
Network Penetration by Osf3YB8


This is the AuditNet Standard Risk Control Audit Matrix, which incorporates formats
used by many audit organizations in their documentation working papers. There are
format templates for risk control, audit procedures, questionnaires and checklists.
There is a blank workpaper and a report summary that can be used by audit
organizations. AuditNet has prepared a monograph for guidance on preparing and
developing audit work programs, checklists, questionnaires and matrices. The
monograph is available to AuditNet subscribers. For more information go to
www.auditnet.org
Library Name
  Objectives: Objective Type (Optional) | Objective Category (Optional) | Objective Title (Unique) | Objective Description (Mandatory) | Objective Library Type (Optional)
  Risks:      Risk Ref (Unique) | Risk Description (Mandatory) | Risk Library Type (Optional)
  Controls:   Control Ref (Unique) | Control Description (Mandatory) | Control Library Type (Optional)
  Areas:      Area ref (Mandatory) | Area desc (Mandatory)
  Test:       Test Ref (Mandatory) | Test Title (Mandatory) | Test Description (Mandatory) | Test Type (Optional)

Library Name (alternate column layout)
  Areas:      Area ref (Mandatory) | Area desc (Mandatory)
  Test:       Test Ref (Mandatory) | Test Title (Mandatory) | Test Description (Mandatory) | Test Type (Optional)
  Risks:      Risk Ref (Optional)
  Controls:   Control Ref (Optional)
AREA:

Workpaper columns:
  Process
  Control Objective
  Risk
  Control Considerations
  Assertion (E,A,C,V,P)
  Description of control
  Documentation W/P Ref.
  Testing: Do controls meet objective? (Yes/No)
  Test W/P Ref
  Exceptions noted? (Yes/No)
  Resolution / remediation / comments
  W/P Ref
Audit Program Area: Network Penetration

CONTROL OBJECTIVE

1. Internet - The purpose of Internet testing is to compromise the target network. The
   methodology needed to perform this test allows for a systematic checking for
   known vulnerabilities and pursuit of potential security risks. The methodology
   ordinarily employed includes the processes of:
   a. Information gathering
   b. Network enumeration
   c. Vulnerability analysis
   d. Exploitation
   e. Results analysis and reporting

2. Internal penetration testing and vulnerability assessment - The goal of internal
   penetration testing is to ascertain vulnerabilities inside the network perimeter. The
   overall objective is to identify potential vulnerabilities within the internal network and
   weaknesses in controls in place to prevent and/or detect their exploitation by a
   hacker/malicious employee/contractor who may obtain unauthorized access to
   information resources or cause system disruption or a system outage.
   a. Ascertain the internal network topology or footprint that provides a map of the
      critical access paths/points and devices, including their Internet protocol (IP)
      address ranges.
   b. Once critical points/devices are identified within the network, the next step is to
      attack those devices given the various types of known vulnerabilities within the
      system and operating software running on the devices.

3. Wireless LAN - check for the following:
   - Reliance on WEP for encryption
   - Wireless networks not being segregated from other networks
   - Descriptive SSID or AP names being used
   - Hard-coded MAC addresses
   - Weak or nonexistent key management
   - Beacon packets that have not been disabled or are “enabled”
   - Distributed APs
   - Default passwords/IP addresses
   - WEP weak key avoidance
   - DHCP being used on WLANs
   - Unprotected rogue access points
Columns: AUDIT PROCEDURES | WP Ref | Auditor Initials | Time Spent | Date Expected | Date Finished | Remarks | Checked By:
Audit Program

Columns: Audit Procedure | Control Objective | Risk if Objective Not Met | Control Technique | Performed By | Date Expected | Date Completed | Budget Hours | Actual Hours | Document Reference | Source | Reviewed By | Remarks/Comments
Audit Program Area

Columns: Global Audit Procedure Ref No. | Control Objective | Risks | Control Activity Number | Control Description | Key Control? | Frequency | Owner | Exceptions Type | Document Reference | Mapping to Standards
Client Name
Internal Control Framework Questionnaire

Date Completed:
Completed By:
Reviewed By:

Columns: Question | Yes | No* | Comments / Description

Employee Responsible for Task

To the best of my knowledge, the answers and comments noted above are accurate and reflect the current

Name and Title of Person Completing Form (please print)        Name and Title of Department Director (please print)
Signature of Person Completing Form                            Signature of Department Director
Date Form Completed: 10/1/2012                                 Date of Department Director's Signature

* For a “No” answer, cross-reference to either a compensating control or to audit work which has been performed
or is to be performed.

Findings summary columns: Finding Ref # | Control Testing | Finding | Management Response & Treatment
