Tuesday, September 9, 2008

Administrator Tools

AUDIT PROGRAM for Systems Administration & Operation
AUDIT STEPS:

Documentation


1. Check to ensure that the Policy and Procedures Manual is readily available to all staff, either in hardcopy or softcopy (database). Obtain access to it.
2. Check to ensure that there are procedures in place to ensure that the Manual is updated from time to time, or when systems or processes change.
3. During the course of the audit, note any instances where actual practice differs from the procedures laid down in the Manual. The parts of the Procedures Manual covering the activities being audited should be read at the start and at the end of each section of the audit.


Change Management

1. Determine if a change management process(es) exists and is formally documented.
2. Obtain a copy of the change management procedures and verify that they (at a minimum) include:
* Accountability for managing and coordinating changes;
* The change management flow(s) within the organization;
* The change management responsibilities of each organizational function;
* The deliverables from each organizational component;
* Specific timetables for reviewing and scheduling planned changes;
* Specific timetables for the retention of historical records;
* The handling of all changes, including change back-outs.
3. Determine the process used to identify and update user/system documentation as a result of the change(s) made.
4. Verify a methodology is used for initiation and approval of changes.
5. Ensure the request form includes (at a minimum) the following information:
* Name of requester
* Phone number and department
* Requester's signature
* Reason for change
* List of modules that need to be changed
* Supervisor's name
* Supervisor's approval (changes must be approved by someone other than the requester).
6. Determine if priorities are assigned to the change requests.
7. Ensure estimated time of completion and budgeted costs are communicated.
8. Evaluate the process used to control and monitor change requests (central repository and aging mechanism).

Problem & Incident Management

1. Review the problem reporting/resolution tracking system and determine whether:
* Problems are appropriately logged and prioritized.
* Corrective measures are implemented in a timely manner.
* Management reporting procedures are adequate.

Segregation of Duties

1. Ensure that developers and programmers have no access to the production server.
2. Ensure that the OS administrator function is segregated from the operator function.
3. Ensure that the OS administrator has no access to production data (DB).


Maintenance Contract

1. Obtain and review copies of all vendor contracts and agreements, to identify the responsibilities for preventive maintenance.
2. Determine whether preventive maintenance is performed as prescribed, e.g. by reviewing the maintenance log.
3. Ensure that the vendor's technical expertise gives assurance that it is capable of providing adequate maintenance support to satisfy the current and future needs of bank customers.


Operating System Administration

1. Verify that the Security Administration procedure is available.
2. Check that a procedure for System Management is available.
3. Check the machine area and verify that it is restricted to authorised staff only.
4. Verify the existence of a control mechanism over vendor access.
5. Obtain and review the system generation report, the system log, and other system related activity reports. (Review changes made to the operating system and supporting system software to determine compliance with standards, including adequate internal controls.)
6. Ensure that system logs and reports adequately record system administrator activity.
7. Ensure that management's overall supervision of system activities is adequate, covering:
* Daily monitoring activities
* New system installation
* Implementation of new releases
* Documentation of changes
* System testing
* Management or supervisory approvals.


OPERATING SYSTEM SECURITY

Depending on the OS (Unix, WinNT, Win2000, Novell, Guardian, VOS).

For any OS refer to the audit program of that OS.

1. Obtain a copy of the ACL (Access Control List) and verify that all users are authorised users and that every user has a password.
2. Review the groups and ensure that the System group contains no users.
3. Ensure that only system administrators are defined in the Sys_admin group and that all others are disabled. Ensure that all unneeded IDs are either disabled or deleted.
4. Ensure that access to system files is restricted in order to protect them from unauthorised access or modification.
5. Ensure that automatic data integrity checks are performed on all system downloads and uploads (FTP activities).
6. Ensure that a lockout mechanism exists to limit password-guessing attempts (referred to as SERVER LOCK).
7. Ensure that password aging is enforced and that an expiration date is defined for passwords.
8. Ensure that security violation reports are printed and reviewed, and that copies of these reports are sent for review.
9. Examine utilization reports and determine the times of peak resource demand within the processing day.
10. Determine whether capacity (processor, memory, disk, etc.) is being monitored and reported for capacity planning.
11. Determine whether performance measurements are in place.
12. Determine whether system downtime is recorded.
13. Ensure that no terminals are directly connected to the server.
14. Ensure that the server cabinet is locked and the key is kept in a safe place.
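Steps 1, 2, 3 and 7 above can be partly automated against a Unix-style host's account files. The following is an added example (not part of the original audit program) that runs those checks over constructed /etc/passwd, /etc/shadow and /etc/group contents; it assumes the System group is gid 0, the Sys_admin group is named `sysadmin`, and a 90-day password aging policy.

```python
# Added example, not from the original audit program: automate OS security
# steps 1, 2, 3 and 7 on Unix-style /etc/passwd, /etc/shadow, /etc/group text.
# Assumed: system group is gid 0, admin group is named "sysadmin",
# aging policy is 90 days. All sample data below is constructed.
from __future__ import annotations

APPROVED_ADMINS = {"alice"}   # constructed list of authorised administrators
ADMIN_GROUP = "sysadmin"      # assumed name of the Sys_admin group
MAX_PASSWORD_AGE_DAYS = 90    # assumed aging policy
LOCKED = ("!", "*")           # shadow markers for disabled IDs (acceptable)

SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n" \
                "bob:x:1001:1001::/home/bob:/bin/bash\noldsvc:x:1002:1002::/srv/old:/bin/sh\n"
SAMPLE_SHADOW = "root:$6$hash:19000:0:99999:7:::\nalice:$6$hash:19000:0:90:7:::\n" \
                "bob::19000:0:90:7:::\noldsvc:!:18000:0:::::\n"
SAMPLE_GROUP = "root:x:0:bob\nsysadmin:x:27:alice,bob\nusers:x:100:\n"

def audit_accounts(passwd: str, shadow: str, group: str) -> list[str]:
    """Return findings as strings; an empty list means every check passed."""
    findings: list[str] = []
    shadow_rows = {r.split(":")[0]: r.split(":") for r in shadow.splitlines() if r}
    for row in passwd.splitlines():
        user = row.split(":")[0]
        sh = shadow_rows.get(user)
        if sh is None:
            findings.append(f"{user}: no shadow entry")
            continue
        pw, max_age = sh[1], sh[4]
        if pw == "":                       # step 1: every user has a password
            findings.append(f"{user}: empty password")
        elif pw not in LOCKED and (max_age == "" or int(max_age) > MAX_PASSWORD_AGE_DAYS):
            findings.append(f"{user}: password aging not enforced")   # step 7
    for row in group.splitlines():
        name, _, gid, members = row.split(":")
        member_set = {m for m in members.split(",") if m}
        if gid == "0" and member_set:      # step 2: system group holds no users
            findings.append(f"system group {name} has members {sorted(member_set)}")
        if name == ADMIN_GROUP:            # step 3: only approved administrators
            for extra in sorted(member_set - APPROVED_ADMINS):
                findings.append(f"{extra}: unapproved member of {ADMIN_GROUP}")
    return findings
```

On a live host the same function can be fed the contents of the real files; locked IDs (`!` or `*`) are treated as disabled and therefore acceptable under step 3.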


ROOT & Super IDs Utilization

1. Identify the risks involved in the use of high-level IDs.
2. Outline the types of such high-level IDs, namely root, superuser, administration and backup IDs, etc.
3. Ensure that root IDs are not used for normal operation and that their use is limited to certain listed scenarios. Review the root log.
4. Review the controls and measures to be considered in using these IDs.
5. Review the authorities and responsibilities of those using or requesting the use of these IDs.


Operation

1. Obtain a current list of the personnel who work in the TOD facility.
2. Review the operators' duties and determine whether they are prevented from:
* Originating entries for processing.
* Correcting data exceptions, unposted, or rejected items.
* Preparing any general ledger and/or subsidiary ledger entries.
* Performing any balancing functions (reconcilements) other than run to run control.
* Running test programs against live or backup files.
* Executing programs from the test library during production runs.
* Controlling report generation and distribution.
3. Review the console log. Determine whether it is reviewed by supervisory personnel and retained for a reasonable length of time in safe storage to provide an audit trail.
4. Review the job scheduling function and assess its adequacy.
5. Determine that all applications place internal (or electronic) labels on tape and disk files, and that all applications check for a proper date on input files.
6. Determine log-on procedures.
7. Determine that each tape and/or disk file has an external label which has been completed according to pre-determined standards.
8. Determine whether computer output is protected from unauthorized access (e.g., by placement in locked bins assigned to specific individuals or departments).


Antivirus Strategy

1. Ensure that an antivirus strategy document exists.
2. Ensure that the antivirus coverage includes servers as well as end users.
3. Review the frequency of antivirus updates.
4. Ensure that the antivirus server is updated whenever there is a virus announcement.


Backup Strategy

1. Review procedures for the creation and rotation of backup media (disks or tapes).
2. Determine whether backup procedures provide for the ability to adequately recover:
* Operating systems
* Application programs
* Master files
* Transaction files
* System utilities
* Any other programs that are necessary to restore operations at the recovery site.
3. Verify that the computer's disk storage is backed up daily.
4. Determine if backup media (disks or tapes) is rotated off-site in a timely manner.
5. Determine if the off-site storage facility is:
* Sufficiently remote from the processing facility.
* Adequately controlled for access and environment.
* Accessible within a reasonable time frame, if backups are needed.
6. Verify that controls exist to ensure that all backup files have been returned to the bank from their off-site storage locations.
7. Verify that back-up data files are checked for readability on a planned basis.

Tape Library

1. Determine whether a tape management system is in place.
2. Identify what prevents unauthorized removal, introduction, or substitution of tapes.
3. Identify what prevents the mounting and use of the wrong tape.
4. Identify what prevents the inadvertent use of an active tape as a scratch tape.
5. Verify that the tape library (used for on-site storage) is a sufficient distance from the computer room and adequately protected to ensure that if a disaster befell the computer room, the tape library would survive, and vice versa.
6. Determine whether:
* The tape library is environmentally controlled.
* Tapes, including backups, are tested periodically for defects.
7. Determine if the data center can produce a report showing all tapes on hand and:
* How frequently the inventory is updated.
* Whether off-site tapes are accounted for.
* Whether the inventory includes:
  * Volume name/number
  * Location
  * Names of all files on the volume
  * Creation and expiration dates of the contents


Physical Security

PHYSICAL SECURITY - ACCESS


1. Is access to the computer area restricted to authorised staff only, and how is this achieved?
2. Are filing areas for system documentation and security segregated so that only specific persons have access and how is this achieved?
3. Are staff instructed to challenge unidentified visitors?
4. Are there procedures in place to control and identify visitors and how is this achieved?
5. Are all exterior windows covered with expanded metal grilles, or other suitable security devices, if near street level?
6. Are authorised persons prevented from gaining access during off hours without the knowledge of the security guards or another employee, and how is this achieved?
7. Is there a round-the-clock watchman service, and how is this achieved?
8. Is the location of the computer facility advertised?
9. Is the computer room screened so that it is not easily visible and how is this achieved?
10. Are there standby facilities to operate electrically controlled doors during power failure and how is this achieved?

PHYSICAL SECURITY - ELECTRONIC MEDIA MAGNETIC TAPES AND DISKS

1. Is the tape library located in an area not at high risk from explosion, fire, flood and other such dangers and how is this achieved?
2. Are these areas identified so that in the event of the occurrence of one of these emergencies the fire service can be notified of which areas should be treated as a priority and how is this achieved?
3. Are critical tape files stored in vaults specifically designed to offer protection from the above dangers and how is this achieved?
4. Are the tapes protected and secured while in transit to back-up sites and how is this achieved?

ENVIRONMENTAL SECURITY - FIRE

1. Is there any accumulation of trash (hazardous materials) in the area?
2. Are paper and other supplies stored outside the computer area?
3. Is the raised floor made of non-combustible material?
4. Are ceilings and support hardware (for hung ceilings) made of non-combustible material?
5. Are computer operators trained periodically in fire fighting techniques and assigned individual responsibilities in case of fire?
6. Are curtains, rugs, drapes, furniture, etc. made of fire-retardant or non-combustible materials?
7. Is the computer and tape storage area protected from fire by:
* An automatic fire suppressant system such as carbon dioxide?
* Are the staff trained in the use of fire extinguishers, gas masks and other personal safety devices, and how is this achieved?
* Has water-based fire prevention equipment been removed from the area?
* Is a wet pipe prevention system used (releases water at a set temperature)?
* If a wet pipe system is used, is it a pre-action system (which may trigger an alarm and delay the release of water), and how is this achieved?
8. Are portable and appropriate (non-water) fire extinguishers spread strategically around the area?
9. Are emergency power shutdown controls easily accessible at point of exit?
10. Does emergency power shutdown include the air-conditioning system and how is this achieved?
11. Are smoke detectors installed and tested?
12. Are fire drills held regularly?
13. Is regular cleaning under the raised floor being done?
14. Is there battery powered emergency lighting in the computer area?
15. Are there sufficient fire alarm pull boxes within the computer area?
16. Are the flammable materials used in computer maintenance, such as cleaning fluids kept in small quantities and in approved containers?
17. Can emergency crews gain access to the computer area without delay and how is this achieved?

ENVIRONMENTAL SECURITY - WATER

1. Are there any steam or water pipes except for sprinklers?
2. Are there adequate drainage facilities to prevent flooding from above and within?
3. Are all electrical junction boxes under the raised flooring held off the slab to prevent water damage?
4. Are the rooftops and rooftop cooling towers well protected against accumulated rain water or leaks?

AIR-CONDITIONING

1. Is there a system exclusively for the computer area?
2. Are duct linings non-combustible?
3. Are filters non-combustible?
4. Is the compressor remote from the computer room/facilities?
5. Is the cooling tower fire protected?
6. Is there back-up air-conditioning capability?
7. Are air intakes:
* covered with protective screening;
* located well above street level;
* located so as to prevent intake of pollutants or other debris?

ELECTRICITY

1. Is the local electric power supply reliable and satisfactory?
2. Is the voltage input controlled with a surge protection device and monitored with a recording voltmeter which displays transients?
3. Is there provision for alternate power sources?

HOUSEKEEPING

1. Are the computer facility areas kept neat and tidy?
2. Are the equipment covers and work surfaces kept clean?
3. Are the floors kept clean?
4. Are the waste baskets kept outside computer facility areas or cleared regularly?
5. Are the floor carpets of anti static type?
6. Is eating inside computer room prohibited?
7. Is smoking inside computer room prohibited? Are there any ashtrays?
8. Are maintenance areas kept clean and tidy?
