SECURITY QA CHECKLIST

| Question | Yes | No | N/A | Remarks |
|---|---|---|---|---|
| Are security risk types identified (e.g., malware attacks, Denial of Service (DoS) attacks, phishing, brute-force attacks, man-in-the-middle attacks, OWASP Top 10, security misconfiguration errors, zero-day attacks, etc.)? | | | | |
| Are security assessments conducted periodically? | | | | |
| Are periodic security assessment reports prepared (e.g., quarterly, annually)? | | | | |
| Are security assessment reports reviewed? | | | | |
| Are security issues raised by security assessments addressed in a timely manner? | | | | |
| Are security implementation reports available? | | | | |
| Do security changes follow change management procedures? | | | | |
| Are changes to security identified, reviewed, and tracked to closure? | | | | |
| Are changes to security approved before being applied? | | | | |
| How often do you review your audit logs? | | | | |
| Do you perform regular backups? All data or only business-critical data? | | | | |
| How often do you test your backups? | | | | |
| Have you applied all applicable security patches? | | | | |
| Do you have account management and access controls in place? | | | | |
| What security products do you already have (e.g., firewall, intrusion detection, and encryption)? | | | | |
| Do you have a security plan in place? Who has access to it? | | | | |
| Are backup copies completed on a routine schedule, tested regularly, and stored off-site? | | | | |
| Are system logging and routine procedures to audit logs, security events, system use, system alerts or failures, etc. implemented, and is log information kept where it cannot be manipulated or altered? | | | | |
2. Checklist for Confidentiality

| Question | Yes | No | N/A | Remarks |
|---|---|---|---|---|
| What controls does the security policy have in place to protect the confidentiality of data or information (e.g., data encryption)? | | | | |
| What are the risks to the confidentiality of data or information associated with the various technologies used? | | | | |
| What monitoring of controls is in place to ensure the ongoing confidentiality of data or information? | | | | |
3. Checklist for Integrity

| Question | Yes | No | N/A | Remarks |
|---|---|---|---|---|
| What controls are in place to ensure data integrity during input of data? | | | | |
| What controls are in place to ensure data integrity during computer processing of data? | | | | |
| What are the risks associated with the storage of financial data (unauthorized access, theft, or changes to data)? | | | | |
| What controls are in place to ensure data integrity while it is stored on the entity's system? | | | | |
| What risks are associated with data transmission between systems, especially over the internet or via wireless technologies? | | | | |
4. Checklist for Availability

| Question | Yes | No | N/A | Remarks |
|---|---|---|---|---|
| What risks are associated with business continuity or disaster recovery? | | | | |
| What controls (plans) are in place to restore business activities if a disaster or catastrophic event occurs? | | | | |
| What are the risks associated with the availability of systems and of business processes embedded in technologies? | | | | |
| What controls are in place to ensure the availability of systems or automated business processes? | | | | |