Friday, June 11, 2010

Security Awareness (SA006-10): Security Audit


Auditing for security management is a systematic process of evaluating and examining an organisation’s core security policies, technical controls, processes, procedures, practices and operations in order to ascertain that the security protection offered to its valued assets is adequate, applicable and compliant [Cyril Onwubiko, ‘A Security Audit Framework for Security Management in the Enterprise’, Communications in Computer and Information Science, ISBN 978-3-642-04061-0, pp. 9-17. Online: http://www.springerlink.com/content/v12786838l8046h3/].

Security audits can be very useful to an organisation in many ways. For example, security audits assist an organisation by:
• Revealing business practice nonconformity;
• Identifying when policies, standards or procedures are not being followed (noncompliance);
• Finding regulatory or legislative noncompliance (desk-based audits);
• Above all, determining whether its employees comply with the organisation’s security policies, standards and procedures.

There are four types of internal audits recommended in the industry, namely:
• Desk-based compliance audit
• Spot check audit
• User accountability audit
• Operations audit

To assist anyone wanting to carry out an internal audit, the E-Security Group at Research Series Limited has drafted the questionnaire below (a sample, not a comprehensive list) as a useful starting point, irrespective of the business the organisation is in.

Questionnaire for Audit
Policies and Procedures
• Are all personnel/staff aware of the Programme’s security policies?
• Does the Programme have its own written security policies, procedures, processes and local working instructions?
• Are these policies, procedures and processes available in an easily accessed location? Please establish media type (hardcopy, electronic, online, intranet)
• Do staff have written guidelines for protecting their workstations and storage media files?
• Does the Programme have a system administrator?
• Are there clearly defined system security procedures for the Administrator?
• Are staff instructed on basic workstation security?
• Do personnel in the Programme have sufficient authority to carry out IT security-related duties and enforce policies?
• Are there available and competent personnel to provide cover when a System Administrator is unavailable?
• Does the Programme have a process to address incidents or compromises?

Regulatory/Legal Compliance
• Does the Programme comply with the HMG Security Policy Framework (SPF)?
• Does the Programme comply with the Data Protection Act 1988 (DPA)?
• Does the Programme comply with the Privacy Act?
• Does the Programme comply with the Official Secrets Act (OSA), and do employees and direct delivery partners sign-up to OSA?
• Does the Programme comply with the Regulation of Investigatory Powers Act 2000 (RIPA)?
• Does the Programme comply with the Freedom of Information Act (FoIA)?
• Does the Programme comply with the Telecommunications
• Does the Programme comply with The Data Protection (Processing of Sensitive Personal Data) Order 2002?
• Does the Programme comply with The Human Rights Act (HRA) 1998?
• Does the Programme comply with the Lawful Business Practice Regulations 2000?
• Does the Programme comply with the Privacy and Electronic Communications Regulations (PECR)?
• Does the Programme comply with the Data Handling Review (DHR) 2008 & CESG IA Standard no. 6 – Protecting Personal Data and Managing Information Risk?
• Does the Programme comply with ISO 27001 - Information Security Management Systems (ISMS)?

Environmental
• Are the Programme’s data centres located in places that are safe and free from potential danger (for example, not in close proximity to popular tourist attractions or to likely target structures), with sufficient power sources, etc.?
• Do Uninterruptible Power Supplies (UPS) provide an alternate source of power to the data centres?
• Are the heating, cooling and ventilation systems keeping the data centres at the appropriate temperature and humidity?

Physical Security
• Has a physical security audit been done? If yes, when was this assessment carried out?
• Does the Programme have physical security standards policies and procedures?
• Are there procedures for access control to the data centres or computer rooms?
• Does the Programme have a physical alarm/warning system?
• Are workstations and laptops locked down to deter theft?
• Are all server and workstation cases locked to prevent access to internal components?
• Are unused laptop computers kept in locked storage areas?
• Is there an asset record log for all assets that are sent to or received from other office locations?
• Does the Programme have a standard and procedure for sanitizing and disposing of confidential and sensitive material on hard drives, tapes, floppy disks, CDs, etc.?
• Does the Programme have a policy and procedure for assessing authorised access to secure rooms and data centres?
• Does the Programme have a policy and procedure for user physical access request and authorization?
• Is CCTV used to monitor all buildings, data centres and secure operations rooms?
• Is proper building security in place, and are there security guards monitoring the environment (office building, data centres and communications rooms)?

Hardware
• Is there redundant hardware to allow work to continue in the event of a single hardware failure? When was it last tested?
• Is there an alternate power supply to the data centres? Does this involve the use of a UPS?
• Does the UPS notify someone when it goes into operation?
• When was the UPS last tested?
• Is there a plan to have Programme hardware upgraded/replaced at regular intervals?
• Does the Programme have system maintenance standards and procedures?
• Do the System Administrators/Secure Ops Admins ensure that all sensitive data is removed from equipment before it is sent out for repair or replacement?
• Is diagnostic hardware and/or software maintained onsite or offsite?

Software
• Do the Programme Administrators have original disks to reinstall the software if the hard drive fails?
• Is all software vendor/supplier supported? If your software is old or unsupported, what are your plans to replace it?
• Does all software have current and valid licenses and have OEM support?
• Is locally developed software supported by an easy-to-reach developer?
• Does the Programme have provisions to continue operation if business-critical services software becomes unavailable?

Network and Communications Security
• Does the Programme have a logical network map/diagram? If yes, where is the diagram stored, and who has access to the repository?
• Does the Programme have an asset database or inventory of devices attached to the network?
• Are the network points mapped to a switch port?
• Is there a policy as to how network services are accessed by users?
• Does the Programme have network documentation to assist problem resolution of a computer or network fault?
• Does the Programme have physical and remote access to network devices and the platform?
• Does the Programme have the ability to continue to function in the event of a wide area network failure?
• Does the Programme have a network diagram that includes IP addresses, room numbers and responsible parties?
• Are end users prevented from downloading and/or installing certain types of software? How?
• Are contents of system logs protected from unauthorized access, modification, and/or deletion?
• Is the CD-ROM AutoRun feature disabled on all workstations?
• Are USB ports disabled on all workstations?
• Are there specific rooms for secure systems and operations? If yes, does the secure room have its own security policy?
• Are trusted workstations secured if used for other purposes?
• Are trusted workstations SSL or VPN enabled?
• Are trusted workstations required to have complex passwords?
• Are chat clients (ICQ, Yahoo Messenger, IM, etc.) managed? How are they managed?
• What security precautions are taken for dial-in modems?
• Are ActiveX, JavaScript, and Java disabled in web browsers and email programs for all workstations?
• Are the Administrator accounts, and any equivalent accounts, on all workstations limited to the technical support team? Are they password protected?
• Is the guest account on all workstations disabled?
• Is file sharing permitted and secured on any workstation in the Programme? If so, how is it secured?
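Three of the workstation questions above (AutoRun, USB storage and ActiveX in the browser) can be answered from the Windows registry rather than by asking. The script below is an added example and is not part of the original post or of any Research Series Limited tool: a collector that reads the live values on a Windows workstation through the standard `winreg` module, and an evaluator that scores a snapshot against the expected values. The registry paths and value semantics are standard Windows ones (`NoDriveTypeAutoRun` = 0xFF disables AutoRun for every drive type, `USBSTOR` `Start` = 4 disables the USB storage driver, Internet-zone action `1200` = 3 disables ActiveX); the two sample snapshots are constructed for illustration.

```python
# Added example (not from the original post): evaluate registry evidence for
# three of the workstation questions. SAMPLE_SNAPSHOT / HARDENED_SNAPSHOT are
# constructed; collect_windows_snapshot() reads the real values on Windows.
from dataclasses import dataclass

AUTORUN_ALL_DISABLED = 0xFF   # NoDriveTypeAutoRun: one bit per drive type; 0xFF = all excluded
USBSTOR_DISABLED = 4          # service Start type 4 = SERVICE_DISABLED
ZONE_ACTION_DISABLE = 3       # IE zone action value: 0 = Enable, 1 = Prompt, 3 = Disable

# (question from the checklist, snapshot key, expected value)
RULES = [
    ("Is the CD-ROM AutoRun feature disabled on all workstations?",
     "autorun", AUTORUN_ALL_DISABLED),
    ("Are USB (storage) ports disabled on all workstations?",
     "usbstor_start", USBSTOR_DISABLED),
    ("Is ActiveX disabled in web browsers for all workstations?",
     "ie_internet_zone_activex", ZONE_ACTION_DISABLE),
]


@dataclass
class Finding:
    question: str
    compliant: bool
    evidence: str


def collect_windows_snapshot() -> dict:
    """Read the live values on a Windows workstation (winreg is Windows-only)."""
    import winreg

    def read(root, path, name):
        try:
            with winreg.OpenKey(root, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None  # key or value absent: the Windows default applies

    return {
        "autorun": read(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
                        "NoDriveTypeAutoRun"),
        "usbstor_start": read(winreg.HKEY_LOCAL_MACHINE,
                              r"SYSTEM\CurrentControlSet\Services\USBSTOR", "Start"),
        # Zone 3 = Internet zone; action 1200 = "Run ActiveX controls and plug-ins".
        "ie_internet_zone_activex": read(
            winreg.HKEY_CURRENT_USER,
            r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",
            "1200"),
    }


def evaluate(snapshot: dict) -> list:
    """Score a snapshot against RULES; a missing value is treated as non-compliant."""
    findings = []
    for question, key, expected in RULES:
        actual = snapshot.get(key)
        if actual is None:
            findings.append(Finding(question, False, f"{key}: not set (OS default applies)"))
        else:
            findings.append(Finding(question, actual == expected,
                                    f"{key}: found {actual:#x}, expected {expected:#x}"))
    return findings


def summarise(findings) -> tuple:
    """Return (compliant count, total) for a list of findings."""
    return sum(1 for f in findings if f.compliant), len(findings)


# Constructed snapshots: Windows defaults (unhardened) and a hardened build.
SAMPLE_SNAPSHOT = {"autorun": 0x91, "usbstor_start": 3, "ie_internet_zone_activex": 0}
HARDENED_SNAPSHOT = {"autorun": 0xFF, "usbstor_start": 4, "ie_internet_zone_activex": 3}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_SNAPSHOT):
        print("PASS" if f.compliant else "FAIL", f.question, "--", f.evidence)
    print("%d/%d compliant" % summarise(evaluate(SAMPLE_SNAPSHOT)))
```

On a real workstation, replace `SAMPLE_SNAPSHOT` with `collect_windows_snapshot()`; the per-user Internet-zone value should be read in the context of each user, or enforced through a Group Policy that writes the machine-wide key instead.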

Logical Security
• Is there a Programme policy for selecting strong passwords?
• Is the Programme using software that enforces strong passwords?
• Are passwords changed regularly? If so, how often?
• Does the Programme use forms of authentication other than usernames and passwords? If so, which ones?
• Is the Programme planning to use forms of authentication other than passwords in the future?
• Does the Programme have an account decommissioning process?
• Does the Programme have a method for identifying unauthorised users?
• Do personnel receive regular computer security awareness training?
• Is there a document establishing the identity of those having root access to the platform?
• Is the identity of those having remote access to the platform known?
• Are there written procedures for terminating accounts when an employee leaves employment (leavers procedure)?

Host based firewall
• Do all ICT systems in the platform have a host-based firewall?
• Is the platform protected using some network-based firewalls?
• How often does the Programme review or audit firewall logs and rules?
• Is critical data stored on a server protected using a host-based firewall?
• Is the network monitored for user access to secure/critical data?
• Do you have enough technical staff to manage individual firewalls on all desktops and network firewall?
• Are settings password protected?
• How often are logs reviewed?
• Is there central monitoring of settings and logs?
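Reviewing firewall logs regularly is only useful if the review answers concrete questions: which sources are being blocked most, which external sources are probing several ports, and which external sources have been allowed through to administrative services. The script below is an added example, not part of the original post: a first-pass review over host firewall logs in the Windows Firewall text log layout (date, time, action, protocol, source IP, destination IP, source port, destination port, then further fields). The log lines, the internal address range and the list of administrative ports are constructed for illustration.

```python
# Added example (not from the original post): summarise host firewall logs and
# raise findings an auditor would want to follow up. SAMPLE_LOG, INTERNAL_NET
# and ADMIN_PORTS are constructed values.
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed LAN range
ADMIN_PORTS = {22, 445, 3389}                          # SSH, SMB, RDP
SCAN_THRESHOLD = 3                                     # distinct blocked ports per source

SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-06-11 09:14:22 DROP TCP 203.0.113.5 192.0.2.10 51234 445 52 S 0 0 0 - - - RECEIVE
2010-06-11 09:14:23 DROP TCP 203.0.113.5 192.0.2.10 51235 139 52 S 0 0 0 - - - RECEIVE
2010-06-11 09:14:24 DROP TCP 203.0.113.5 192.0.2.10 51236 3389 52 S 0 0 0 - - - RECEIVE
2010-06-11 09:14:25 DROP TCP 203.0.113.5 192.0.2.10 51237 22 52 S 0 0 0 - - - RECEIVE
2010-06-11 09:15:01 ALLOW TCP 192.0.2.20 192.0.2.10 40111 445 0 - 0 0 0 - - - RECEIVE
2010-06-11 09:15:40 ALLOW TCP 203.0.113.9 192.0.2.10 40222 3389 0 - 0 0 0 - - - RECEIVE
2010-06-11 09:16:02 DROP UDP 192.0.2.33 192.0.2.255 137 137 78 - - - - - - - RECEIVE
"""


def parse_line(line):
    """Return (action, protocol, src_ip, dst_ip, src_port, dst_port), or None for
    header, blank or malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 8:
        return None
    try:
        return (f[2], f[3], ipaddress.ip_address(f[4]), ipaddress.ip_address(f[5]),
                int(f[6]), int(f[7]))
    except ValueError:
        return None


def review(log_text, internal_net=INTERNAL_NET, scan_threshold=SCAN_THRESHOLD):
    """Count drops per source and flag (a) external sources hitting several
    blocked ports and (b) external sources allowed through to ADMIN_PORTS."""
    drops_by_source = defaultdict(int)
    blocked_ports = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        action, proto, src, dst, _sport, dport = entry
        external = src not in internal_net
        if action == "DROP":
            drops_by_source[str(src)] += 1
            if external:
                blocked_ports[str(src)].add(dport)
        elif action == "ALLOW" and external and dport in ADMIN_PORTS:
            findings.append(f"external source {src} allowed to {proto}/{dport} on {dst}")
    for src, ports in blocked_ports.items():
        if len(ports) >= scan_threshold:
            findings.append(f"{src} hit {len(ports)} distinct blocked ports: {sorted(ports)}")
    return {"drops_by_source": dict(drops_by_source), "findings": findings}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for src, n in sorted(result["drops_by_source"].items(), key=lambda kv: -kv[1]):
        print(f"{n:5d} drops from {src}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

The internal broadcast traffic on UDP/137 is counted but not flagged, so the findings list stays focused on what needs a rule or a ticket; the threshold and port list are the knobs to tune against the Programme's own baseline.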

Antivirus Software
• Are all workstations running the latest version of antivirus software, scanning engine and the virus signature file?
• Are users aware that email attachments should not be opened as a regular practice on PCs?
• Are employees aware of the dangers attachments can bring?
• What is the frequency of virus definition updates?

Web Servers
• Is the web server set to only accept traffic on port 80?
• Is the web server set to reject attempts to remotely administer it?
• Is the web server set to authenticate certain user traffic?
• Have the sample files, scripts, help and development files been removed?
• Is WebDAV installed on your Web server?

FTP
• Are all FTP servers set to authenticate users?
• Is this traffic encrypted/secured?
• Are all FTP directories set to either Read or Write but not to both?

Email
• Are SMTP/POP3 ports enabled and used?
• Are other email services enabled, such as webmail, exchange and OWA?
• What email clients are in use in the Programme?
• Is the E-mail server set to scan mail and attachments for viruses?
• Is the e-mail server set to reject attachments?
• Is there an email server application that detects spam, i.e. spam filtering software?
• Is web access to e-mail secured?
• Are client connections from outside the subnet secured/encrypted?

Disaster Planning
• Is there a written contingency plan to perform critical processing in the event that on-site workstations are unavailable?
• Are there plans for the platform to continue working in the event that one of the data centres was to be offline for an extended period of time?
• Are there supplier/vendor support partnerships that can help in an emergency if equipment is damaged due to disaster?
• Is the contingency plan periodically tested to verify it can be followed to resume business-critical processing?
• Are the data centres redundant, or hot-standby? If yes, has the failover been tested, and when was it last tested?

Backup and Recovery
• Are backup files sent off-site to a physically secure location?
• Are files kept on-site in a secure location?
• Are critical files regularly backed up? If yes, how often?
• Are backups encrypted? If yes, what type of encryption is used?
• Are backup media stored off site?
• Is the environment of a selected off-site storage area (temperature, humidity, etc.) within the manufacturer’s recommended range for the backup media?
• Are backup files periodically restored as a test to verify they are usable?
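A backup that has never been restored is an assumption, not a control. The script below is an added example, not part of the original post: it backs up a constructed set of "critical files" to a tar.gz archive, records a SHA-256 manifest at backup time, restores the archive to a separate location and checks every restored file against the manifest, reporting missing and altered files. A second run simulates damaged media so the report shows what a failed restore test looks like. File names and contents are constructed for illustration.

```python
# Added example (not from the original post): scripted backup / restore test
# with a SHA-256 manifest. SAMPLE_FILES is constructed data.
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

SAMPLE_FILES = {                       # constructed "critical files"
    "docs/policy.txt": b"Security policy v3\n",
    "db/records.csv": b"id,name\n1,alice\n2,bob\n",
    "config/settings.ini": b"[backup]\nschedule=daily\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Map each file's path (relative, POSIX form) to its SHA-256 digest."""
    return {p.relative_to(source).as_posix(): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write the archive and a manifest beside it; return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    # Digests are taken from the live files at backup time, so a later restore
    # is checked against what was meant to be saved, not against the archive.
    (archive.parent / (archive.name + ".manifest.json")).write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_backup(archive: Path, dest: Path) -> None:
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")   # rejects members escaping dest
        except TypeError:
            tar.extractall(dest)                  # Python without the filter argument


def verify_restore(dest: Path, manifest: dict) -> dict:
    """Compare every manifest entry with the restored tree."""
    missing = [rel for rel in manifest if not (dest / rel).is_file()]
    mismatched = [rel for rel in manifest
                  if rel not in missing and sha256_file(dest / rel) != manifest[rel]]
    return {"ok": not missing and not mismatched,
            "checked": len(manifest), "missing": missing, "mismatched": mismatched}


def run_restore_test(simulate_damage: bool = False) -> dict:
    """Full cycle: create sample data, back up, restore, verify.
    simulate_damage alters one restored file and deletes another, standing in
    for unreadable media, so the report shows a failing test."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, archive, dest = root / "live", root / "backup.tar.gz", root / "restore"
        for rel, data in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(data)
        manifest = create_backup(source, archive)
        restore_backup(archive, dest)
        if simulate_damage:
            (dest / "db/records.csv").write_bytes(b"id,name\n1,alice\n")
            (dest / "config/settings.ini").unlink()
        return verify_restore(dest, manifest)


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=1))
    print(json.dumps(run_restore_test(simulate_damage=True), indent=1))
```

Keeping the manifest with the off-site copy (and a copy on-site) lets the periodic restore test be run by someone other than the backup operator, which is the evidence an auditor is looking for when asking whether restores are tested.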

Change Management
• Are records kept of systems changes?
• Do all changes go via change control? If No, what types of change do not go via change control?
• Is there a process for communication of systems changes?
• Does the Programme have a configuration/asset control plan for all hardware and software products?
• Does the Programme have a version control plan for software products?
• Are only trained authorised individuals allowed to install computer equipment and software?
• Are maintenance records kept to indicate what repairs and/or diagnostics were performed and by whom?
• Is there always a back-out plan in the event of a failed change deployment?

Training
• Does the Programme require new employees to read IT security documents?
• Does the Programme require new employees to be familiar with security policies, procedures and LWIs?
• Do staff know what’s expected of them regarding security for the Programme?
• Is there regular information security awareness training for all staff?
• What forms of security awareness programme are provided?
• How often do staff attend security briefings, training and seminars?
• Is specific security training provided based on roles and responsibilities?
• Is there security training specific to the senior management team?

3rd-party Supplier/Vendor Management
• Do all 3rd-party suppliers sign in when they visit?
• Do all 3rd-party suppliers have both physical and logical access to the environment? If yes, please specify.
• Do all 3rd-party suppliers undergo supplier security audit assessment?
• Do all 3rd-party suppliers comply with the HMG Security Policy Framework?
• Do all 3rd-party suppliers have security cleared personnel?
• Do all 3rd-party suppliers have dedicated manpower in the environment? If yes, please specify.
