so as per policy. Implication: Risk of unauthorized access.
· Ensure that a session timeout control is implemented on the VPN connection interface that will ensure that all VPN users are automatically disconnected from the organization’s network after a predefined period of inactivity (e.g. 10 minutes idle time). The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open. Implication: Risk of unauthorized access.
· Confirm from the VPN access request forms that the approvals of the relevant stakeholders were obtained for all VPN access requests, in line with the information security policy. Implication: Risk of unauthorized access.
· Confirm that VPN access is reviewed every quarter by the responsible department to ensure that expired/irrelevant access still existing on the VPN is removed/revoked. The department should provide evidence that these quarterly reviews are being carried out as appropriate. Implication: Risk of unauthorized access.

3. Firewall Security
Test Procedures (each followed by its implication):
· Remove access list entries (rules) on the firewall with zero (0) hits (i.e. rules no longer in use). This is to optimize performance and enable the firewall to process legitimate traffic. Implication: Obsolete rules increase the attack surface and can be exploited.
· Ensure that no rule that allows "any" service between two hosts is granted. Implication: Not specifying the service for a rule implies that any service could utilize the rule set, which could create a vulnerability for the device.
· Ensure that the firewall access list (rule set) includes an explicit deny statement (an explicit "deny ip any any log" rule). This is to enable the administrator to have visibility of the dropped traffic. Implication: Inadequate visibility of the firewall by the administrator could lead to non-detection of unauthorized activity or DoS attacks.
· Ensure that access list rule sets are commented to aid easy identification of each rule and its function. Implication: Not commenting each access list rule on the firewall could lead to the creation of multiple ACL rules performing the same function and, as such, result in performance degradation of the firewall.
Test procedure: Ensure that AAA authentication is enabled on the firewall. This is to enable the firewall to be effectively managed and monitored using ACS (TACACS+) or RADIUS.
Implication: Lack of effective management and central administration of the firewall could lead to unauthorized access, administrative overhead and duplication of effort.

Test procedure: Ensure that AAA authentication for the interactive management interface has been enabled. This will ensure that users log in using a valid username and password.
Implication: Risk of unauthorized access if AAA authentication for the interactive management interface is not implemented.

Test procedure: Ensure that AAA servers and protocols have been defined.
Implication: This restricts users to specific and authorized protocols and prevents unauthorized access.

Test procedure: Ensure that only SSH version 2 is enabled on all network devices.
Implication: SSH version 1 has known vulnerabilities, which prompted the release of version 2.

Test procedure: Ensure that the management console line (line 0) password has been set with strong password encryption (enable secret). The password command causes the firewall to enforce the use of a strong password to access user mode.
Implication: Using default or well-known passwords makes it easier for an attacker to gain entry to the device.

Test procedure: Ensure that the firewall has been configured for ASDM management access control.
Implication: This configuration restricts remote management access via HTTPS for ASDM to authorized management subnets only, which minimizes the device attack surface and prevents potential compromise.
Test procedure: Ensure that only SSHv2 is enabled for remote management of the device.
Implication: Telnet should not be used for remote management of the firewall and, as such, should be disabled, given that it is a weak protocol and transmits users' credentials in plain text.

Test procedure: Ensure that a session timeout is configured on the firewall to automatically disconnect a login session after a fixed period of idle time (say 5 minutes).
Implication: This is to prevent unauthorized users from hijacking or misusing abandoned sessions.

Test procedure: Ensure that SSH access control is required for the firewall device.
Implication: This restricts access to the device to the approved management subnet only. The restriction prevents unauthorized parts/sections of the network from accessing the device.

Test procedure: Ensure that EXEC, Login, MOTD and ASDM banners are configured as appropriate.
Implication: Banners are electronic messages that communicate legal rights to users that log in to the device. Banners establish a system administrator's common authority to consent to a law enforcement investigation.

Test procedure: Ensure that at least one user is set on the console line for (local) access to the device.
Implication: This is to serve as a fallback authentication in the event that the centralized AAA service is unavailable.
Test procedure: Ensure that only SNMP version 3 is enabled on the firewall device. SNMPv1 and SNMPv2 should be disabled.
Implication: SNMPv1 and SNMPv2 use clear text community strings, which are considered a weak security implementation.

Test procedure: Ensure that SNMP read access, which allows remote monitoring and management of the device, is disabled except when needed, most importantly for SNMPv1 and SNMPv2.
Implication: SNMPv1 and SNMPv2 use clear text community strings, which are considered a weak security implementation.

Test procedure: Ensure that the local time zone is set on the device. This command explicitly configures the device to Coordinated Universal Time (UTC).
Implication: It eliminates the difficulty of troubleshooting across different time zones and of correlating time stamps for disparate log files across the network.

Test procedure: Ensure that the DHCP server service is not configured on the device.
Implication: Attackers can potentially use DHCP to carry out denial-of-service (DoS) attacks.

Test procedure: Ensure that the firewall is configured to submit logs to one or more syslog servers for central event correlation. It can be configured to send logs to a SIEM syslog server such as ArcSight.
Implication: Logging to an external system provides protected long-term storage of logs, which would otherwise be lost due to the device's limited internal logging buffer capacity. It also keeps the logs away from the device administrators, who could delete or tamper with the logs to conceal their activities.

Test procedure: Ensure that the firewall is configured for NetFlow Secure Event Logging (NSEL), which monitors traffic flow through the firewall.
Implication: NSEL provides greater visibility into the traffic flow passing through the network.

Test procedure: Ensure that the firewall device clock is synchronized with the Network Time Protocol (NTP) server to enable reliable correlation of events based on the actual sequence in which they occurred.
Implication: Without NTP clock synchronization, the accuracy of the time and sequence of events would be diminished.
Test procedure: Ensure that the firewall is configured to authenticate NTP messages from the NTP server.
Implication: Without NTP message authentication, an attacker can spoof the device's NTP server.

Test procedure: Ensure that the device is running an authorized OS version.
Implication: Outdated OS versions usually have known vulnerabilities, which can be exploited by an attacker.

Test procedure: Ensure that the firewall is configured to close connections after they become idle, to minimize the impact on memory and resources available for new connections.
Implication: This reduces the risk of someone accessing an already established but idle connection. It also reduces the likelihood of a DoS attack.

Test procedure: Ensure that intrusion detection is enabled on the firewall.
Implication: When intrusion detection is enabled on the firewall, the device can detect unusual activities using informational and attack signatures and take the necessary action, such as dropping the packet or closing the connection. Attack signatures identify activities that are, or lead to, exploitation. These would not be detected by the firewall if intrusion detection policies are not set.

Test procedure: Ensure that fragment chain fragmentation is disabled to prevent fragmented packets on external or high-risk interfaces.
Implication: Accepting packet fragmentation makes it possible for an attacker to submit a large number of packet fragments to cause a fragmentation DoS.

Test procedure: Ensure that traffic inspection is enabled on the firewall for commonly attacked protocols to ensure that only legitimate requests are permitted.
Implication: Traffic inspection should be performed for all traffic, both inbound and outbound, matching the enabled protocols, to prevent threats associated with those protocols.

Test procedure: Ensure that object groups are used to simplify ACL policy rules on the firewall by grouping services, networks and protocols.
Implication: The use of object groups in access control entries makes firewall rules easier to troubleshoot and audit.
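The first three firewall rule checks above (zero-hit rules, "any" service between two hosts, and a closing explicit "deny ip any any log") can be run over a saved `show access-list` dump instead of by eye. The following Python script is an added example and is not code from this book; the Cisco ASA output it parses is a constructed sample using documentation addresses, and the rule line layout it expects (`access-list NAME line N extended permit|deny PROTO ... (hitcnt=N) 0x...`) is the format the ASA prints.

```python
"""Review a Cisco ASA 'show access-list' dump for three rule-hygiene points:
zero-hit rules, 'any service' (protocol ip) rules between two specific hosts,
and ACLs that do not end in an explicit 'deny ip any any log'.
Added example; the sample output below is constructed, not from a real device."""
import re
from dataclasses import dataclass

# Constructed sample of 'show access-list' output (TEST-NET addresses).
SAMPLE_SHOW_ACCESS_LIST = """\
access-list OUTSIDE_IN line 1 extended permit tcp any host 192.0.2.10 eq 443 (hitcnt=15230) 0x1a2b3c4d
access-list OUTSIDE_IN line 2 extended permit ip host 198.51.100.5 host 192.0.2.20 (hitcnt=0) 0x2b3c4d5e
access-list OUTSIDE_IN line 3 extended permit udp any host 192.0.2.53 eq domain (hitcnt=8812) 0x3c4d5e6f
access-list OUTSIDE_IN line 4 extended deny ip any any log (hitcnt=417) 0x4d5e6f70
access-list DMZ_IN line 1 extended permit tcp host 192.0.2.10 host 203.0.113.7 eq 1521 (hitcnt=0) 0x5e6f7081
access-list DMZ_IN line 2 extended permit ip host 192.0.2.10 host 203.0.113.8 (hitcnt=3) 0x6f708192
"""

RULE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*?) \(hitcnt=(?P<hits>\d+)\)"
)

@dataclass
class Rule:
    acl: str
    line: int
    action: str
    proto: str
    rest: str   # source/destination/service part, e.g. 'host A host B eq 443'
    hits: int

def parse_access_list(text):
    """Parse each rule line; lines that do not match the rule layout (summary
    lines, remarks, object-group element expansions) are ignored."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m:
            rules.append(Rule(m["acl"], int(m["line"]), m["action"],
                              m["proto"], m["rest"], int(m["hits"])))
    return rules

def zero_hit_rules(rules):
    """Rules with zero hits are candidates for removal (first check above)."""
    return [(r.acl, r.line) for r in rules if r.hits == 0]

def any_service_host_to_host(rules):
    """'permit ip host A host B' grants every service between two hosts;
    the service should be restricted (second check above)."""
    return [(r.acl, r.line) for r in rules
            if r.action == "permit" and r.proto == "ip"
            and r.rest.startswith("host ") and " host " in r.rest]

def acls_without_explicit_deny(rules):
    """Each ACL should end in 'deny ip any any log' so that dropped traffic is
    visible to the administrator (third check above)."""
    last_by_acl = {}
    for r in rules:
        if r.acl not in last_by_acl or r.line > last_by_acl[r.acl].line:
            last_by_acl[r.acl] = r
    return sorted(acl for acl, r in last_by_acl.items()
                  if not (r.action == "deny" and r.proto == "ip"
                          and r.rest == "any any log"))

if __name__ == "__main__":
    rules = parse_access_list(SAMPLE_SHOW_ACCESS_LIST)
    print("zero-hit rules:", zero_hit_rules(rules))
    print("any-service host-to-host rules:", any_service_host_to_host(rules))
    print("ACLs without closing deny/log:", acls_without_explicit_deny(rules))
```

Hit counters on an ASA are cumulative since the last `clear access-list ... counters` or reload, so a zero-hit result should be read against how long the counters have been accumulating before a rule is removed.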

CHAPTER – 15 Audit of Database Security

Oracle Database Audit Requirements
Below is a list of commands to be executed (as a batch) on the Oracle database under review to retrieve the information that will enable the IT audit team to validate the adequacy of the Oracle configuration files, tables and database controls.
· SELECT * FROM PRODUCT_COMPONENT_VERSION;
· SELECT * FROM DBA_REGISTRY_HISTORY WHERE TO_DATE(TRIM(TO_CHAR(ID)), 'YYMMDD') > SYSDATE-90 AND ID > 160000;
· SELECT * FROM DBA_USERS_WITH_DEFPWD WHERE USERNAME NOT LIKE '%XS$NULL%';
· SELECT * FROM ALL_USERS;
· SELECT * FROM ALL_TABLES;
· SELECT * FROM V$PARAMETER;
· SELECT * FROM V$VERSION;
· SELECT * FROM DBA_USERS;
· SELECT * FROM SYS.DBA_PROFILES;
· SELECT * FROM SYS.DBA_ROLES;
· SELECT * FROM DBA_ROLE_PRIVS;
· SELECT * FROM USER_ROLE_PRIVS;
· SELECT * FROM SYS.DBA_SYS_PRIVS;
· SELECT * FROM SYS.DBA_TAB_PRIVS;
· SELECT * FROM SYS.DBA_TAB_PRIVS WHERE OWNER = 'SYS' AND TABLE_NAME IN ('UTL_FILE', 'UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'DBMS_RANDOM', 'DBMS_ADVISOR');
  (UTL_FILE, UTL_SMTP, UTL_TCP, UTL_HTTP, DBMS_RANDOM and DBMS_ADVISOR are PL/SQL packages rather than tables, so they cannot be queried with SELECT; what is reviewed is the set of privileges granted on them.)
· SELECT * FROM SYS.DBA_STMT_AUDIT_OPTS;
· SELECT * FROM SYS.DBA_PRIV_AUDIT_OPTS;
· SELECT * FROM DBA_OBJ_AUDIT_OPTS;

Please note that the following will also be required; however, these commands/files are to be extracted/executed at the operating system level.
· INIT<SID>.ORA
· TNSNAMES.ORA
· LISTENER.ORA
· PROTOCOL.ORA
· opatch lsinventory -detail
Oracle Database Audit Checklist

S/N Test Procedure Risk Implication Recommendation

Oracle Database Installation and Patch Management

1. Test procedure: Ensure that the relevant versions/releases/patches of the Oracle software are installed. Check the Oracle site for the latest release of the version you use.
   Risk implication: If the Oracle database is not protected against new threats, existing weaknesses can be exploited by internal or external hackers to gain unauthorized access. The longer known vulnerabilities remain untreated, the more likely they will be exploited.
   Recommendation: Download and apply the latest Oracle patches/releases as required.
2. Test procedure: Ensure that the default passwords of all Oracle database default accounts are changed. Some of such accounts are SYS, SYSTEM, OUTLN, MDSYS, SCOTT, CTXSYS, DBSNMP, MGMT_VIEW, etc.
   Risk implication: Default passwords are usually "well known" to attackers as they are available on the internet for everyone. If default passwords are not changed, any hacker with access to the database can authenticate as the user with that default password. The situation becomes more dangerous if privileged accounts are involved.
   Recommendation: The Database Administrator (DBA) can log on to the database and manually change the passwords of the default Oracle accounts. Most of the Oracle default accounts may not necessarily be used to administer the database. As such, it is recommended that the DBA manually expire or lock out all the unneeded default accounts, or run an SQL script which will automatically expire or lock out the accounts. However, the SYS and SYSTEM accounts should not be expired or locked out, as doing so contradicts the vendor's (Oracle Inc) recommendations and, as such, could result in extended service disruption during an emergency. The SYS and SYSTEM accounts are considered "accounts of last resort" and are needed to restore the database.

3. Test procedure: Ensure all sample data and default accounts have been removed from the database.
   Risk implication: Sample data is typically not required for live operations of the database and provides attackers with well-known default passwords, procedures, views, and functions. Such default user accounts, views, and/or procedures/functions could be used to launch attacks on the production database environment.
   Recommendation: Remove sample data and unneeded default accounts by executing the following SQL script: $ORACLE_HOME/demo/schema/drop_sch.sql. Then execute the following SQL statement:
   DROP USER SCOTT CASCADE;

Oracle Parameter Settings

4. Test procedure: Confirm that 'SECURE_CONTROL_<listener_name>' is set in the 'listener.ora' file.
   Risk implication: Allowing listener configuration changes via unencrypted remote connections could result in unauthorized users sniffing the control configuration information on the network. The need of the organization should be considered in setting the control values.
   Recommendation: The DBA should set SECURE_CONTROL_<listener_name> for the listener in the listener.ora file if required by the organization.

5. Test procedure: Ensure 'extproc' is not present in the 'listener.ora' file.
   Risk implication: 'extproc' should be removed from the listener.ora file to mitigate the risk of OS libraries being invoked via the Oracle instance.
   Recommendation: Remove extproc from the listener.ora file.

6. Test procedure: Ensure 'ADMIN_RESTRICTIONS_<listener_name>' is set to 'ON'.
   Risk implication: Setting 'ADMIN_RESTRICTIONS_<listener_name>' to 'ON' blocks unprivileged users from making alterations in the listener.ora file via a remote connection or service, which will help in ensuring data confidentiality and integrity. The organization's needs should be considered while making this setting.
   Recommendation: Set ADMIN_RESTRICTIONS_<listener_name> to the value 'ON'.

7. Test procedure: Ensure 'SECURE_REGISTER_<listener_name>' is set to 'TCPS' or 'IPC'.
   Risk implication: Allowing listener configuration changes via unencrypted remote connections could result in unauthorized users sniffing the control configuration information on the network. The need of the organization should be considered in setting the control values.
   Recommendation: Set SECURE_REGISTER_<listener_name> = TCPS or SECURE_REGISTER_<listener_name> = IPC for each listener in the $ORACLE_HOME/network/admin/listener.ora file.
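Items 4 to 7 are all checks on the listener.ora file, and they must be applied per listener name, since each hardening parameter carries the listener's name as a suffix. The Python script below is an added example, not code from this book: it parses Oracle Net's parenthesised `NAME = (KEY = value)` syntax with a small recursive-descent parser and reports each listener that is missing SECURE_CONTROL, does not have ADMIN_RESTRICTIONS set to ON, or allows registration over anything other than TCPS/IPC, plus any SID_LIST that still defines extproc. The listener.ora content it reads is a constructed sample.

```python
"""Parse a listener.ora file and check items 4 to 7 above for every listener it
defines: SECURE_CONTROL_<listener> present, ADMIN_RESTRICTIONS_<listener> = ON,
SECURE_REGISTER_<listener> limited to TCPS/IPC, and no extproc in any SID_LIST.
Added example, not the book's own code; the file below is a constructed sample."""
import re

# Constructed listener.ora: LISTENER lacks SECURE_CONTROL and still defines
# extproc; LISTENER_DG has none of the hardening parameters at all.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.test)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc)(PROGRAM = extproc)))
ADMIN_RESTRICTIONS_LISTENER = ON
SECURE_REGISTER_LISTENER = (IPC)
LISTENER_DG =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.test)(PORT = 1522)))
"""

TOKEN_RE = re.compile(r"[()=,]|[^\s()=,]+")

def tokenize(text):
    """Split Oracle Net syntax into '(', ')', '=', ',' and bare-word tokens;
    '#' starts a comment that runs to the end of the line."""
    return [tok for line in text.splitlines()
            for tok in TOKEN_RE.findall(line.split("#", 1)[0])]

class NetParser:
    """Recursive descent: the file is a sequence of NAME = value; a value is a
    bare token or one or more '( ... )' groups; a group holds KEY = value
    entries or a comma-separated list of bare values."""
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self):
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok
    def parse_file(self):
        params = {}
        while self.peek() is not None:
            name = self.take().upper()
            assert self.take() == "=", f"expected '=' after {name}"
            params[name] = self.parse_value()
        return params
    def parse_value(self):
        if self.peek() != "(":
            return self.take()
        entries = []
        while self.peek() == "(":
            self.take()
            while self.peek() not in (")", None):
                tok = self.take()
                if self.peek() == "=":
                    self.take()
                    entries.append((tok.upper(), self.parse_value()))
                else:
                    entries.append(tok)
                    if self.peek() == ",":
                        self.take()
            assert self.take() == ")", "unbalanced parentheses"
        return entries

def walk(value):
    """Yield every (key, value) pair in a parsed tree, depth-first."""
    if isinstance(value, list):
        for entry in value:
            if isinstance(entry, tuple):
                yield entry
                yield from walk(entry[1])

def listener_names(params):
    """A listener is a top-level entry whose value carries an address block."""
    return [name for name, value in params.items()
            if any(key in ("DESCRIPTION_LIST", "DESCRIPTION", "ADDRESS")
                   for key, _ in walk(value))]

def as_protocol_set(value):
    """Normalise 'TCPS', '(IPC)' or '(TCPS, IPC)' to a set of protocol names."""
    if value is None:
        return set()
    if isinstance(value, str):
        return {value.upper()}
    return {v.upper() for v in value if isinstance(v, str)}

def audit_listener_ora(text):
    """Return one finding string per deviation from items 4 to 7."""
    params = NetParser(tokenize(text)).parse_file()
    findings = []
    for name in listener_names(params):
        if str(params.get(f"ADMIN_RESTRICTIONS_{name}", "")).upper() != "ON":
            findings.append(f"ADMIN_RESTRICTIONS_{name} is not ON")                   # item 6
        if f"SECURE_CONTROL_{name}" not in params:
            findings.append(f"SECURE_CONTROL_{name} is not set")                      # item 4
        protocols = as_protocol_set(params.get(f"SECURE_REGISTER_{name}"))
        if not protocols or not protocols <= {"TCPS", "IPC"}:
            findings.append(f"SECURE_REGISTER_{name} is not restricted to TCPS/IPC")  # item 7
    for name, value in params.items():                                                 # item 5
        if name.startswith("SID_LIST_") and any(
                key == "PROGRAM" and str(val).lower() == "extproc" for key, val in walk(value)):
            findings.append(f"{name} configures extproc")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_listener_ora(SAMPLE_LISTENER_ORA)))
```

Run it against the file exported in the "Oracle Database Audit Requirements" list; a listener defined without any `SECURE_*` or `ADMIN_RESTRICTIONS_*` entry, like LISTENER_DG in the sample, produces three findings on its own, which is the usual shape of a standby or secondary listener that was added after the primary one was hardened.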
Database Configuration Settings

8. Test procedure: Ensure 'AUDIT_SYS_OPERATIONS' is set to 'TRUE'.
   Risk implication: If the parameter 'AUDIT_SYS_OPERATIONS' is set to FALSE, all statements except Startup/Shutdown and Logon by SYSDBA/SYSOPER users are not audited.
   Recommendation: Set AUDIT_SYS_OPERATIONS to 'TRUE' with SCOPE=SPFILE.

9. Test procedure: Ensure 'AUDIT_TRAIL' is set to 'OS' or 'DB,EXTENDED'.
   Risk implication: Setting 'AUDIT_TRAIL' to 'OS' or 'DB' enables the basic auditing features of the Oracle instance, which permits the collection of data for troubleshooting purposes in addition to providing valuable information/logs in the event of a system breach. However, it is recommended that the value be set to 'OS' to prevent the DBAs from having access to the logs, since the logs will not be accessible to them at the operating system level because they are not OS administrators (i.e. segregation of duties). If the value is set to 'DB', the DBAs have access to the logs because the logs are stored in a table in the database. This could give room for them to delete/purge or modify the logs to conceal the trail of their activities on the database.
   Recommendation: Set the 'AUDIT_TRAIL' parameter to either 'OS' or 'DB' as follows:
   ALTER SYSTEM SET AUDIT_TRAIL = 'DB,EXTENDED' SCOPE = SPFILE;
   OR
   ALTER SYSTEM SET AUDIT_TRAIL = 'OS' SCOPE = SPFILE;

10. Test procedure: Ensure 'GLOBAL_NAMES' is set to 'TRUE'.
    Risk implication: Where database connections are not required to match the domain being called remotely, unauthorized domain sources could be allowed to potentially connect to the database via brute force attack. The need of the organization should be considered in setting the control values.
    Recommendation: Set the 'GLOBAL_NAMES' parameter to TRUE:
    ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE = SPFILE;

11. Test procedure: Ensure the 'LOCAL_LISTENER' parameter is set appropriately.
    Risk implication: The TNS poisoning attack, which could result from not making this setting, allows unauthorized users with network access to redirect TNS network traffic to another system by registering a listener with the TNS listener. This setting will prevent the registering of listeners via TCP/IP, since the IPC protocol has been specified in the setting.
    Recommendation: To set 'LOCAL_LISTENER' to the IPC protocol, run the following script:
    ALTER SYSTEM SET LOCAL_LISTENER='[description]' SCOPE = BOTH;
    Replace [description] with the appropriate description from your listener.ora file, where the description sets the PROTOCOL parameter to IPC. For example:
    ALTER SYSTEM SET LOCAL_LISTENER='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' SCOPE=BOTH;

12. Test procedure: Ensure 'O7_DICTIONARY_ACCESSIBILITY' is set to 'FALSE'.
    Risk implication: Setting the value of 'O7_DICTIONARY_ACCESSIBILITY' to TRUE leaves the SYS schema open to connection and could permit unauthorized access to critical data/table structures. The need of the organization should be considered in setting the control values.
    Recommendation: Set 'O7_DICTIONARY_ACCESSIBILITY' to FALSE using the following script:
    ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY = FALSE SCOPE = SPFILE;

13. Test procedure: Ensure 'OS_ROLES' is set to 'FALSE'.
    Risk implication: Allowing the operating system to use external groups for database management could cause privilege overlays and generally weaken the security of the database. The need of the organization should be considered in setting the control values.
    Recommendation: Set 'OS_ROLES' to FALSE by running the following script:
    ALTER SYSTEM SET OS_ROLES = FALSE SCOPE = SPFILE;

14. Test procedure: Ensure the 'REMOTE_LISTENER' parameter is empty.
    Risk implication: Permitting a remote listener to connect to the database instance could lead to potential spoofing of the connections, which could compromise data confidentiality and integrity. The parameter should be disabled/restricted in line with the needs of the organization.
    Recommendation: Set the 'REMOTE_LISTENER' parameter to null or empty by running the following script:
    ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE = SPFILE;

15. Test procedure: Ensure 'REMOTE_LOGIN_PASSWORDFILE' is set to NONE.
    Risk implication: Using a remote password login file could allow unsecured privileged connections to the database. The need of the organization should be considered in making this setting.
    Recommendation: Set 'REMOTE_LOGIN_PASSWORDFILE' to NONE by running the following script:
    ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;

16. Test procedure: Ensure 'REMOTE_OS_AUTHENT' is set to 'FALSE'.
    Risk implication: Permitting OS roles/users to connect to the database (i.e. setting this parameter to 'TRUE') could lead to the spoofing of the connections and allow the granting of the privileges of an OS role to unauthorized users. The need of the organization should be considered in making this setting.
    Recommendation: Set 'REMOTE_OS_AUTHENT' to 'FALSE' by running the following script:
    ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;

17. Test procedure: Ensure 'REMOTE_OS_ROLES' is set to 'FALSE'.
    Risk implication: Allowing remote OS roles to have permissions for database management could cause privilege overlays and generally weaken the security of the database. The need of the organization should be considered in making this setting.
    Recommendation: Set 'REMOTE_OS_ROLES' to 'FALSE' by running the following script:
    ALTER SYSTEM SET REMOTE_OS_ROLES = FALSE SCOPE = SPFILE;

18. Test procedure: Ensure the 'UTL_FILE_DIR' parameter is empty.
    Risk implication: The use of UTL_FILE_DIR to create directories gives room for the manipulation of files in these directories.
    Recommendation: Set 'UTL_FILE_DIR' to null or empty by running the following script:
    ALTER SYSTEM SET UTL_FILE_DIR = '' SCOPE = SPFILE;

19. Test procedure: Ensure 'SEC_CASE_SENSITIVE_LOGON' is set to 'TRUE'.
    Risk implication: Not enabling this parameter results in users selecting weak database passwords.
    Recommendation: Set the SEC_CASE_SENSITIVE_LOGON parameter to TRUE by running the following script:
    ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;

20. Test procedure: Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' is set to '10'.
    Risk implication: Allowing an unlimited number of login attempts for database users can facilitate both brute force and dictionary attacks. The failed login attempt value to be set (e.g. 10) should be based on the need of the organization.
    Recommendation: Set 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' to '10' by running the following script:
    ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 10 SCOPE = SPFILE;

21. Test procedure: Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' is set to 'FALSE'.
    Risk implication: Allowing the database to return information about the patch/update release number could facilitate unauthorized access to the database based upon known patch weaknesses. However, this setting should be made according to the needs of the organization.
    Recommendation: Set the 'SEC_RETURN_SERVER_RELEASE_BANNER' parameter to FALSE by running the following script:
    ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER = FALSE SCOPE = SPFILE;

22. Test procedure: Ensure that non-privileged users (i.e. non-DBAs) are not granted admin privileges on the database that will enable them to perform admin functions such as alter any table, create any table, create database link, delete any table, drop any table or update any table.
    Risk implication: Allowing non-administrative users to perform such functions as alter any table, create any table, create database link, delete any table, drop any table or update any table is a security risk and should not be allowed.
    Recommendation: A review should be carried out to ascertain whether any non-privileged user(s) have been granted the listed privileges on the database. Such admin privileges should be revoked from non-administrators accordingly.

23. Test procedure: Ensure 'SQL92_SECURITY' is set to 'TRUE'.
    Risk implication: Setting the SQL92_SECURITY parameter to 'FALSE' could make the database vulnerable to SQL injection attacks by unauthorized users, who could perform update or delete functions in the database.
    Recommendation: Set the SQL92_SECURITY parameter to TRUE by running the following script:
    ALTER SYSTEM SET SQL92_SECURITY = TRUE SCOPE = SPFILE;

24. Test procedure: Ensure '_TRACE_FILES_PUBLIC' is set to 'FALSE'.
    Risk implication: Allowing read permission means anyone could read the Oracle instance's trace files, which contain sensitive information about the instance operations. However, this setting should be made according to the needs of the organization.
    Recommendation: Set _TRACE_FILES_PUBLIC to FALSE by running this script:
    ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE = SPFILE;

25. Test procedure: Ensure that the 'FAILED_LOGIN_ATTEMPTS' parameter for service or privileged accounts that are used to automatically insert records/transactions in the database is set to UNLIMITED, to prevent the accounts from being locked out maliciously; such a lockout could lead to service or transaction failures.
    Risk implication: A 'FAILED_LOGIN_ATTEMPTS' parameter set to, say, '3' for service or application accounts on the database could allow denial of service attacks to be easily launched by a user with nefarious intent, by arbitrarily attempting to log in to the database with the account 3 times with the intention of locking out the account.
    Recommendation: The 'FAILED_LOGIN_ATTEMPTS' parameter for application service and other privileged accounts should be set to 'UNLIMITED' to ensure continuity of transactions on the database.

26. Test procedure: Ensure that the 'Execute' privilege was not granted to 'PUBLIC' (i.e. all database users) on the following database packages: DBMS_ADVISOR, DBMS_CRYPTO_TOOLKIT, DBMS_JAVA_TEST, DBMS_JOB, DBMS_JOB$, DBMS_LCR, DBMS_LDAP, DBMS_LDAP_UTL, DBMS_OBFUSCATION_TOOLKIT, DBMS_RANDOM, DBMS_SCHEDULER, DBMS_SQL, DBMS_SQL2, DBMS_XMLGEN, UTL_FILE, UTL_HTTP, UTL_INADDR, UTL_SMTP, UTL_TCP, UTL_URL, HTTPURITYPE, UTL_MAIL.
    Risk implication: Granting the execute privilege to 'PUBLIC' on the listed database packages increases the attack surface of the database, as these packages could be used to compromise/exploit the database.
    Recommendation: Revoke the 'Execute' privilege from 'PUBLIC' on the listed database packages to ensure database security.

27. Test procedure: Ensure that the default Oracle ports (1521 to 1526) and agent ports (1821 to 1826) are changed and not used to connect to the database.
    Risk implication: Not changing the default Oracle port and agent ports to different port numbers in the listener.ora and tnsnames.ora files increases the possibility of packet sniffing attacks on the database.
    Recommendation: Change the default Oracle port and agent ports in the listener.ora and tnsnames.ora files to protect the database from packet sniffing attacks.

28. Test procedure: Ensure 'RESOURCE_LIMIT' is set to 'TRUE'.
    Risk implication: Where RESOURCE_LIMIT is set to FALSE, the system resource limits set in any of the database profiles are not enforced. However, if RESOURCE_LIMIT is set to TRUE, then the limits set in the respective database profiles are enforced.
    Recommendation: Set 'RESOURCE_LIMIT' to TRUE by running the following script:
    ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = SPFILE;

Connection and Login Controls

29. Test procedure: Ensure 'FAILED_LOGIN_ATTEMPTS' is less than or equal to '5'.
    Risk implication: If the failed login attempts parameter is set to unlimited, it can be used to launch brute force login attacks on the database. However, this setting should be made according to the needs of the organization.
    Recommendation: Set the 'FAILED_LOGIN_ATTEMPTS' parameter for each PROFILE to the value '5' or in line with the password policy of the organization. The following script can be run to make the setting:
    ALTER PROFILE <profile_name> LIMIT FAILED_LOGIN_ATTEMPTS 5;

30. Test procedure: Ensure 'PASSWORD_LOCK_TIME' is greater than or equal to '1'.
    Risk implication: This setting locks out the user after a given period of inactivity or idle time. The user will need to input his/her password to access the account.
    Recommendation: Set 'PASSWORD_LOCK_TIME' for each PROFILE to the value '1' or in line with the password policy requirement of the organization. The following script could be used to effect the setting:
    ALTER PROFILE <profile_name> LIMIT PASSWORD_LOCK_TIME 1;

31. Test procedure: Ensure 'PASSWORD_LIFE_TIME' is less than or equal to '90'.
    Risk implication: This is the password ageing parameter, which is used to determine the lifetime of a selected password. There is a risk of a successful brute force login attack if passwords do not expire. The value to set should depend on the password policy requirement of the organization.
    Recommendation: Set 'PASSWORD_LIFE_TIME' to less than or equal to the value '90', or as applicable to the password policy of the organization. Run the following script to effect the setting:
    ALTER PROFILE <profile_name> LIMIT PASSWORD_LIFE_TIME 90;

32. Test procedure: Ensure 'PASSWORD_REUSE_MAX' is greater than or equal to '20'.
    Risk implication: This password parameter prevents the reuse of a password within a short period of time after the initial selection of the password. Not making this setting could lead to a high probability of success for social engineering and brute force attacks. The setting should conform to the organization's password policy requirement.
    Recommendation: Set 'PASSWORD_REUSE_MAX' to greater than or equal to '10' or '20' (as applicable to the password policy of the organization). Use the following script to effect the setting:
    ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_MAX 20;

33. Test procedure: Ensure 'PASSWORD_REUSE_TIME' is greater than or equal to '365'.
    Risk implication: This password parameter prevents the reuse of a password within a short period of time after the initial selection of the password. Not making this setting could lead to a high probability of success for social engineering and brute force attacks. The setting should conform to the organization's password policy requirement.
    Recommendation: Set 'PASSWORD_REUSE_TIME' to greater than or equal to '365' (as applicable to the password policy of the organization). Use the following script to effect the setting:
    ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_TIME 365;

34. Test procedure: Ensure 'PASSWORD_GRACE_TIME' is less than or equal to '5'.
    Risk implication: This parameter is used to allow a grace period (e.g. 5 days) for a user to change his/her password, after which his/her account is locked. The user is usually warned or alerted to change his/her password within the grace period. This helps to prevent password-based attacks against forgotten or abandoned accounts while the account is still allowed. The setting should conform to the organization's password policy requirement.
    Recommendation: Set 'PASSWORD_GRACE_TIME' to less than or equal to '5' (as applicable to the password policy of the organization). Use the following script to effect the setting:
    ALTER PROFILE <profile_name> LIMIT PASSWORD_GRACE_TIME 5;

35. Test procedure: Ensure 'PASSWORD_VERIFY_FUNCTION' is set for all profiles.
    Risk implication: This setting ensures that password complexity requirements are met, such as case sensitivity, alphanumeric and special characters, etc. This ensures the selection of strong passwords that cannot be guessed by a hacker and can potentially thwart logins by unauthorized persons. The setting should conform to the organization's password policy requirement.
    Recommendation: Enable a custom password verification function to conform to the password policy requirements of the organization.

36. Test procedure: Ensure 'SESSIONS_PER_USER' is less than or equal to '10'.
    Risk implication: This setting limits the number of sessions a user can open concurrently at a time (SESSIONS_PER_USER). It could help to prevent memory resource overutilization by poorly formed requests or intentional Denial of Service (DoS) attacks. The setting should conform to the organization's password policy requirement.
    Recommendation: Set 'SESSIONS_PER_USER' to less than or equal to '10' (as applicable to the password policy of the organization). Use the following script to effect the setting:
    ALTER PROFILE <profile_name> LIMIT SESSIONS_PER_USER 10;

37. Test procedure: Ensure no user is assigned the 'DEFAULT' profile unless they have a need to use the profile.
    Risk implication: It is generally recommended that users be created with a specific function/custom profile with the privileges required to perform their duties. The DEFAULT profile defined by Oracle is subject to change at any time when patches are applied or the version changes. The DEFAULT profile has unlimited settings that are usually required by the SYS or SYSTEM default user accounts. Such unlimited privileges should be reserved only for super user accounts used for administrative functions and not for ordinary users.
    Recommendation: Assign the appropriate profile in place of the DEFAULT profile using the following script, as required by the organization's password and access control policies:
    ALTER USER <username> PROFILE <appropriate_profile>;
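Items 29 to 36 are threshold checks on profile limits, and two things make them harder to evaluate from a `DBA_PROFILES` export than they look: a limit of `DEFAULT` in a custom profile means "use the DEFAULT profile's value", and `UNLIMITED` passes a lower bound (items 30, 32, 33) but fails an upper bound (items 29, 31, 34, 36). Item 25 adds a deliberate exception, since service-account profiles are expected to keep FAILED_LOGIN_ATTEMPTS at UNLIMITED. The Python script below is an added example, not code from this book; the profile rows are a constructed sample of `SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES`, and the set of service-account profiles is an assumed input the auditor would supply.

```python
"""Evaluate DBA_PROFILES limits against items 29 to 36 above, resolving DEFAULT
(inherit from the DEFAULT profile) and UNLIMITED, and applying item 25's
exception for unattended service-account profiles. Added example, not the
book's code; the profile data and the set of service profiles are constructed."""

AT_MOST, AT_LEAST = "at most", "at least"

# Thresholds from items 29 to 34 and 36.
CHECKS = {
    "FAILED_LOGIN_ATTEMPTS": (AT_MOST, 5),
    "PASSWORD_LOCK_TIME": (AT_LEAST, 1),
    "PASSWORD_LIFE_TIME": (AT_MOST, 90),
    "PASSWORD_REUSE_MAX": (AT_LEAST, 20),
    "PASSWORD_REUSE_TIME": (AT_LEAST, 365),
    "PASSWORD_GRACE_TIME": (AT_MOST, 5),
    "SESSIONS_PER_USER": (AT_MOST, 10),
}

# Constructed rows of SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES,
# grouped as {profile: {resource: limit}}; a resource missing from a custom
# profile is treated as DEFAULT.
SAMPLE_DBA_PROFILES = {
    "DEFAULT": {"FAILED_LOGIN_ATTEMPTS": "10", "PASSWORD_LOCK_TIME": "1",
                "PASSWORD_LIFE_TIME": "180", "PASSWORD_REUSE_MAX": "UNLIMITED",
                "PASSWORD_REUSE_TIME": "UNLIMITED", "PASSWORD_GRACE_TIME": "7",
                "PASSWORD_VERIFY_FUNCTION": "NULL", "SESSIONS_PER_USER": "UNLIMITED"},
    "APP_USER": {"FAILED_LOGIN_ATTEMPTS": "5", "PASSWORD_LOCK_TIME": "DEFAULT",
                 "PASSWORD_LIFE_TIME": "90", "PASSWORD_REUSE_MAX": "20",
                 "PASSWORD_REUSE_TIME": "365", "PASSWORD_GRACE_TIME": "5",
                 "PASSWORD_VERIFY_FUNCTION": "ORA12C_STRONG_VERIFY_FUNCTION",
                 "SESSIONS_PER_USER": "DEFAULT"},
    "SVC_BATCH": {"FAILED_LOGIN_ATTEMPTS": "UNLIMITED", "PASSWORD_LIFE_TIME": "UNLIMITED",
                  "PASSWORD_VERIFY_FUNCTION": "ORA12C_STRONG_VERIFY_FUNCTION"},
}
SERVICE_PROFILES = {"SVC_BATCH"}   # assumed: profiles of unattended service accounts (item 25)

def effective_limit(profiles, profile, resource):
    """Resolve a profile's limit: DEFAULT means the DEFAULT profile's value.
    A resource absent even from DEFAULT is treated as UNLIMITED (assumption)."""
    limit = profiles.get(profile, {}).get(resource, "DEFAULT").upper()
    if limit == "DEFAULT":
        limit = profiles.get("DEFAULT", {}).get(resource, "UNLIMITED").upper()
        if limit == "DEFAULT":
            limit = "UNLIMITED"
    return limit

def limit_ok(kind, threshold, limit):
    """UNLIMITED never satisfies an upper bound and always satisfies a lower
    bound; time limits may be fractional days, hence float()."""
    if limit == "UNLIMITED":
        return kind == AT_LEAST
    try:
        value = float(limit)
    except ValueError:
        return False
    return value <= threshold if kind == AT_MOST else value >= threshold

def audit_profiles(profiles, service_profiles=frozenset()):
    """Return (profile, resource, effective limit, expectation) per deviation."""
    findings = []
    for profile in profiles:
        for resource, (kind, threshold) in CHECKS.items():
            limit = effective_limit(profiles, profile, resource)
            if resource == "FAILED_LOGIN_ATTEMPTS" and profile in service_profiles:
                # Item 25: unattended accounts must not be lockable by failed logins.
                if limit != "UNLIMITED":
                    findings.append((profile, resource, limit, "UNLIMITED"))
                continue
            if not limit_ok(kind, threshold, limit):
                findings.append((profile, resource, limit, f"{kind} {threshold}"))
        verify_fn = effective_limit(profiles, profile, "PASSWORD_VERIFY_FUNCTION")
        if verify_fn in ("NULL", "UNLIMITED", ""):      # item 35: a function must be set
            findings.append((profile, "PASSWORD_VERIFY_FUNCTION", verify_fn, "function set"))
    return findings

if __name__ == "__main__":
    for finding in audit_profiles(SAMPLE_DBA_PROFILES, SERVICE_PROFILES):
        print("%-10s %-26s is %-10s expected %s" % finding)
```

Because custom profiles inherit from DEFAULT, a weak DEFAULT profile shows up again in every profile that leaves a limit at `DEFAULT` (APP_USER's SESSIONS_PER_USER in the sample), which is the concrete reason behind item 37's advice to keep ordinary users off the DEFAULT profile.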

Unwarranted System Privileges

38. Test procedure: Ensure that 'GRANT ANY OBJECT PRIVILEGE' is revoked from any unauthorized 'GRANTEE'.
    Risk implication: The GRANT ANY OBJECT PRIVILEGE system privilege, if not revoked, could allow an unauthorized user to access/change confidential data or damage the data set of an Oracle instance. However, this setting should be made according to the needs of the organization.
    Recommendation: Revoke 'GRANT ANY OBJECT PRIVILEGE' by running the following script:
    REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;

39. Test procedure: Ensure 'GRANT ANY ROLE' is revoked from any unauthorized 'GRANTEE'.
    Risk implication: The GRANT ANY ROLE system privilege, if not revoked, could allow an unauthorized user to access/change confidential data or damage the data set of an Oracle instance. However, this setting should be made according to the needs of the organization.
    Recommendation: Revoke 'GRANT ANY ROLE' by running the following script:
    REVOKE GRANT ANY ROLE FROM <grantee>;

40. Test procedure: Ensure 'GRANT ANY PRIVILEGE' is revoked from any unauthorized 'GRANTEE'.
    Risk implication: The GRANT ANY PRIVILEGE system privilege, if not revoked, could allow an unauthorized user to access/change confidential data or damage the data set of an Oracle instance. However, this setting should be made according to the needs of the organization.
    Recommendation: Revoke 'GRANT ANY PRIVILEGE' by running the following script:
    REVOKE GRANT ANY PRIVILEGE FROM <grantee>;

41. Test procedure: Ensure the 'DBA' role is revoked from any unauthorized 'GRANTEE'.
    Risk implication: Assigning the DBA role to a non-DBA user is regarded as excessive access and provides more than the required privileges or access to the user, which is not based on the least privilege principle for access. This could give room for data breaches, unauthorized access and denial of service attacks.
    Recommendation: Revoke 'DBA' by running the following script:
    REVOKE DBA FROM <grantee>;

Audit Trail and Logging Controls


42 Enable 'USER', 'ALTER Not enabling these audit Ensure that the listed
USER', 'DROP USER', settings or parameter could audit settings or
'ROLE', 'SYSTEM GRANT', lead to missing of vital audit parameters are enabled
'PROFILE', 'ALTER trail that will aid in to provide vital audit trail
PROFILE', 'DROP investigating unauthorized of users and
PROFILE', 'DATABASE activities on the database. administrators’ activities.
LINK', 'PUBLIC DATABASE Any unauthorized attempts
LINK', 'PUBLIC SYNONYM', to create, alter, drop,
'SYNONYM', 'GRANT update or delete any user
DIRECTORY', 'SELECT ANY data or system parameter
DICTIONARY', 'GRANT would not be logged for
ANY OBJECT audit trail
PRIVILEGE', 'GRANT ANY
PRIVILEGE', 'DROP ANY
PROCEDURE',
'PROCEDURE', 'ALTER
SYSTEM', 'TRIGGER',
'CREATE SESSION'
Audit Option
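The items above (the GRANT ANY system privileges, the DBA role and the statement audit options) can all be verified from the Oracle data dictionary before any REVOKE or AUDIT statement is issued. The Oracle SQL below is an added example and not part of the book's audit program; it assumes that the traditional (non-unified) audit trail is in use, so that DBA_STMT_AUDIT_OPTS reflects the AUDIT statements, and that the session has SELECT on the DBA_* views. The <grantee> placeholders are the checklist's own.

```sql
-- Added example (not from the book): Oracle data-dictionary checks for items 39 to 42
-- and the GRANT ANY OBJECT PRIVILEGE item that precedes them.
-- Assumptions: traditional (non-unified) auditing is in use, so DBA_STMT_AUDIT_OPTS
-- reflects the AUDIT statements, and the session has SELECT on the DBA_* views.

-- Items 39 and 40 (and the preceding GRANT ANY OBJECT PRIVILEGE item): holders of the
-- three "GRANT ANY ..." system privileges. SYS, SYSTEM and the DBA role hold them by
-- design and are excluded; every other grantee needs a business justification.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('GRANT ANY ROLE', 'GRANT ANY PRIVILEGE', 'GRANT ANY OBJECT PRIVILEGE')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY privilege, grantee;
-- Remediation, one statement per unauthorized grantee (wording from the checklist):
-- REVOKE GRANT ANY ROLE FROM <grantee>;
-- REVOKE GRANT ANY PRIVILEGE FROM <grantee>;
-- REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;

-- Item 41: direct grantees of the DBA role (a role granted to another role is listed too).
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee;
-- REVOKE DBA FROM <grantee>;

-- Item 42: each statement audit option in the checklist must be set system-wide
-- (USER_NAME and PROXY_NAME are NULL) with SUCCESS and FAILURE both 'BY ACCESS'.
-- Only the options that are missing or not set BY ACCESS are returned.
SELECT r.audit_option,
       NVL(o.success, 'NOT SET') AS success,
       NVL(o.failure, 'NOT SET') AS failure
  FROM (SELECT 'USER' AS audit_option FROM dual
        UNION ALL SELECT 'ALTER USER' FROM dual
        UNION ALL SELECT 'DROP USER' FROM dual
        UNION ALL SELECT 'ROLE' FROM dual
        UNION ALL SELECT 'SYSTEM GRANT' FROM dual
        UNION ALL SELECT 'PROFILE' FROM dual
        UNION ALL SELECT 'ALTER PROFILE' FROM dual
        UNION ALL SELECT 'DROP PROFILE' FROM dual
        UNION ALL SELECT 'DATABASE LINK' FROM dual
        UNION ALL SELECT 'PUBLIC DATABASE LINK' FROM dual
        UNION ALL SELECT 'PUBLIC SYNONYM' FROM dual
        UNION ALL SELECT 'SYNONYM' FROM dual
        UNION ALL SELECT 'GRANT DIRECTORY' FROM dual
        UNION ALL SELECT 'SELECT ANY DICTIONARY' FROM dual
        UNION ALL SELECT 'GRANT ANY OBJECT PRIVILEGE' FROM dual
        UNION ALL SELECT 'GRANT ANY PRIVILEGE' FROM dual
        UNION ALL SELECT 'DROP ANY PROCEDURE' FROM dual
        UNION ALL SELECT 'PROCEDURE' FROM dual
        UNION ALL SELECT 'ALTER SYSTEM' FROM dual
        UNION ALL SELECT 'TRIGGER' FROM dual
        UNION ALL SELECT 'CREATE SESSION' FROM dual) r
  LEFT JOIN dba_stmt_audit_opts o
    ON o.audit_option = r.audit_option
   AND o.user_name IS NULL
   AND o.proxy_name IS NULL
 WHERE o.audit_option IS NULL
    OR o.success <> 'BY ACCESS'
    OR o.failure <> 'BY ACCESS'
 ORDER BY r.audit_option;
-- Remediation is AUDIT <option> BY ACCESS; for each row returned, e.g.
-- AUDIT CREATE SESSION BY ACCESS;
```

The third query returns no rows on a compliant instance, which makes it suitable as a repeatable evidence step: a non-empty result is the finding, and the rows name the exact AUDIT statements still to be run.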



SQL Server Database Audit Requirements

The following commands should be run on Microsoft SQL Server and their output reviewed.

· SELECT NAME, CAST(VALUE AS INT) AS VALUE_CONFIGURED, CAST(VALUE_IN_USE AS INT) AS VALUE_IN_USE FROM SYS.CONFIGURATIONS;
· SELECT SERVERPROPERTY('ProductLevel') as SP_installed, SERVERPROPERTY('ProductVersion') as Version;
· SELECT db_name(database_id) AS db, name, data_space_id, physical_name FROM sys.master_files;
· SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') as [login_mode];
· execute xp_loginconfig 'audit level';
· SELECT * FROM SYS.ASSEMBLIES;
· SELECT * FROM sys.databases;
· SELECT * FROM sys.server_principals;
· SELECT * FROM master.sys.server_permissions;
· SELECT * FROM sys.sql_logins;

Please note that the following evidence is also required; however, these commands and files have to be extracted or executed at the operating system level.
· Open SQL Server Configuration Manager and go to SQL Server Network Configuration (print screen).
· PowerShell (PS) C:\>Get-WmiObject -Class Win32_Service
· Print screen showing the trace log file in the OS.
· Print screen showing the scheduled backup settings.



SQL Server Database Audit Checklist

1. Ensure that the 'Ad Hoc Distributed Queries' option is disabled on MSSQL Server, because it allows users to query data and execute statements on external data sources.
   Risk Implication: If this feature is not disabled, it could be used to remotely access and exploit vulnerabilities on remote SQL Server instances. It could also be used to run unsafe application functions.
   Recommendation: Disable 'Ad Hoc Distributed Queries' on MSSQL Server.

2. Ensure that CLR assemblies are disabled on the MSSQL Server instance.
   Risk Implication: Allowing the use of CLR assemblies increases the attack surface of SQL Server and puts it at risk of malicious assemblies.
   Recommendation: Disable CLR assemblies on MSSQL Server.

3. Ensure that the db_owner role is disabled on the database instance, as it permits cross-database ownership chaining in the SQL Server instance.
   Risk Implication: If this option is not disabled, a member of the db_owner role in a given database can gain access to objects owned by a user/account in another database, which is excessive disclosure of information.
   Recommendation: Disable the db_owner role on the database, or obtain management approval to accept its use as a residual risk if it is needed.

4. Ensure that Database Mail is disabled in MSSQL Server.
   Risk Implication: Allowing this feature (Database Mail) increases the SQL Server attack surface and makes the database vulnerable to DoS attacks and data theft from the database server to a remote host.
   Recommendation: Disable the Database Mail feature on the SQL Server instance.

5. Ensure that extended stored procedures ('Ole Automation Procedures'), which allow SQL Server users to execute functions that are external to SQL Server, are disabled.
   Risk Implication: Allowing extended stored procedures increases the attack surface of the SQL Server database, as users could execute functions in SQL Server without any restriction.
   Recommendation: Disable extended stored procedures on the SQL Server database instance.

6. Ensure that execution of local stored procedures on remote servers, or of remote stored procedures on the local server (i.e. the 'Remote access' option), is not permitted on SQL Server.
   Risk Implication: This remote access feature could be abused to launch a Denial-of-Service (DoS) attack on remote servers through query processing off-load.
   Recommendation: Disable remote stored procedure execution on the local server, and vice versa, on the SQL Server database.

7. Ensure that 'Remote admin connections' is enabled (i.e. '1') if SQL Server is running in a failover cluster, or disabled (i.e. the default '0') if it is not in use. This setting controls whether a client application on a remote computer can use the Dedicated Administrator Connection (DAC).
   Risk Implication: The Dedicated Administrator Connection (DAC) allows an administrator to run diagnostic functions, SQL statements or troubleshooting on the server, even when the server is not responding to a SQL Server Database Engine connection or is locked.
   Recommendation: This feature should be enabled or disabled according to the need of the organization.

8. Ensure that the 'Scan for startup procs' feature or option is disabled on the SQL Server database. This option causes SQL Server to scan for and automatically run all stored procedures that are set to execute when the service is started.
   Risk Implication: Revoking this control minimizes the risk of it being used to cause harm to the database.
   Recommendation: Revoke 'scan for startup procs' on the SQL Server instance to safeguard the database.

9. Ensure that the 'SQL Mail XPs' service/feature is disabled on the database.
   Risk Implication: Disabling this service reduces the SQL Server attack surface, makes the database less vulnerable to DoS attacks and prevents data theft from the database server to a remote host.
   Recommendation: Disable 'SQL Mail XPs' on the SQL Server database.

10. Ensure that the TRUSTWORTHY option is disabled on the database.
   Risk Implication: The TRUSTWORTHY option permits database objects to access objects in another database under specific conditions.
   Recommendation: Disable the database TRUSTWORTHY option.

11. Ensure that xp_cmdshell is disabled on the SQL Server database.
   Risk Implication: This service is commonly used by attackers to read or write data to/from the underlying operating system of a SQL database server.
   Recommendation: Disable the xp_cmdshell service/feature on the database.
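Items 1 to 11 are configuration options visible in sys.configurations (or, for items 3 and 10, per-database flags in sys.databases), so they can be scored in one pass instead of being read off the raw listing produced by the commands on the audit requirements page. The T-SQL below is an added example, not the book's own script. The expected values are the ones the checklist asks for; item 7 is reported rather than judged because the checklist leaves it to the organization; the msdb exception for TRUSTWORTHY and the master/model/tempdb exception for ownership chaining reflect SQL Server defaults that cannot be changed.

```sql
-- Added example (not from the book): scoring checklist items 1 to 11 from the catalog views.
-- Run in SQL Server Management Studio or sqlcmd with sysadmin rights.

-- Expected value per option, keyed by the checklist item number. NULL = report only.
DECLARE @expected TABLE (item INT, name NVARCHAR(35), expected INT NULL);
INSERT INTO @expected (item, name, expected) VALUES
  (1,  N'Ad Hoc Distributed Queries', 0),
  (2,  N'clr enabled',                0),
  (4,  N'Database Mail XPs',          0),
  (5,  N'Ole Automation Procedures',  0),
  (6,  N'remote access',              0),
  (7,  N'remote admin connections',   NULL),  -- organization decides (1 when the DAC is needed remotely)
  (8,  N'scan for startup procs',     0),
  (9,  N'SQL Mail XPs',               0),
  (11, N'xp_cmdshell',                0);

-- Item-by-item verdict. value_in_use is what the instance is running with now;
-- value is the configured value that takes effect after RECONFIGURE. Both must match,
-- otherwise a pending change could silently re-enable the feature.
SELECT e.item,
       c.name,
       CAST(c.value AS INT)        AS value_configured,
       CAST(c.value_in_use AS INT) AS value_in_use,
       e.expected,
       CASE WHEN e.expected IS NULL THEN 'REVIEW'
            WHEN CAST(c.value_in_use AS INT) = e.expected
             AND CAST(c.value AS INT) = e.expected THEN 'PASS'
            ELSE 'FAIL' END          AS verdict
  FROM @expected e
  JOIN sys.configurations c ON c.name = e.name
 ORDER BY e.item;

-- Items 3 and 10 are per-database flags. Item 3's concern is what a db_owner member can
-- reach through cross-database ownership chaining, so the chaining flag is what is tested.
-- msdb is TRUSTWORTHY by default; master, model and tempdb always have chaining on.
SELECT name,
       is_db_chaining_on,
       is_trustworthy_on,
       CASE WHEN is_trustworthy_on = 1 AND name <> N'msdb' THEN 'FAIL (item 10)'
            WHEN is_db_chaining_on = 1
             AND name NOT IN (N'master', N'model', N'tempdb') THEN 'FAIL (item 3)'
            ELSE 'PASS' END AS verdict
  FROM sys.databases
 ORDER BY name;

-- Server-wide switch for item 3 (0 = chaining only where a database enables it).
SELECT name, CAST(value_in_use AS INT) AS value_in_use
  FROM sys.configurations
 WHERE name = N'cross db ownership chaining';

-- Remediation for a failed item (run only after change approval), e.g.:
-- EXEC sp_configure 'show advanced options', 1;     RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;               RECONFIGURE;
-- EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
-- ALTER DATABASE [<database>] SET TRUSTWORTHY OFF;
-- ALTER DATABASE [<database>] SET DB_CHAINING OFF;
```

Comparing both value and value_in_use is the detail worth keeping: an option that shows 0 in use but 1 configured will flip to enabled at the next RECONFIGURE, which a single-column check would miss.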
12. Ensure that execute permission on xp_instance_regread is revoked from public.
   Risk Implication: Revoking this permission will help secure the SQL Server database.
   Recommendation: To do this, generate a list of users and database roles that are granted execute permission on the registry extended stored procedures, then revoke the execute right on xp_instance_regread from public.

13. Ensure that the SQL Server database super user account ('SA') is disabled.
   Risk Implication: This reduces the SQL Server attack surface, given that 'sa' is a default account which is known to every attacker on the internet. Disabling this account and assigning its privileges to another user (preferably the DBA) is the best practice.
   Recommendation: Disable the 'SA' account on the SQL Server database and assign the privileges of this account to a Database Administrator.

14. Ensure that the login for the built-in administrator account (BUILTIN\Administrator) is dropped on the SQL Server database.
   Risk Implication: The built-in administrator login gives members of the Administrators group on the operating system of the SQL Server automatic admin rights to the database even though they are not DBAs. Maintaining this login will not ensure separation of duties between the database administrators and the operating system/server administrators.
   Recommendation: Drop the login for the built-in administrator (BUILTIN\Administrator) on the SQL Server database.

15. Where the 'SA' account is to be retained on the SQL Server database, ensure that it is concealed by renaming it with an abstract name.
   Risk Implication: Doing so will reduce the attack surface and prevent the account from being exploited, given that it is a known default account.
   Recommendation: Rename the 'SA' account with an abstract name if it is to be used.

16. Ensure that the CONNECT right is revoked from the guest user on each SQL database instance except master and tempdb.
   Risk Implication: Revoking CONNECT for guest users reduces the database attack surface and prevents unauthorized access.
   Recommendation: Revoke CONNECT for guest users, except for master and tempdb.

17. Ensure that only the required components, services and features of the database are installed or enabled.
   Risk Implication: The more components, services or features beyond those required are installed or enabled, the more the database is exposed to compromise and security problems.
   Recommendation: Install or enable only the required components, services and features, in line with the least privilege principle.

18. Ensure that the latest service packs and critical security hot fixes for SQL Server are installed.
   Risk Implication: Installing all critical hot fixes and patches prevents known vulnerabilities from being exploited to attack the database.
   Recommendation: Install the latest patches, critical fixes and service packs on all SQL Servers to secure the database from being compromised.

19. Disable the unused SQL Server protocols. SQL Server supports the following protocols: Shared Memory, Named Pipes, VIA and TCP/IP.
   Risk Implication: Enabling protocols that are not needed is a security risk and increases the attack surface of the SQL Server database. Only enable the protocols that are required and disable the others using the SQL Server Configuration Manager.
   Recommendation: Enable protocols on a need-to-use basis and in line with the organization's baseline standard for SQL Server databases.

20. Ensure that access to SQL Server configuration and database files is restricted and accessible only to the DBAs.
   Risk Implication: Access to SQL Server configuration and database files should be given only on a need-to-do basis and specifically to DBA profiles. Not restricting these files could lead to unauthorized access, copying, alteration or deletion of the files, which could result in service unavailability.
   Recommendation: Access to SQL Server configuration and database files should be restricted according to the policy of the organization.

21. Ensure that the default ports of SQL Server are changed. This is to prevent port scanning using those ports.
   Risk Implication: SQL Server is installed with the default TCP port 1433, which is known to everyone, including attackers on the internet. Attackers could launch targeted attacks or port scanning using those default ports if they are not changed during set up.
   Recommendation: Change the default SQL Server port (1433) in the SQL Server Configuration Manager to protect the database from known attacks.

22. Ensure that Transparent Data Encryption (TDE) is used as the encryption of choice in the SQL Server database.
   Risk Implication: This is to enhance the integrity of data stored in the database.
   Recommendation: Configure Transparent Data Encryption (TDE) on SQL Server.

23. Ensure that execute rights for 'PUBLIC' on extended stored procedures are revoked to protect the database. The following extended stored procedures should be reviewed, as applicable: xp_availablemedia, xp_dirtree, xp_enumgroups, xp_fixeddrives, xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues, xp_regremovemultistring, xp_regwrite, xp_regread, xp_servicecontrol, xp_subdirs.
   Risk Implication: Not revoking execute rights on these extended stored procedures potentially increases the attack surface of the database.
   Recommendation: Revoke execute rights for 'PUBLIC' on the listed extended stored procedures.
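Items 12 to 16 and 23 concern logins and permissions that are recorded in the master database. The T-SQL below is an added example rather than the book's script. It assumes sysadmin rights; it identifies 'sa' by its fixed SID 0x01 so that an account renamed under item 15 is still found; and it excludes msdb from the guest CONNECT check in addition to the master and tempdb exceptions the checklist names, because SQL Server itself requires guest access to msdb.

```sql
-- Added example (not from the book): T-SQL for checklist items 12 to 16 and 23.
-- Assumes sysadmin rights. Extended procedures and logins are catalogued in master.
USE master;

-- Items 13 and 15: 'sa' has the fixed SID 0x01, so renaming it does not hide it from this check.
SELECT name, is_disabled,
       CASE WHEN is_disabled = 0 THEN 'FAIL (item 13: sa login enabled)'
            WHEN name = N'sa'   THEN 'WARN (item 15: sa not renamed)'
            ELSE 'PASS' END AS verdict
  FROM sys.sql_logins
 WHERE sid = 0x01;
-- Remediation (after change approval):
-- ALTER LOGIN [sa] DISABLE;                      -- item 13
-- ALTER LOGIN [sa] WITH NAME = [<new_name>];     -- item 15

-- Item 14: the local Administrators group login. Any row returned is the finding.
SELECT name, type_desc, is_disabled,
       'FAIL (item 14: BUILTIN\Administrators login exists)' AS verdict
  FROM sys.server_principals
 WHERE name = N'BUILTIN\Administrators';
-- DROP LOGIN [BUILTIN\Administrators];

-- Items 12 and 23: EXECUTE held by public on the registry and other extended procedures
-- named in the checklist. class 1 = object permission; state G/W = granted (with/without
-- GRANT OPTION). sys.all_objects is used because system procedures are not in sys.objects.
SELECT o.name AS procedure_name, p.state_desc, pr.name AS grantee,
       'FAIL (item 12/23: public can execute)' AS verdict
  FROM sys.database_permissions  p
  JOIN sys.all_objects           o  ON o.object_id = p.major_id
  JOIN sys.database_principals   pr ON pr.principal_id = p.grantee_principal_id
 WHERE p.class = 1
   AND p.permission_name = N'EXECUTE'
   AND p.state IN ('G', 'W')
   AND pr.name = N'public'
   AND o.name IN (N'xp_instance_regread', N'xp_availablemedia', N'xp_dirtree', N'xp_enumgroups',
                  N'xp_fixeddrives', N'xp_regaddmultistring', N'xp_regdeletekey',
                  N'xp_regdeletevalue', N'xp_regenumvalues', N'xp_regremovemultistring',
                  N'xp_regwrite', N'xp_regread', N'xp_servicecontrol', N'xp_subdirs')
 ORDER BY o.name;
-- REVOKE EXECUTE ON [xp_instance_regread] FROM public;   -- likewise for each procedure listed

-- Item 16: guest CONNECT in every online user database. master and tempdb are excluded as
-- the checklist says; msdb is excluded as well because SQL Server requires guest access there.
DECLARE @sql NVARCHAR(MAX) = N'';
SELECT @sql += N'USE ' + QUOTENAME(name) + N';
SELECT DB_NAME() AS db, ''FAIL (item 16: guest has CONNECT)'' AS verdict
  FROM sys.database_permissions p
  JOIN sys.database_principals u ON u.principal_id = p.grantee_principal_id
 WHERE u.name = N''guest''
   AND p.permission_name = N''CONNECT''
   AND p.state IN (''G'', ''W'');
'
  FROM sys.databases
 WHERE name NOT IN (N'master', N'tempdb', N'msdb')
   AND state_desc = N'ONLINE';
EXEC sp_executesql @sql;
-- In each database reported: REVOKE CONNECT FROM guest;
```

Each statement is written so that an empty result set means "compliant" and every returned row carries the item number it fails, which keeps the evidence for the working papers self-describing.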
24. Ensure that every user and administrator in the SQL Server database has a named login account. Shared logins or the use of generic accounts should not be allowed.
   Risk Implication: The use of shared logins or generic accounts does not ensure accountability, responsibility and non-repudiation of users' and administrators' actions on the system when these are required during the investigation of a security breach on the database.
   Recommendation: Disable all shared logins or generic accounts that are used by administrators or other users to access the database. Service accounts should only be created for applications and not used for any login activity.

25. Ensure that users and administrators log on to the SQL Server database using their Active Directory (AD) credentials rather than SQL Server logins. The use of SQL Server logins should be discouraged within the organization due to their administrative overhead.
   Risk Implication: Administrative activities/jobs are made easier if users and administrators are granted access to the database via Active Directory groups or Group Policy. All that is required is to add a user as a member of a group/container on the AD that has already been granted access to the database. Access can easily be withdrawn once the user has been disabled on the AD.
   Recommendation: Revoke all SQL Server logins and grant users access to the database via Active Directory.

26. Ensure that service accounts are used for applications. Applications must not use individual or 'SA' accounts to insert or retrieve data from the database. The required level of access should be granted to the service accounts based on the organization's business rules.
   Risk Implication: Using service accounts for applications ensures that activities or transactions posted to the database from those accounts are traceable/auditable (audit trail).
   Recommendation: Service accounts should be used for applications. Individual or 'sa' accounts should not be used to post transactions into the database.

27. Ensure that application service accounts are configured with the least privileges required for the service being rendered.
   Risk Implication: Restricting the rights of application service accounts to the services being rendered is critical in preventing abuse, fraudulent activities and unauthorized access. Access rights that are not required should be revoked.
   Recommendation: Review all application service accounts and ensure that rights are granted in line with the least privilege principle.

28. Ensure that the password policy implemented on the SQL Server for administrators meets the required standard and baseline of the organization. The following password parameters must be set: password ageing, complexity requirement, length, idle time, case sensitivity, etc.
   Risk Implication: Weak password parameter settings result in users and administrators selecting weak passwords, which are vulnerable to brute force and dictionary attacks.
   Recommendation: Implement strong password parameter requirements on the SQL Server database. As much as possible, use Active Directory to manage user access to the database.

29. Ensure that SQL Server login auditing (the xp_loginconfig 'audit level' parameter, for both failed and successful logins) and trace logs are configured, and that the logs are backed up to external removable media from the OS where they are stored. The trace log could also be consolidated into a DAM (Database Activity Monitoring) tool such as Imperva.
   Risk Implication: There is a risk that the activities of users and administrators cannot be retrieved for review during an investigation if the trace logs are not activated to capture such activities.
   Recommendation: Enable the trace log on the SQL Server database to capture an audit trail of users and other activities as required.

30. Ensure that SQL Server instances running on unsupported database and operating system versions (e.g. SQL Server and Windows Server 2000, 2003, 2007, 2010) are decommissioned and the affected databases migrated to newer and supported versions of SQL Server and operating systems.
   Risk Implication: Allowing a database to run on unsupported SQL Server and operating system versions is a security risk for the organization, as the database could still be vulnerable to known vulnerabilities that have been resolved in newer versions. Also, the organization will not be able to get support on unsupported versions of SQL Server or operating systems when needed.
   Recommendation: Migrate all databases running on unsupported SQL Server and operating system versions to newer, supported versions to protect the organization from security breaches and support-related challenges.

31. Ensure that no local group (i.e. Windows or UNIX) is allowed to have login rights on the SQL Server database. This provides a loophole whereby anyone with OS-level admin rights could add users to the local group account and thereby give themselves or others undue access to the SQL Server instance.
   Risk Implication: Allowing a local OS group account login access to a SQL Server database is a security risk, as OS users with the required rights could add users to the group, thereby giving such users express access to the database. This is better done by creating and managing such group accounts directly using the Active Directory (AD) service.
   Recommendation: Revoke all local OS group accounts that have login rights to the SQL Server database and use the Active Directory service to manage such access instead.
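Items 24, 25, 28, 29, 30 and 31 are all about who can log in and how. The T-SQL below is an added example, not the book's own. It assumes that a Windows group login named BUILTIN\... or <machine name>\... (the machine name taken from SERVERPROPERTY('MachineName')) is a local group rather than a domain group, which is the distinction item 31 draws, and that shared or generic logins still have to be picked out of the inventory by the auditor, since no catalog view marks them as such.

```sql
-- Added example (not from the book): T-SQL for checklist items 24, 25, 28, 29, 30 and 31.
-- Assumes sysadmin rights. Local groups are recognised by the BUILTIN\ or <MachineName>\ prefix.

-- Items 24/25: login inventory by type. SQL logins (S) are the ones the checklist wants
-- replaced by Active Directory logins; shared/generic names are for the auditor to flag.
SELECT name, type_desc, is_disabled, create_date
  FROM sys.server_principals
 WHERE type IN ('S', 'U', 'G')          -- SQL login, Windows login, Windows group
   AND name NOT LIKE N'##%'             -- certificate-based internal logins
   AND name NOT LIKE N'NT SERVICE\%'
   AND name NOT LIKE N'NT AUTHORITY\%'
 ORDER BY type_desc, name;

-- Item 31: Windows group logins that belong to the local machine rather than the domain.
DECLARE @machine SYSNAME = CAST(SERVERPROPERTY('MachineName') AS SYSNAME);
SELECT name, is_disabled, 'FAIL (item 31: local group login)' AS verdict
  FROM sys.server_principals
 WHERE type = 'G'
   AND (name LIKE N'BUILTIN\%' OR name LIKE @machine + N'\%');
-- DROP LOGIN [<MachineName>\<group>];

-- Item 28: enabled SQL logins that bypass the Windows password policy or expiration.
-- (AD logins inherit the domain policy, which is why item 28 prefers them.)
SELECT name, is_policy_checked, is_expiration_checked,
       CASE WHEN is_policy_checked = 0 OR is_expiration_checked = 0
            THEN 'FAIL (item 28: policy not enforced)' ELSE 'PASS' END AS verdict
  FROM sys.sql_logins
 WHERE is_disabled = 0
 ORDER BY name;
-- ALTER LOGIN [<login>] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- Item 29: login auditing level. 'all' means both failed and successful logins are written
-- to the error log, which is what the checklist requires.
DECLARE @cfg TABLE (name SYSNAME, config_value NVARCHAR(128));
INSERT INTO @cfg (name, config_value) EXEC master.dbo.xp_loginconfig 'audit level';
SELECT name,
       config_value,
       CASE WHEN config_value = N'all' THEN 'PASS'
            ELSE 'FAIL (item 29: audit level is not all)' END AS verdict
  FROM @cfg;

-- Item 30: product version and service pack level, to compare with the vendor's support
-- lifecycle; the operating system version comes from the OS-level evidence, not from here.
SELECT SERVERPROPERTY('ProductVersion') AS version,
       SERVERPROPERTY('ProductLevel')   AS service_pack,
       SERVERPROPERTY('Edition')        AS edition;
```

The audit level is captured into a table variable rather than just displayed so that the verdict is computed the same way as the other checks and the whole script can be re-run after remediation to confirm closure.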



CHAPTER – 16 Audit of Virtualized Infrastructure



Audit of Virtualized Infrastructure (VMware, ESXi Host, vCenter, Vblock, VMAX, vMotion)

Below are commands to execute on the VM infrastructure to obtain audit information.

PowerCLI commands:

· # List the installed VIBs and their acceptance level for every host
  Foreach ($VMHost in Get-VMHost) { $ESXCli = Get-EsxCli -VMHost $VMHost; $ESXCli.software.vib.list() | Select-Object @{N="VMHost";E={$VMHost}}, Name, AcceptanceLevel, CreationDate, ID, InstallDate, Status, Vendor, Version; }
· # List the NTP settings for all hosts
  Get-VMHost | Select Name, @{N="NTPSetting";E={$_ | Get-VMHostNtpServer}}
· # List all services for a host
  Get-VMHost HOST1 | Get-VMHostService
· # List the services which are enabled and have rules defined for specific IP ranges to access the service
  Get-VMHost HOST1 | Get-VMHostFirewallException | Where {$_.Enabled -and (-not $_.ExtensionData.AllowedHosts.AllIP)}
· # List the services which are enabled and do not have rules defined for specific IP ranges to access the service
  Get-VMHost HOST1 | Get-VMHostFirewallException | Where {$_.Enabled -and ($_.ExtensionData.AllowedHosts.AllIP)}
· # List Net.DVFilterBindIpAddress for each host
  Get-VMHost | Select Name, @{N="Net.DVFilterBindIpAddress";E={$_ | Get-VMHostAdvancedConfiguration Net.DVFilterBindIpAddress | Select -ExpandProperty Values}}
· verify-ssl-certificates
· # List Syslog.global.logDir for each host
  Get-VMHost | Select Name, @{N="Syslog.global.logDir";E={$_ | Get-VMHostAdvancedConfiguration Syslog.global.logDir | Select -ExpandProperty Values}}

ESXi Shell or vCLI Commands:


· esxcli software acceptance get
· esxcli software vib list
· esxcli system module list
· Run per module “esxcli system module get -m <module>”
· vim-cmd proxysvc/service_list



Audit Checklist for Virtual Infrastructure (VMware, ESXi Host, vCenter, Vblock, VMAX, vMotion)

1. Ensure that patch management of the virtual machine hosts is automated and regular as required. This is to make sure that the vSphere and VMware hosts are not running on outdated patches. The latest vSphere 5.5/6.0 patch level is 10, build 3568722, not any of these: VMware ESXi, 5.5.0, 2068190. Vulnerabilities are commonly discovered in hypervisors, operating systems, software and hardware components. These vulnerabilities are often mitigated by vendor-provided software or firmware patches. Refer to: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1014508
   Risk Implications: The vSphere and VMware hosts are not protected against new threats, and existing weaknesses can be exploited by internal or external parties to gain access to and/or control of our vSphere and VMware hosts if regular updates are not applied. The longer known vulnerabilities remain untreated, the more likely they will be exploited, causing denial of service, embarrassment and financial loss, as the organization will be unable to process transactions on applications hosted on the affected virtual machines.
   Recommendation: VMware Update Manager, which can help automate the patch management process of the VMware hosts, should be utilized for the patch management process to ensure the virtual infrastructure is adequately patched. Also, explore the option of subscribing to VMware Security Advisory updates on vulnerabilities and patches.



2. Ensure that performance-enhancing VMware Tools are installed and not outdated on virtual machines. VMware Tools is the package of drivers and utilities that makes virtual machines run better and faster and helps with resource optimization on the virtual machines. One of the reasons for embracing virtualization is the dynamism of computer resources and the agility to respond to business requests promptly.
   1. The VMware Tools memory balloon driver reduces the physical memory that a VM uses and is a key component of vSphere memory management.
   2. The VMware Tools sync driver quiesces a virtual machine to prevent data corruption during a backup and file-level restore.
   3. VMware Tools enables and improves VMware High Availability.
   4. Graceful/clean shutdown or restart of the guest OS to prevent data corruption is not possible without VMware Tools.
   Risk Implications: The organization is not realizing the benefits of its investment in the virtual infrastructure as a result of the non-installation of VMware Tools on the virtual machines. Effective memory resource management and prevention of data corruption during backup are some of these benefits.
   Recommendation: VMware Tools should be installed on all virtual machines where applicable, while an upgrade to the latest version should be done on virtual machines where VMware Tools is outdated.



3. Memory capacity management. Ensure that there is no variation between the memory capacity installed on the virtualized infrastructure and the memory available for use in the infrastructure.
   Risk Implications: The organization is not realizing its investment in the virtualized infrastructure. Also, the number of virtual machines that can be created per server is reduced.
   Recommendation: Memory sticks should be checked for proper placement on the servers and, if adjudged faulty, should be replaced.

4. Ensure that the time on vSphere hosts is synchronized/controlled by the recommended Network Time Protocol (NTP) server. Network Time Protocol allows administrators to set the system time on all their compatible systems via a single source, ensuring a consistent time stamp for logging and authentication protocols. Keeping time settings consistent across a network is vital if log data is to be meaningful and usable in understanding faults and security incidents.
   Risk Implications: It will be difficult, if not impossible, to compare log files from different systems and establish an exact sequence of events. Inaccurate time on device clocks will mislead the investigation of security incidents and frauds that occurred on the virtual infrastructure, whether by disgruntled internal staff or by malicious external parties.
   Recommendation: vSphere hosts should be synchronized with the NTP server to ensure they obtain and keep accurate time at all times.



5. Ensure that central remote logging for all user activities on ESXi hosts is configured. The logs of users' activities on VMware should be sent to the ArcSight SIEM tool, even though by default they are saved to a "non-persistent scratch file" on the VMware hosts and vCenter. These scratch files are most times wiped out at every reboot of the VMware host. Logging and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when things go wrong.
   Risk Implications: Determining the cause of a compromise by an attacker is very difficult, if not impossible, without aggregated system and user activity logs. Refer to: http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html
   Recommendation: Central logging to ArcSight should be configured on all ESXi hosts and the vCenters.

6. Ensure that excessive privileges are not granted to users on the vSphere vCenter. Members of Domain Admins should not all have administrative rights on vSphere vCenter by default, as it is the administrative platform for the whole VMware infrastructure. Excessive access privileges granted to users who do not expressly require them could lead to abuse/compromise of these privileges.
   Risk Implications: If administrative privileges are loosely and widely distributed, the attacker has a much easier time gaining full control of systems, because there are many more accounts that can act as avenues for the attacker to compromise the system.
   Recommendation: VMware makes provision for an ESX Admins group, which can be created on the AD and populated with only the users who are meant to carry out administrative operations on the infrastructure. This should be explored and used to ensure only users who expressly need access to the vSphere vCenter are granted access.

7. Ensure that the same generic account on the VMware, vSphere and vCenter infrastructure is not used to administer the system. This account should also not be configured as an administrator on the vSphere vCenter.
   Risk Implications: Lack of accountability if the generic/privileged account is compromised and used for unauthorized activities on the virtualized infrastructure.
   Recommendation: The generic account should be disabled. However, if it is required for operation, the privileged account should be tied to the Head of the system administration team, with proper documentation for accountability.

8. Ensure that virtual machine data traffic is not breached due to the parameters configured for virtual machine switch security. Through the Promiscuous Mode, MAC Address Changes and Forged Transmits parameters, VMware provides internal security settings which, when properly implemented, limit sniffing of data traffic across the virtual infrastructure. Compliance requires consistency across all virtual switches created. Setting a virtual switch to Accept MAC Address Changes and Forged Transmits permits virtual machines to send frames with an impersonated source MAC address. This allows an intruder to stage malicious attacks on devices in a network.
   Risk Implications: If these settings are not set to Reject, a denial of service attack can be staged and the integrity of data breached once a virtual machine can be made to send data as if it were the originating VM via MAC address change and forged transmit.
   Recommendation: Ensure the vSwitch security setting is consistently set to Reject for Promiscuous Mode, MAC Address Changes and Forged Transmits as part of the host VMkernel adapter configuration. Host profiling/baseline implementation will come in handy here.

9. Ensure that access to the VMware infrastructure is restricted to administrators' workstations only. Ordinary user workstations should not connect to the VMware vCenter. The firewall setting on the ESXi hosts can restrict which workstations can connect to them, if configured. While it is true that carrying out administrative tasks on servers from their local console would be cumbersome for administrators, it is imperative to limit the number of workstations that can be used to administer these sensitive infrastructures.
   Risk Implications: Risk of disruption of service on the VMware hosts, which house most of the critical applications, given that unauthorized workstations/users can connect to the host to conduct malicious activities such as vulnerability scans and exploitation attempts on the VMware vCenter.
   Recommendation: In line with the principle of defense-in-depth, access to the VMware infrastructure (via Web, Client, SSH) should be restricted to the IP addresses of approved administrators and monitoring applications.

10. Ensure adequate redundant network interface cards for critical VMware hosts. Using one physical network interface card for internal LAN communication and a single network interface card (NIC) for vMotion, instead of double NICs for each of these services, is inadequate. Failure of any of the adapters leads to service unavailability for virtual servers and the applications the servers support.
   Risk Implications: 1. Disruption of service if these network interface cards fail. 2. Service failure, as customers will not be efficiently serviced.
   Recommendation: Ensure the internal LAN network and vMotion networks have double network interface cards for redundancy.



11. Ensure adequate network management of the VMware infrastructure and separation of the networks used for management, vMotion and open network communication. The vMotion network is responsible for VM high availability and fault tolerance, while all administrative access to the virtual infrastructure and heavy VMkernel traffic ride on the management network.
   Risk Implications: Performance issues/bottlenecks, as traffic meant to have been separated is all channeled through the same network.
   Recommendation: 1. The management network and vMotion network should be separated. They can be configured on the same teamed physical NICs but with different VLANs. 2. The separated networks should also be isolated from the routed VLANs of other production servers.

12. Ensure that the speed of the redundant/backup physical network adapters is not lower than the speed of the primary network adapter on the VM hosts. Network adapters with varying network speeds are grouped together to provide redundancy. However, a variation between the speed of the primary network adapter (say 1000 Mbps) and the speed of the backup/redundant network adapter (say 100 Mbps) is inappropriate and will not ensure consistency and performance.
   Risk Implications: This configuration/arrangement introduces inconsistency and performance issues in user experience when the primary network adapter fails and failover to the backup interface occurs.
   Recommendation: All teamed uplink network interface cards (NICs) on hosts should be connected to the same external switch to provide uniform network speed.



13. Ensure that backup and restore operations of the virtual machines are not carried out over the open network, which contends with real-time data traffic and imposes a data burden on local area network bandwidth. Best practice dictates creating a private network entirely dedicated to backup operations to eliminate the data burden on local area network bandwidth.
   Risk Implications: Negative impact on services running on the local area network bandwidth, as the burden of the backups will lead to heavy performance degradation affecting the response times of core services/applications, messaging infrastructure and other critical services if there is any need to restore data for failed virtual machines.
   Recommendation: Backup activities should be carried out on a separate/private local area network.

14. Ensure that unused/idle virtual machines are shut down. In the event that a VM is configured for packet sniffing or IDS, it implies the virtual machine can sniff and intercept all data traffic sent to the parent virtual switch.
   Risk Implications: Such a virtual machine can be used by unauthorized users to compromise sensitive data flowing through the virtual switch it is connected to.
   Recommendation: Unused/idle virtual machines should be deleted to prevent unauthorized use of the VM for malicious activities on the network.

15. Ensure that shared passwords are not used for the administrative management of individual host servers. The password to the root account on host servers in the virtual infrastructure should not be shared by administrators.
   Risk Implications: Lack of accountability, responsibility and non-repudiation of administrators' actions on the system. This will also hamper speedy issue resolution and containment when fraud occurs.
   Recommendation: Create non-root user accounts for each approved administrator, with the privilege to administer the ESXi host directly, and change the root password in line with password complexity rules.



16. Ensure that user idle timeout settings are not left at the default value for access methods to the virtual infrastructure. Otherwise, sessions of users who have not carried out any activity on the VMware infrastructure will not be dropped/closed. Examples of some of the default settings are: the Web Client setting set at over 100 minutes; the VI Client idle timeout setting not set, so the VI Client does not time out at all; UserVars.ESXiShellInteractiveTimeOut set to 0 on all hosts; SSH logons to hosts do not time out.
   Risk Implications: If a user forgets to log out of their session, the idle connection will remain active indefinitely, increasing the potential for someone to gain privileged access to the host. This could lead to session hijack by an unauthorized user for fraudulent purposes.
   Recommendation: Idle time should be set in line with the approved baseline/information security policy of the organization. ESXi hosts, for example, should be set to ESXiShellTimeOut=3600s and ESXiShellInteractiveTimeOut=300s.

17. Ensure that virtual servers created on the virtual machine host that are no longer in use/non-functional are decommissioned. Servers that are not in use, if not decommissioned, will still be utilizing resources on the VM infrastructure, leading to unavailability of these resources for other active/in-use servers.
   Risk Implications: Unnecessary consumption/utilization of system resources, especially storage, which should be serving other critical applications.
   Recommendation: All virtual servers that are no longer required should be decommissioned.
18. Test Procedure: Ensure that consistent baseline configurations are implemented for the hosts. Host profiles/baseline configuration settings allow an organization to bake its IT security requirements into the host. Security settings for the host firewall, remote logging, network security settings for Virtual Machine kernel networks, the SSL certificate, host password complexity, idle timeout and others are applied uniformly to all hosts when host profiles are implemented on the hosts.
    Risk Implications: Security settings not consistently applied across the organization's production systems may allow an attacker, using tools that are easily/freely available on the internet, to exploit known vulnerable services and protocols to gain unauthorized access to the organization's sensitive information.
    Recommendation: Implement the organization's baseline settings/host profiles on all the VMware hosts: 1. A host profile should be built for the master host server using the VMware Hardening Guide for ESXi hosts. 2. A host compliance check should be run per host to ensure compliance. 3. The host profile should also be used for deployment of future ESXi hosts.
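Items 16 and 18 both come down to the same audit step: compare each host's exported settings with the approved baseline and list every deviation. The following Python script is an added example (not code from the book or from VMware) of that comparison. It assumes the host settings have already been exported from vCenter into a list of dicts (for example with PowerCLI's Get-AdvancedSetting); the three-host inventory below is constructed, the two shell-timeout rules use the values recommended in item 16, and the remote-syslog rule is an assumed extra baseline item of the kind item 18 lists.

```python
"""Check exported ESXi host settings against an organizational baseline.

Added example, not code from the book or from VMware. The host inventory
below is constructed by hand; in practice it would be exported from vCenter
(for example with PowerCLI's Get-AdvancedSetting) into the same shape.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    actual: Optional[Any]     # None when the setting is missing from the export
    expected: str


def timeout_ok(value: Any, max_seconds: int) -> bool:
    """A timeout of 0 means 'never expire' on ESXi, so it fails even though 0 <= max."""
    return isinstance(value, int) and 0 < value <= max_seconds


# Baseline rules: setting name -> (check, human-readable expectation).
# The two shell timeouts carry the book's recommended values; the remote
# syslog rule is an assumed extra item typical of a hardening baseline.
BASELINE: Dict[str, Tuple[Callable[[Any], bool], str]] = {
    "UserVars.ESXiShellTimeOut": (lambda v: timeout_ok(v, 3600), "1..3600 seconds"),
    "UserVars.ESXiShellInteractiveTimeOut": (lambda v: timeout_ok(v, 300), "1..300 seconds"),
    "Syslog.global.logHost": (lambda v: isinstance(v, str) and v.strip() != "",
                              "remote syslog target set"),
}


def audit_hosts(hosts: List[dict], baseline=BASELINE) -> List[Finding]:
    """Return one Finding per (host, setting) that is missing or non-compliant."""
    findings = []
    for host in hosts:
        settings = host.get("advanced_settings", {})
        for key, (check, expected) in baseline.items():
            actual = settings.get(key)
            if actual is None or not check(actual):
                findings.append(Finding(host["name"], key, actual, expected))
    return findings


def hosts_out_of_baseline(findings: List[Finding]) -> List[str]:
    """Distinct host names with at least one finding, in inventory order."""
    seen: List[str] = []
    for f in findings:
        if f.host not in seen:
            seen.append(f.host)
    return seen


# Constructed inventory (three hosts; names and values are illustrative).
HOSTS = [
    {"name": "esx01", "advanced_settings": {
        "UserVars.ESXiShellTimeOut": 3600,
        "UserVars.ESXiShellInteractiveTimeOut": 300,
        "Syslog.global.logHost": "udp://syslog.example.internal:514"}},
    {"name": "esx02", "advanced_settings": {
        "UserVars.ESXiShellTimeOut": 0,            # default: never times out
        "UserVars.ESXiShellInteractiveTimeOut": 300,
        "Syslog.global.logHost": ""}},             # no remote logging target
    {"name": "esx03", "advanced_settings": {
        "UserVars.ESXiShellTimeOut": 7200,         # above the baseline maximum
        # UserVars.ESXiShellInteractiveTimeOut is absent from this export
        "Syslog.global.logHost": "udp://syslog.example.internal:514"}},
]

if __name__ == "__main__":
    for f in audit_hosts(HOSTS):
        print(f"{f.host}: {f.setting} = {f.actual!r}, expected {f.expected}")
```

The point of treating a missing setting the same as a wrong one is that an export which silently omits a key would otherwise pass; the point of `timeout_ok` rejecting 0 is that 0 is the ESXi default meaning "never", which is exactly the condition item 16 is looking for.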
19. Test Procedure: Ensure high availability for the host providing service for critical applications. Failure of the host providing service for a critical business application could lead to disruption of the services that the host supports.
    Risk Implications: Running critical applications on a single host without adequate resources and immediate business continuity plans exposes the organization to financial and reputational loss.
    Recommendation: 1. An additional host and load balancing should be added for the critical server host. 2. vSphere HA and Distributed Resource Scheduling should be enabled.
20. Test Procedure: Ensure that trial licenses are not used to power VMware servers primarily hosting critical applications. VMware will have to bail out such an organization from experiencing denial of service and application performance challenges by releasing trial licenses if there is an incident (please don't play into their hands). Do the right thing by obtaining the required licenses for your servers.
    Risk Implications: Disruption of services if the licenses expire and VMware refuses to renew the organization's trial license. This could lead to the Virtual Machines on the host shutting down, and the only option will be to bring them up on any of the available hosts (if any). This will cause heavy stress on available resources, denial of service and an impact on application performance, and reduce the infrastructure's resilience to withstand disaster.
    Recommendation: The organization should ensure that it renews its VMware licenses as and when due, by engaging VMware accordingly, to forestall any embarrassment or unforeseen incidents.
21. Test Procedure: Ensure that Datastore utilization is not excessively high. Datastores are the repositories for virtual machines.
    Risk Implications: Disruption of service if the Datastores are full and there are emergency storage spikes, leading to the shutdown of the virtual machines and the applications they support.
    Recommendation: 1. Increase Datastore sizes. 2. Move some Virtual Machines to less congested Datastores. 3. Consider implementation of a Datastore cluster where the Distributed Resource Scheduler can be activated to automatically balance data utilization.
22. Test Procedure: Ensure that Virtual Machine hosts are guaranteed protection by vSphere High Availability. vSphere High Availability ensures there is a consistent user experience and interaction with applications even if the server hosting them should develop a fault. It moves the application safely to another server with vMotion.
    Risk Implications: Disruption in service and non-availability of the services running on the VM host should the host develop a fault.
    Recommendation: High Availability should be configured, and all virtual machines checked to confirm protection and high availability.
23. Test Procedure: Ensure that Virtual Machines are not running on snapshots. Snapshots are great when a VM is to be maintained or patched, to preserve the file system and memory state of the running application. However, when they are used as the primary VM disk, they double read and write operation times and also create extra files (.delta.vmdk, .vmsn files), which can grow to occupy the same disk space as provisioned for the original VM vmdk file, hence putting pressure on the Datastores where the VM files are stored.
    Risk Implications: Running Virtual Machines on snapshots increases disk read/write operation times, as the VM tries to maintain data integrity by writing to three extra files instead of just one file. Besides the pressure on Datastores, the disk latency also eventually impacts compute and memory utilization, reducing the overall health quotient of the server it runs on.
    Recommendation: Snapshots should only be used temporarily, for less than 48 hours, after which data should be committed back to the original VM file. All applications running on snapshots should be committed back to their respective vmdk files.
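Item 23 gives the auditor two concrete conditions to test: a VM whose live disk is a snapshot delta file, and a snapshot older than 48 hours. The following Python script is an added example (not from the book or from VMware) that evaluates both over a snapshot inventory. It assumes the inventory has been exported from vCenter into a list of dicts (for example with PowerCLI's Get-Snapshot and Get-HardDisk); the VMs, timestamps and audit time below are constructed, and delta-disk detection assumes VMware's "<vm>-000001.vmdk" / "<vm>-000001-delta.vmdk" naming.

```python
"""Flag VMs running on snapshots and snapshots older than the 48-hour limit.

Added example, not from the book or from VMware. Input is a constructed list
of VMs in the shape an administrator might export from vCenter; the field
names are assumptions. Delta-disk detection assumes VMware's
"<vm>-000001.vmdk" / "<vm>-000001-delta.vmdk" naming convention.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MAX_SNAPSHOT_AGE = timedelta(hours=48)            # the book's 48-hour limit
DELTA_DISK = re.compile(r"-\d{6}(-delta)?\.vmdk$")  # e.g. db01-000001.vmdk


def is_delta_disk(path: str) -> bool:
    """True when the VM's current disk is a snapshot delta rather than the base vmdk."""
    return DELTA_DISK.search(path) is not None


def snapshot_age(snapshot: dict, now: datetime) -> timedelta:
    """Age of a snapshot; 'created' is an ISO-8601 timestamp carrying a UTC offset."""
    return now - datetime.fromisoformat(snapshot["created"])


def audit_snapshots(vms: List[dict], now: datetime,
                    max_age: timedelta = MAX_SNAPSHOT_AGE) -> Dict[str, list]:
    """Return VMs whose live disk is a delta file, and snapshots past max_age (age in hours)."""
    on_snapshot: List[str] = []
    stale: List[Tuple[str, str, int]] = []
    for vm in vms:
        # A VM is "running on a snapshot" if it has any snapshot in its chain
        # or its current disk path is a delta file (covers a stale export).
        if vm["snapshots"] or any(is_delta_disk(d) for d in vm["disks"]):
            on_snapshot.append(vm["name"])
        for snap in vm["snapshots"]:
            age = snapshot_age(snap, now)
            if age > max_age:
                stale.append((vm["name"], snap["name"], round(age.total_seconds() / 3600)))
    return {"running_on_snapshot": on_snapshot, "stale": stale}


# Constructed audit time and inventory (all names and timestamps illustrative).
NOW = datetime.fromisoformat("2024-03-10T12:00:00+00:00")

VMS = [
    {"name": "db01",                       # snapshot left in place for 5 days
     "disks": ["[ds-prod-01] db01/db01-000001.vmdk"],
     "snapshots": [{"name": "pre-patch", "created": "2024-03-05T09:00:00+00:00"}]},
    {"name": "web01",                      # snapshot from last night, within the limit
     "disks": ["[ds-prod-01] web01/web01-000001.vmdk"],
     "snapshots": [{"name": "before-upgrade", "created": "2024-03-09T18:00:00+00:00"}]},
    {"name": "app01",                      # clean: base disk, no snapshots
     "disks": ["[ds-prod-02] app01/app01.vmdk"],
     "snapshots": []},
]

if __name__ == "__main__":
    result = audit_snapshots(VMS, NOW)
    print("Running on snapshots:", ", ".join(result["running_on_snapshot"]))
    for vm, snap, hours in result["stale"]:
        print(f"{vm}: snapshot '{snap}' is {hours} h old, exceeds 48 h limit")
```

The two lists answer different questions: "running on snapshot" is the finding for the test procedure itself (every such VM still carries the extra read/write cost the row describes), while "stale" is the subset that already breaches the recommendation's 48-hour limit and should be consolidated first.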
24. Test Procedure: Ensure that inbuilt triggers and alarms are utilized for proactive management of the VMware infrastructure, while also ensuring that generated trap alerts are cleared. For a better user experience and convenience of system administration, VMware provides the capability to measure metrics that can assist with prompt issue troubleshooting and resolution. Some are alerts that can only be seen when you log on to the administrative console, while others can be set to send mails. By default, alerts are set to console notification and to sending a notification trap to the local host.
    Risk Implications: Inability to proactively carry out infrastructure maintenance and management, leading to increased frequency of unavailability of services.
    Recommendation: 1. Mail alerts should be configured for critical performance metrics at all levels of management, setting thresholds that will warn of an impending crisis (75% for warning and above 85% for critical, or as applicable in the organization's capacity threshold policy). 2. Long-standing generated alerts should be worked on and cleared to give a true picture of system health.
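Items 21 and 24 together describe one capacity control: classify each datastore against the 75% warning / above-85% critical thresholds, then relieve the critical ones by moving VMs to less congested datastores. The following Python script is an added example (not from the book or from VMware) of that evaluation. It assumes a datastore inventory exported from vCenter into a list of dicts (for example with PowerCLI's Get-Datastore and Get-VM); the inventory below is constructed, and the greedy move planner is an assumed, illustrative strategy for choosing which VMs to migrate, not a VMware feature (in a Datastore cluster, Storage DRS would make the equivalent decision).

```python
"""Classify datastore utilization against alarm thresholds and plan relief moves.

Added example, not from the book or from VMware. Thresholds are the book's
75% warning / above-85% critical values. The datastore inventory is
constructed, and the greedy planner is an assumed illustrative strategy.
"""
from copy import deepcopy
from typing import Dict, List, Optional, Tuple

WARNING_PCT = 75.0
CRITICAL_PCT = 85.0


def utilization_pct(ds: dict) -> float:
    """Percentage of datastore capacity in use."""
    return 100.0 * (ds["capacity_gb"] - ds["free_gb"]) / ds["capacity_gb"]


def classify(pct: float) -> str:
    """'critical' above 85%, 'warning' from 75% up to 85%, otherwise 'ok'."""
    if pct > CRITICAL_PCT:
        return "critical"
    if pct >= WARNING_PCT:
        return "warning"
    return "ok"


def report(datastores: List[dict]) -> Dict[str, str]:
    """Alarm state per datastore, as the book's mail alerts would raise them."""
    return {ds["name"]: classify(utilization_pct(ds)) for ds in datastores}


def _target_for(state: Dict[str, dict], source: str, size_gb: int) -> Optional[str]:
    """Least-utilized other datastore that stays below the warning line after the move."""
    best = None
    for name, ds in state.items():
        if name == source:
            continue
        after = dict(ds, free_gb=ds["free_gb"] - size_gb)
        if after["free_gb"] >= 0 and utilization_pct(after) < WARNING_PCT:
            if best is None or utilization_pct(ds) < utilization_pct(state[best]):
                best = name
    return best


def plan_rebalance(datastores: List[dict]) -> List[Tuple[str, str, str]]:
    """Greedy plan: move a critical datastore's smallest VMs away until it drops below warning.

    Returns (vm, from_datastore, to_datastore) moves; the input is not modified.
    """
    state = {ds["name"]: deepcopy(ds) for ds in datastores}
    moves: List[Tuple[str, str, str]] = []
    for name in list(state):
        if classify(utilization_pct(state[name])) != "critical":
            continue
        for vm, size in sorted(state[name]["vms"].items(), key=lambda kv: kv[1]):
            if utilization_pct(state[name]) < WARNING_PCT:
                break
            target = _target_for(state, name, size)
            if target is None:          # nowhere safe to put it; leave for manual review
                continue
            state[name]["free_gb"] += size
            del state[name]["vms"][vm]
            state[target]["free_gb"] -= size
            state[target]["vms"][vm] = size
            moves.append((vm, name, target))
    return moves


# Constructed inventory: sizes in GB, "vms" maps VM name to provisioned disk size.
DATASTORES = [
    {"name": "ds-prod-01", "capacity_gb": 2000, "free_gb": 200,     # 90% -> critical
     "vms": {"web01": 300, "app01": 600, "db01": 900}},
    {"name": "ds-prod-02", "capacity_gb": 4000, "free_gb": 3000,    # 25% -> ok
     "vms": {"app02": 1000}},
    {"name": "ds-dev-01", "capacity_gb": 1000, "free_gb": 220,      # 78% -> warning
     "vms": {"dev01": 780}},
]

if __name__ == "__main__":
    for name, state in report(DATASTORES).items():
        print(f"{name}: {state}")
    for vm, src, dst in plan_rebalance(DATASTORES):
        print(f"move {vm} from {src} to {dst}")
```

The planner deliberately refuses a move that would push the receiving datastore into its own warning band, which is the failure mode of relieving one datastore by overloading another; a datastore it cannot relieve is left in the report for the auditor to raise under recommendation 1 (increase the Datastore size).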
25. Test Procedure: Ensure that relevant tools are used to monitor infrastructure health, capacity utilization and performance bottlenecks. VMware vRealize Operations Manager aggregates logs from the whole infrastructure, providing dashboards of information that can be used for effective and efficient virtual environment management.
    Risk Implications: Inability to proactively carry out infrastructure maintenance and management. Management will be reactive and based on symptoms after the fact rather than proactive, leading to increased frequency of unavailability of services.
    Recommendation: 1. Ensure challenges with vRealize Operations Manager are resolved. 2. Dashboards should be created highlighting performance bottlenecks, capacity utilization and health of the infrastructure.
26. Test Procedure: Ensure adequate provisioning of memory for VMs. Inconsistent performance will be experienced at peak periods on virtual machines with under-provisioned memory.
    Risk Implications: Performance bottlenecks, which could lead to service downtime and customer dissatisfaction.
    Recommendation: 1. Review memory paging levels in the VMs with over-provisioned memory, carefully trim down the provisioned memory and assign it to less privileged VMs on the same host that require additional memory.
27. Test Procedure: Ensure good and adequate backup practices. A complete backup of VMs, which captures all Virtual Machine state, operating system settings and application settings, should be done. A backup of the vCenter database should be taken. vCenter is the gateway application that controls all administrative functions in the virtual environment. It has its own settings and database files.
    Risk Implications: Increased recovery time objective for critical services, as a result of the need to prepare applications afresh and reconfigure all required settings to make virtual machines functional when attempting to restore backed-up data after a disaster.
    Recommendation: 1. The NetBackup infrastructure has the capability to back up virtualization environments and should be configured to take backups at the hypervisor level, if available. 2. Obtain VMware's licensed Virtual Data Protection product. This can do much more than NetBackup, going as far as taking host configuration backups. 3. vCenter backup should be done.
28. Test Procedure: Ensure there is no disparity or gap in the capacity of the primary processing facility infrastructure compared to the infrastructure at the Disaster Recovery/alternate processing site.
    Risk Implications: Inability of the Disaster Recovery site to support all applications and services adequately in the event of a disaster at the primary processing site, as a result of capacity issues.
    Recommendation: Capacity of the infrastructure at the Disaster Recovery (DR) site should be upgraded to match the capacity at the main processing facility.
29. Test Procedure: Ensure adequate documentation of procedures for managing and maintaining the VM infrastructure. Approved, documented Standard Operating Procedures (SOPs) for administrative and maintenance activities on the virtual infrastructure should be in place.
    Risk Implications: 1. Operational inefficiency as a result of non-uniform/substandard means of operating/managing the VM infrastructure. 2. Absence of SOPs could also result in a key-man risk situation, which may lead to service failure and errors.
    Recommendation: Develop policies and procedures that cover all administrative activities, including: 1. Acceptable disaster recovery practice. 2. Virtual infrastructure capacity planning. 3. A VM resource allocation right-sizing baseline document for application servers, web servers and database servers. 4. Treatment of email alarms sent in response to changing infrastructure capacity challenges.
Your feedback is invaluable to us
If you recently bought this book, we would love to hear from you! You can write a review on Amazon (or the online store where you purchased this book) about your last order. If you bought this book from our website at http://oxleyconsults.com.ng/, we would appreciate it if you leave a review on our website. We would love to hear real client experiences and feedback as part of our continual service improvement process.

How does it work?
To post a review on Amazon, just log into your account and click on the Create Your Own Review button (under Customer Reviews) on the relevant product page. You can find examples of product reviews on Amazon. If you purchased from another outlet/online store, simply follow their procedures.

Once you have submitted your review, send us an email at info@oxleyconsults.com.ng with the link to your review so we can properly thank you and appreciate your feedback.
Connect with Nwabueze Ohia
Follow me on Twitter: @oxleyconsults
Friend me on Facebook: http://facebook.com/oxleytechnologiesinc
Subscribe to my blog: http://blog.oxleyconsults.com.ng/
Connect with me on LinkedIn: https://www.linkedin.com/in/ohia-nwabueze-btech-it-msc-it-cisa-cobit-5-6a737516