Logical security audit program
Have the systems been configured to automatically disable accounts that have been inactive for an excessive time period? Verify that the accounts for all terminated employees have been disabled or removed from the systems.

E 1.
Is appropriate documentation available to support the authorization of each account and the approval of all access rights and privileges granted to each account? Is documentation available which supports periodic reviews of user access rights?

Have the systems been configured to authenticate all users through a valid ID and password? Is a unique initial password assigned to all new accounts upon creation? Are the initial passwords assigned to all new accounts set as pre-expired, requiring the user to change the password upon the initial logon?

Have the systems been configured to enforce restrictions on password syntax and use? Are password dictionaries used to reject weak or easily guessed passwords? Are passwords hard-coded within scripts, batch files, or applications? Confirm that appropriate restrictions are in place over password syntax and use as required by relevant corporate policies and standards:
- Minimum password length
- Restrictions on password syntax
- Password lifetimes
- Restrictions on the ability to re-use passwords
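The three password tests above (policy parameters against the corporate standard, dictionary and syntax enforcement, and hard-coded passwords in scripts) as an added example; this is not part of the audit program, and the standard values, the host settings, the dictionary, the sample script and the setting names are all constructed assumptions:

```python
"""Added example (not part of the audit program): compare a host's password
controls against a corporate standard, model the syntax checks the system
should enforce, and scan scripts for hard-coded passwords.  Every value and
field name below is an assumption constructed for illustration."""
import re

# Assumed corporate standard for the controls this checklist asks about.
STANDARD = {
    "min_length": 8,                  # minimum password length
    "require_complexity": True,       # syntax restrictions (character classes)
    "max_age_days": 90,               # password lifetime
    "history_depth": 12,              # re-use restriction
    "lockout_threshold": 5,           # invalid attempts before lockout
    "initial_password_preexpired": True,
}

# Controls where a larger value is stricter, and where a smaller one is.
STRICTER_HIGH = {"min_length", "history_depth"}
STRICTER_LOW = {"max_age_days", "lockout_threshold"}   # 0 means "never": weakest


def policy_deviations(host_settings, standard=STANDARD):
    """Return (control, observed, required) for every control that is missing
    on the host or weaker than the standard demands."""
    findings = []
    for name, required in standard.items():
        observed = host_settings.get(name)
        if observed is None:
            findings.append((name, None, required))
        elif name in STRICTER_HIGH and observed < required:
            findings.append((name, observed, required))
        elif name in STRICTER_LOW and (observed == 0 or observed > required):
            findings.append((name, observed, required))
        elif isinstance(required, bool) and bool(observed) != required:
            findings.append((name, observed, required))
    return findings


# Constructed password dictionary; a real deployment would load a word list.
DICTIONARY = {"password", "welcome1", "letmein", "summer2024"}


def password_acceptable(candidate, standard=STANDARD, dictionary=DICTIONARY):
    """Model of the syntax checks the system should enforce at password change:
    minimum length, dictionary rejection and at least three character classes."""
    if len(candidate) < standard["min_length"]:
        return False
    if candidate.lower() in dictionary:
        return False
    if standard["require_complexity"]:
        classes = sum(bool(re.search(p, candidate))
                      for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
        if classes < 3:
            return False
    return True


# A literal assigned to a password-like name; variable references ($X, %X%,
# ${X}) are skipped because they are not hard-coded secrets.
HARDCODED = re.compile(r"""(?ix)
    (?:password|passwd|pwd)\s*[=:]\s*   # assignment to a password-like name
    (?!\$|%|\{)                         # but not a variable reference
    ['"]?([^'"\s;]+)                    # the literal value
""")


def hardcoded_passwords(lines):
    """Return (line_number, literal) for lines that embed a literal password."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = HARDCODED.search(line)
        if match:
            hits.append((number, match.group(1)))
    return hits


# Constructed sample script for the scan (not from any real system).
SAMPLE_SCRIPT = [
    "#!/bin/sh",
    "DB_USER=app",
    "DB_PASSWORD=hunter2",                 # literal: flagged
    "export PASSWORD=$APP_PASSWORD",       # variable reference: ignored
    "echo 'pwd: ' $(pwd)",                 # no literal value follows
    '  password = "Tr0ub4dor&3"',          # literal: flagged
]

if __name__ == "__main__":
    host = {"min_length": 6, "max_age_days": 0, "history_depth": 12,
            "lockout_threshold": 5, "require_complexity": False}
    for finding in policy_deviations(host):
        print("deviation:", finding)
    print(hardcoded_passwords(SAMPLE_SCRIPT))
```

The deviation check treats a missing setting as a finding rather than assuming a safe default, and treats a lifetime or lockout threshold of 0 as "never", which is the weakest value rather than the strictest. The hard-coded password scan is deliberately simple: it only catches literals assigned to an obviously named variable, so it complements rather than replaces a manual review of scripts and batch files.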

Confirm that appropriate controls are in place to limit the number of invalid access attempts allowed before an account is locked or disabled.

E 3.
Consider: Are standards in place over the configuration of user profiles? Are privileges and access rights granted to individual user accounts, or are they granted to groups and then allocated to users by assigning users to those groups?

Have standard access definitions been established by job function or service product? How are user profiles established? Are user profile templates used to create new user profiles?

Are existing profiles copied and modified to create a new profile? Are all new user profiles created from scratch? Are user profiles configured to ensure that users are restricted to appropriate applications and menus? Are users restricted from accessing the operating system command line in the production environment?

Are time restrictions placed on the use of the accounts? Are station restrictions placed on the use of the accounts? If login scripts are used, ensure that the login scripts are appropriately secured. Ensure that the home directory for each account is properly referenced and secured.

Ensure that the account has not been inactive for an unreasonable time period.

Consider: Are standards in place over the configuration of group profiles? Have standard group access definitions been established by job function or service product? How are group profiles established? Are default vendor-supplied group profiles used? Are group profiles configured to ensure that users are restricted to appropriate applications and menus? Are the access rights assigned to group profiles reviewed and approved by appropriate management?

E 4.
Ensure that the group profiles are configured securely and comply with applicable corporate policies and standards. Review the access rights and privileges provided by the group profiles and ensure that they are reasonable based upon the purpose of the profile. Ensure that the user accounts assigned to each group profile are appropriate.

Consider: Are standards in place over the assignment and use of privileged accounts? Have super-user IDs been established to provide technical support staff with a means to address immediate, emergency platform problems? Is the number of users with privileged access appropriately limited? Are the passwords for super-user accounts appropriately controlled? Do administrators log in directly to super-user accounts, or do they log in to their own unique accounts and exercise administrative rights only when necessary to perform actions requiring those rights?

At all other times, do the administrators log on with unique accounts that have been granted fewer rights? Are privileged user access rights reviewed on a regular basis by user management? Do the privileges assigned to these accounts appear appropriate? Does documentation exist to support the authorization of each account and the approval of all privileges assigned to each account?

Are appropriate controls in place over the use of privileged predefined accounts supplied by the vendor? Is the use of these accounts appropriately monitored? Do generic account IDs exist for any of the privileged accounts? If so, determine how management ensures accountability over the use of these generic accounts. Ensure that all privileged accounts are active and are not associated with a terminated employee.

E 5.

Based upon the purpose of each group, determine if the number of accounts assigned to each group appears reasonable. Does documentation exist to support the authorization of each account assigned to each privileged group?

Ensure that all accounts assigned to each privileged group are active and are not associated with a terminated employee. Are restrictions placed on accounts provided to contractors and temporary workers? Are special developer accounts provided to developers to diagnose application problems in the production environment?
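The privileged account and privileged group tests above (who holds super-user rights, whether each holder is authorized, whether any holder is a terminated employee, and whether generic IDs exist) as an added example for a Unix-like host; this is not part of the audit program, and the passwd and group records, the privileged group names, the authorization list, the termination list and the generic-ID hints are constructed assumptions:

```python
"""Added example (not part of the audit program): review privileged accounts
on a Unix-like host from passwd- and group-format records.  The records,
the authorization list and the HR termination list are all constructed
for illustration."""

# Constructed /etc/passwd-style records: name:x:uid:gid:gecos:home:shell
PASSWD_LINES = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup superuser:/root:/bin/bash
alice:x:1001:1001:Alice Admin:/home/alice:/bin/bash
bob:x:1002:1002:Bob Builder:/home/bob:/bin/bash
ops:x:1003:1003:shared operations login:/home/ops:/bin/bash
carol:x:1004:1004:Carol Dev:/home/carol:/usr/sbin/nologin
""".splitlines()

# Constructed /etc/group-style records: name:x:gid:member,member
GROUP_LINES = """\
root:x:0:
wheel:x:10:alice,bob,ops
sudo:x:27:alice,carol,dave
""".splitlines()

PRIVILEGED_GROUPS = {"root", "wheel", "sudo"}  # groups that confer super-user rights
AUTHORIZED = {"root", "alice"}                  # assumed approved privileged accounts
TERMINATED = {"bob"}                            # assumed HR terminations report
GENERIC_HINTS = ("shared", "generic", "team", "service")


def parse_passwd(lines):
    """name -> (uid, gid, gecos)"""
    accounts = {}
    for line in lines:
        name, _, uid, gid, gecos, _, _ = line.split(":")
        accounts[name] = (int(uid), int(gid), gecos)
    return accounts


def parse_group(lines):
    """name -> (gid, set of supplementary members)"""
    groups = {}
    for line in lines:
        name, _, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def privileged_accounts(accounts, groups):
    """account -> set of reasons it holds privilege (uid 0, primary or
    supplementary membership of a privileged group)."""
    priv = {}
    priv_gids = {gid: g for g, (gid, _) in groups.items() if g in PRIVILEGED_GROUPS}
    for name, (uid, gid, _) in accounts.items():
        if uid == 0:
            priv.setdefault(name, set()).add("uid 0")
        if gid in priv_gids:
            priv.setdefault(name, set()).add(f"primary group {priv_gids[gid]}")
    for g, (_, members) in groups.items():
        if g in PRIVILEGED_GROUPS:
            for m in members:
                priv.setdefault(m, set()).add(f"member of {g}")
    return priv


def review_privileged(accounts, groups, authorized=AUTHORIZED, terminated=TERMINATED):
    """Apply the checklist tests and return (account, issue) findings."""
    findings = []
    for name, reasons in sorted(privileged_accounts(accounts, groups).items()):
        if name not in accounts:
            findings.append((name, "listed in a privileged group but has no account"))
            continue
        if name not in authorized:
            findings.append((name, "privileged access not authorized: " + ", ".join(sorted(reasons))))
        if name in terminated:
            findings.append((name, "belongs to a terminated employee"))
        gecos = accounts[name][2].lower()
        if any(hint in gecos for hint in GENERIC_HINTS):
            findings.append((name, "generic ID: accountability for its use must be established"))
    uid0 = sorted(n for n, (uid, _, _) in accounts.items() if uid == 0)
    if len(uid0) > 1:
        findings.append((",".join(uid0), "more than one uid 0 account"))
    return findings


if __name__ == "__main__":
    for finding in review_privileged(parse_passwd(PASSWD_LINES), parse_group(GROUP_LINES)):
        print(*finding, sep=": ")
```

Privilege is derived from three sources rather than from group membership alone, because a second uid 0 account and a privileged primary group do not appear in the supplementary member list of /etc/group. Group members without a passwd entry are reported too, since stale membership is what a later account re-creation would silently inherit.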

Is access to the production environment read-only? Are emergency IDs created to perform emergency systems maintenance? If so, on what basis?

E 8.
Are authentication devices utilized to control remote access? Are modem phone numbers kept confidential?

Are procedures in place over the configuration of security for system directories and files? How are access rights for system directories and files determined and assigned? Who approves access rights for system directories and files?

F 1.
Are procedures in place over the configuration of security for application directories and files?

How are access rights for application directories and files determined and assigned? Who approves access rights for application directories and files? Are procedures in place over the configuration of security for production data directories and files? How are access rights for production data directories and files determined and assigned?
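A test of the directory and file security discussed above for system, application and production-data directories, as an added example that is not part of the audit program. The permission policy, the approved setuid list and the sample tree are constructed assumptions, and the check assumes POSIX permission bits:

```python
"""Added example (not part of the audit program): test system, application
and production-data directories against an assumed permission policy.
The policy, the approved setuid list and the sample tree are constructed
so the check runs offline in a temporary directory."""
import os
import stat
import tempfile

# Assumed policy by directory classification.
POLICY = {
    "system": {"world_writable": False, "world_readable": True},
    "application": {"world_writable": False, "world_readable": True},
    "production_data": {"world_writable": False, "world_readable": False},
}
APPROVED_SETUID = {"bin/su"}   # assumed; paths relative to the audited root


def audit_tree(root, classification, approved_setuid=APPROVED_SETUID):
    """Walk `root` and return sorted (relative_path, issue) findings."""
    rules = POLICY[classification]
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue                      # judge the target where it lives
            mode = stat.S_IMODE(st.st_mode)
            is_dir = stat.S_ISDIR(st.st_mode)
            # A sticky, world-writable directory (/tmp style) is the one accepted form.
            if mode & stat.S_IWOTH and not rules["world_writable"] \
                    and not (is_dir and mode & stat.S_ISVTX):
                findings.append((rel, "world-writable"))
            if mode & stat.S_IROTH and not rules["world_readable"]:
                findings.append((rel, "world-readable"))
            if stat.S_ISREG(st.st_mode) and mode & (stat.S_ISUID | stat.S_ISGID) \
                    and rel not in approved_setuid:
                findings.append((rel, "unapproved setuid/setgid"))
    return sorted(findings)


def _build(root, entries):
    """Create the constructed sample tree; entries are (relative_path, mode),
    with a trailing slash marking a directory.  Parents precede children."""
    for rel, mode in entries:
        path = os.path.join(root, rel.rstrip("/"))
        if rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "w") as f:
                f.write("sample\n")
        os.chmod(path, mode)   # explicit chmod so the umask does not interfere


def demo():
    """Audit a constructed system tree and a constructed data tree."""
    results = {}
    with tempfile.TemporaryDirectory() as sys_root:
        _build(sys_root, [
            ("bin/", 0o755),
            ("bin/su", 0o4755),       # approved setuid binary
            ("bin/backup", 0o4755),   # setuid binary nobody approved
            ("bin/ls", 0o755),
            ("hosts", 0o666),         # world-writable configuration file
            ("tmp/", 0o1777),         # sticky world-writable scratch dir: accepted
        ])
        results["system"] = audit_tree(sys_root, "system")
    with tempfile.TemporaryDirectory() as data_root:
        _build(data_root, [
            ("payroll.dat", 0o644),   # production data readable by everyone
            ("ledger.dat", 0o640),
        ])
        results["production_data"] = audit_tree(data_root, "production_data")
    return results


if __name__ == "__main__":
    for classification, findings in demo().items():
        print(classification, findings)
```

The same walker serves all three directory classes; only the policy row differs, which mirrors how the questions above are asked separately for system, application and production-data files while the approval evidence is what actually changes. Symbolic links are skipped so a link into a differently classified tree is judged under that tree's policy rather than twice.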

Are current configurations in compliance with relevant policies and standards? Are filters utilized to select data from audit log files to generate meaningful and useful security reports? Are automated reporting facilities active:
- Alerts posted to system consoles
- Automatic pages for specific security events
- Automatic email messages generated for specific security events
Are current security reporting processes and procedures in compliance with relevant policies and standards?
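The log filtering and automated reporting asked about above, as an added example that is not part of the audit program: it filters syslog-style authentication records into a failed-login summary and routes specific events to console, page and email channels. The log lines are constructed, and the line format, the event patterns, the channel assignment and the five-failure threshold are assumptions:

```python
"""Added example (not part of the audit program): filter constructed
syslog-style authentication records into the security reports and automated
alerts the checklist asks about.  The log lines, the alert channels and the
failure threshold are assumptions for illustration."""
import re
from collections import Counter, defaultdict

# Constructed sample log (not captured from a real host).
LOG = """\
Mar  3 08:01:12 srv1 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 52114 ssh2
Mar  3 08:01:15 srv1 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 52115 ssh2
Mar  3 08:01:19 srv1 sshd[812]: Failed password for root from 203.0.113.9 port 52116 ssh2
Mar  3 08:01:22 srv1 sshd[812]: Failed password for root from 203.0.113.9 port 52117 ssh2
Mar  3 08:01:25 srv1 sshd[812]: Failed password for root from 203.0.113.9 port 52118 ssh2
Mar  3 08:02:01 srv1 sshd[813]: Accepted publickey for alice from 192.0.2.10 port 40100 ssh2
Mar  3 08:02:30 srv1 su: (to root) alice on pts/0
Mar  3 08:03:10 srv1 sshd[814]: Failed password for bob from 192.0.2.11 port 40200 ssh2
Mar  3 08:03:40 srv1 sshd[815]: Accepted password for bob from 192.0.2.11 port 40201 ssh2
Mar  3 08:05:00 srv1 useradd[900]: new user: name=svc_backup, UID=1010, GID=1010, home=/home/svc_backup, shell=/bin/bash
Mar  3 08:06:00 srv1 sshd[816]: Accepted password for root from 198.51.100.7 port 33000 ssh2
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+)")
SU = re.compile(r"\(to (\S+)\) (\S+) on (\S+)")
USERADD = re.compile(r"new user: name=([^,]+)")


def security_report(lines, failure_threshold=5):
    """Return failed-login counts by source and a list of (channel, message)
    alerts.  Channels model the checklist's console / page / email facilities."""
    failed_by_source = Counter()
    targets = defaultdict(set)      # source -> user names attempted
    had_failure = set()             # (user, source) pairs with a prior failure
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, host, _prog, msg = m.groups()
        if (f := FAILED.search(msg)):
            user, src = f.groups()
            failed_by_source[src] += 1
            targets[src].add(user)
            had_failure.add((user, src))
        elif (a := ACCEPTED.search(msg)):
            method, user, src = a.groups()
            if user == "root":
                alerts.append(("page", f"{ts} {host}: direct root login by {method} from {src}"))
            elif (user, src) in had_failure:
                alerts.append(("console", f"{ts} {host}: {user} logged in from {src} after earlier failures"))
        elif (s := SU.search(msg)):
            target, user, tty = s.groups()
            if target == "root":
                alerts.append(("email", f"{ts} {host}: {user} switched to root on {tty}"))
        elif (u := USERADD.search(msg)):
            alerts.append(("email", f"{ts} {host}: account {u.group(1)} created"))
    for src, count in failed_by_source.items():
        if count >= failure_threshold:
            users = ", ".join(sorted(targets[src]))
            alerts.append(("page", f"{count} failed logins from {src} against {users}"))
    return {"failed_by_source": dict(failed_by_source), "alerts": alerts}


if __name__ == "__main__":
    report = security_report(LOG)
    for channel, message in report["alerts"]:
        print(f"[{channel}] {message}")
```

A direct root login and a burst of failures page someone immediately, privilege escalation and account creation go to email for next-day review, and a success that follows failures from the same source is only noted on the console; which events deserve which channel is exactly what the auditor should compare against the site's reporting standard.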

G 3.
Ascertain whether all known operating system fixes have been installed. If not, evaluate the justification for why available fixes have not been installed. Determine if procedures are in place to ensure that system administration personnel are informed of available operating system fixes in a timely manner. Determine if third-party security software is running on the servers.

Network Overview
Objective: To ensure that the audit team has a clear understanding of network components and interfaces which may impact the logical security of specific servers and workstations.

Obtain an understanding of the network environment at the site under review. NOTE: Determine if audit professionals responsible for network security have documentation regarding the network environment before initiating discussions with system administrators. Determine who is responsible for ensuring that the processing environment is in compliance with applicable corporate security policies and standards. Determine whether or not appropriate systems and security administration personnel are involved in defining corporate security policies and standards to ensure the applicability of the policies and standards throughout the processing environment.

Furthermore, to ensure that existing policies and standards are applicable throughout the processing environment and that all systems are in compliance with appropriate policies and standards. Determine if existing corporate security policies and standards are applicable to the environment under review. Determine if security administration personnel are aware of relevant corporate security policies and standards for the operating environment under review.

Identify the procedures in place to ensure compliance with relevant corporate security policies and standards. Determine if a process is in place to ensure that all systems and security administration personnel are informed of all relevant corporate security policies and standards. Determine if a process is in place to ensure that all new employees are informed of corporate security policies and standards. Determine if a security awareness program is in place to ensure that end-users are periodically informed of corporate security policies and standards to ensure that they are aware of their individual responsibilities relative to security.

Determine if processes are in place to ensure that individuals with security administration responsibilities are kept informed of key security advisories. Determine if the role and responsibilities of Security Administrator have been formally defined and documented. Determine if individuals with security administration responsibilities are dedicated to security administration on a full-time basis.

If security administration is a part-time responsibility, determine if the individuals with security administration responsibilities have other responsibilities that are incompatible with the security administration function.

Objective: To ensure that appropriate processes are in place to ensure that individuals with security administration responsibilities are qualified to complete defined security administration tasks.

Evaluate the hiring process for system and security administration personnel. Determine if security administration personnel have been adequately trained to support the technology that they are responsible for. Ascertain if backup system and security administration personnel have been identified to provide systems support in the event that the primary administrator(s) are unavailable.

Security Administration Procedures
Objective: To ensure that security administration responsibilities and activities have been adequately defined and documented to support the security administration function and to ensure that appropriate documentation is available to facilitate training processes for new administrators. Determine if documented procedures exist to support the security administration function and to facilitate the training process for new employees.

If documented procedures exist, ascertain if the documentation is up to date. If documented procedures exist, evaluate the documentation and determine whether the documentation is adequate to provide guidance in the event that primary security administration personnel become unavailable.

Evaluate the use of third-party tools to complete security administration activities. Determine if in-house developed automated processes are used to complete security administration activities.

Servers
Objective: To ensure that adequate controls are in place over the installation and configuration of server hardware. Determine if formal policies and standards exist for the installation and configuration of server hardware. Determine if processes are in place to ensure that server installations are in compliance with applicable policies and standards.

NOTE: If reliance is placed on third-party security systems, the Security System Configuration sections of this program also apply. Determine if formal policies and standards exist for the configuration of the operating system under review. If policies and standards exist, identify which of these policies and standards are applicable to the environment under review. Determine if procedures are in place to ensure compliance with applicable policies and standards throughout the configuration process for operating system installations and upgrades.

Operating System Configuration - Configuration Process
Objective: To ensure that adequate controls are in place over the configuration of operating system installations and upgrades. No further testing of controls over systems software maintenance is necessary as these controls are addressed in the change management audit programs. Determine if standard operating system configuration images are maintained to ensure the consistency of all operating system configuration efforts.

Determine if all operating system security configurations are appropriately authorized as well as adequately reviewed and approved by appropriate management prior to being introduced into the production environment. Determine if adequate records are maintained to document all modifications and fixes to operating system security. Ensure that operating system configuration procedures include steps to ensure compliance with all relevant corporate policies and standards.

Ensure that appropriate records are maintained to document all deviations from relevant corporate policies and standards.

Operating System Configuration - System Security Parameters
Objective: To ensure that existing operating system security parameters are configured to secure settings and are in compliance with best practices and relevant corporate policies and standards. Review relevant corporate policies and standards for the operating system under review. Tailor this audit program to ensure that audit procedures are designed to ensure that operating system configuration settings are in compliance with those policies and standards.

Evaluate existing best practices for the configuration of operating system security parameters. Tailor this audit program to ensure that applicable best practices are considered in the audit approach.

Evaluate current operating system configuration settings to ensure that the settings are in compliance with relevant corporate policies and standards and conform to best practices. Ensure that all default passwords for predefined system accounts have been changed. Determine if the configurations for predefined system account profiles have been changed from the vendor settings. If so, determine why and evaluate the effect of the changes on system security.

Determine if the configurations for predefined group profiles have been changed from the vendor settings. Ensure that all guest accounts have been disabled or removed from the system. Ensure that all defined system services have been approved and are in compliance with relevant configuration policies and standards.
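The system services tests in this section (every listening service approved, and each service on its proper port) as an added example that is not part of the audit program. The approved baseline, the prohibited-service list and the listener table are constructed, and the table's (protocol, local address, process) layout is an assumption rather than the output of any particular tool:

```python
"""Added example (not part of the audit program): compare the services a host
is listening on with an approved baseline of services and ports.  The baseline,
the prohibited list and the listener table are constructed; the table's
(protocol, local address, process) layout is an assumption, not a tool's output."""

# Assumed approved baseline for this server role: (port, protocol) -> service
BASELINE = {
    (22, "tcp"): "sshd",
    (443, "tcp"): "httpd",
    (5432, "tcp"): "postgres",
    (123, "udp"): "ntpd",
}
# Assumed policy: clear-text or legacy services that must never run in production
PROHIBITED = {"telnetd", "rshd", "rlogind", "fingerd", "tftpd"}

# Constructed listener table: (protocol, local address, owning process)
LISTENERS = [
    ("tcp", "0.0.0.0:22", "sshd"),
    ("tcp", "0.0.0.0:443", "httpd"),
    ("tcp", "[::]:443", "httpd"),
    ("tcp", "127.0.0.1:5432", "postgres"),
    ("tcp", "0.0.0.0:23", "telnetd"),      # prohibited service
    ("tcp", "0.0.0.0:8022", "sshd"),       # approved service on an unapproved port
    ("tcp", "0.0.0.0:8080", "python3"),    # unknown service
    ("udp", "0.0.0.0:123", "ntpd"),
]


def split_address(local):
    """Return (host, port) for 'host:port' and '[v6]:port' forms."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def review_services(listeners, baseline=BASELINE, prohibited=PROHIBITED):
    """Return (endpoint, process, issue) findings: prohibited services, services
    not in the baseline, approved services on the wrong port, and approved
    services that are not running at all."""
    approved_ports = {}
    for (port, proto), service in baseline.items():
        approved_ports.setdefault(service, set()).add(f"{proto}/{port}")
    findings = []
    seen = set()
    for proto, local, process in listeners:
        _host, port = split_address(local)
        key = (port, proto)
        endpoint = f"{proto}/{port}"
        seen.add(key)
        if process in prohibited:
            findings.append((endpoint, process, "prohibited service"))
        elif key not in baseline:
            if process in approved_ports:
                allowed = ", ".join(sorted(approved_ports[process]))
                findings.append((endpoint, process, f"approved only on {allowed}"))
            else:
                findings.append((endpoint, process, "not in the approved baseline"))
        elif baseline[key] != process:
            findings.append((endpoint, process, f"port reserved for {baseline[key]}"))
    for (port, proto), service in baseline.items():
        if (port, proto) not in seen:
            findings.append((f"{proto}/{port}", service, "approved service not listening"))
    return findings


if __name__ == "__main__":
    for finding in review_services(LISTENERS):
        print(*finding, sep="  ")
```

An approved service on an unexpected port is reported separately from an unknown service, because the two call for different follow-up: the first is usually an undocumented second instance, the second an unapproved installation. The final loop also reports approved services that are absent, which is the evidence that the baseline itself is stale.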

Ensure that all system services are configured to appropriate system ports. Ensure that processes are in place to prevent the operating system from being booted with unauthorized configuration settings.

System Utilities
Objective: To ensure that adequate controls are in place over the use of sensitive system utilities. Evaluate procedures in place to restrict access to powerful and sensitive system utilities. Identify those installed utilities that have the ability to bypass system level security.

Determine if any scripts, command procedures, or applications have been developed which have the ability to bypass system security. Identify the accounts and groups with access to system utilities. Ensure that the number of users with access to these utilities is reasonable and appropriate based upon the users' job function.

Determine if formal policies and standards exist for the configuration of the third-party security system under review. Determine if procedures are in place to ensure compliance with applicable policies and standards throughout the configuration process for security system installations and upgrades.

Security System Configuration - Configuration Process
Objective: To ensure that adequate controls are in place over the configuration of third-party security system installations and upgrades. Determine if standard configuration images are maintained to ensure the consistency of all configuration efforts for the security system under review.

Determine if all security system configurations are appropriately authorized as well as adequately reviewed and approved by appropriate management prior to being introduced into the production environment.

Determine if adequate records are maintained to document all modifications and fixes to third-party security systems. Ensure that configuration procedures include steps to ensure compliance with all relevant corporate policies and standards.

Security System Configuration - System Security Parameters
Objective: To ensure that existing parameters for third-party security systems are configured to secure settings and are in compliance with best practices and relevant corporate policies and standards.

Review relevant corporate policies and standards for the security system under review. Tailor this audit program to ensure that audit procedures are designed to ensure that third-party security system configuration settings are in compliance with those policies and standards.

Evaluate existing best practices for logical system security. Evaluate current third-party security system configuration settings to ensure that the settings are in compliance with relevant corporate policies and standards and conform to best practices. Ensure that all default passwords for predefined accounts have been changed. Ensure that ownership of all predefined accounts is documented. Ensure that all system services are appropriately configured.

Meet with security administration personnel to obtain an understanding of the account management process. If available, review documented procedures in place to support user account management activities. Review the system account listing and determine if all IDs follow a consistent naming convention and comply with existing standards. Determine if any accounts exist which have been inactive for over 90 days and have not been disabled. Request a report that summarizes all terminations that have occurred within the last three months.
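The step E 1 account management tests (naming convention, accounts inactive for over 90 days and not disabled, and accounts of staff on the terminations report) as an added example that is not part of the audit program. The account listing, the HR report, the review date and the naming convention are constructed assumptions; a real review would export the listing from the system and the report from HR:

```python
"""Added example (not part of the audit program): run the step E 1 account
tests over a constructed account listing and terminations report.  The
review date, the naming convention, the 90-day inactivity threshold and
every record below are assumptions for illustration."""
import re
from datetime import date, timedelta

AS_OF = date(2024, 3, 31)                     # assumed review date
INACTIVE_DAYS = 90
NAMING = re.compile(r"^[a-z]{2,8}\d{2}$")     # assumed convention, e.g. jsmith01

# Constructed account listing: (account, owner, status, last login or None)
ACCOUNTS = [
    ("jsmith01", "J. Smith", "enabled", date(2024, 3, 20)),
    ("aperez02", "A. Perez", "enabled", date(2023, 11, 2)),        # dormant
    ("backupsvc", "Backup service", "enabled", date(2024, 3, 30)),  # bad name
    ("lwong03", "L. Wong", "disabled", date(2023, 6, 1)),          # leaver, handled
    ("rbrown04", "R. Brown", "enabled", None),                     # never used
    ("tnguyen05", "T. Nguyen", "enabled", date(2024, 3, 1)),       # leaver, not handled
]
# Constructed HR terminations report for the last three months: (owner, date)
TERMINATIONS = [
    ("T. Nguyen", date(2024, 2, 15)),
    ("L. Wong", date(2024, 1, 10)),
]


def review_accounts(accounts, terminations, as_of=AS_OF,
                    naming=NAMING, inactive_days=INACTIVE_DAYS):
    """Return (account, issue) findings for the step E 1 tests: naming
    convention, dormant accounts still enabled, enabled but never used,
    and accounts of terminated staff that are still enabled."""
    terminated = {owner for owner, _ in terminations}
    cutoff = as_of - timedelta(days=inactive_days)
    findings = []
    for account, owner, status, last_login in accounts:
        if not naming.match(account):
            findings.append((account, "does not follow the naming convention"))
        if status != "enabled":
            continue            # disabled accounts satisfy the remaining tests
        if last_login is None:
            findings.append((account, "enabled but never used"))
        elif last_login < cutoff:
            days = (as_of - last_login).days
            findings.append((account, f"inactive for {days} days and not disabled"))
        if owner in terminated:
            findings.append((account, f"owner {owner} terminated but account still enabled"))
    return findings


if __name__ == "__main__":
    for account, issue in review_accounts(ACCOUNTS, TERMINATIONS):
        print(f"{account}: {issue}")
```

An enabled account with no login at all is reported as its own case rather than treated as dormant: there is no date to age, and it is typically a created-but-never-collected account, which the authorization documentation asked for in E 1 should explain.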

Verify that the accounts for all terminated employees have been disabled or removed from the systems. Judgmentally select a sample of accounts from the account listing requested in step E 1.

Objective: To ensure that the system has been configured to facilitate the use of secure passwords to prevent unauthorized access to critical applications, data and system resources. Meet with security administration personnel to obtain an understanding of the password management controls.

User Profile Configurations
Objective: To ensure that adequate controls are in place over the configuration of user profiles to ensure that user access rights are commensurate with users' job responsibilities.

Meet with security administration personnel to obtain an understanding of the controls over the configuration of user profiles. Select a sample of accounts from the system account listing requested in step E 1.

Group Profile Configurations
Objective: To ensure that adequate controls are in place over the configuration of group profiles to ensure that access rights for users assigned to the group profiles are commensurate with users' job responsibilities.

Meet with security administration personnel to obtain an understanding of the controls over the configuration of group profiles.

Select a sample of group profiles for review. Are the access rights and privileges provided to the user by the group profile commensurate with each user's job responsibilities?

Privileged Accounts
Objective: To ensure that adequate controls are in place over the authorization, ownership, and use of sensitive super-user accounts. Meet with security administration personnel to obtain an understanding of the controls in place over privileged system level accounts.

Special User Accounts
Objective: To ensure that appropriate controls are in place over the authorization, ownership, and use of unique special user accounts.

Evaluate the controls in place over the establishment and use of special user accounts. Determine if the systems have been configured to lock accounts after a specified number of invalid logon attempts. Determine if system banners are displayed on the systems during the login process to provide a warning against unauthorized access.

Ensure that organization-specific information is not included in the system banner displays. Determine if the systems have been configured to limit concurrent logins to a single account.
