Risks & Controls Sheet by z8OBCl


WINDOWS NT
GENERAL APPLICATION AUDIT
MARCH 1999
Contributed 1/18/00 by Mahomed, Nafiza <NMahomed@nbs.co.za>

RISK / CONTROL / PERSON RESPONSIBLE / TEST / RESULTS OF TEST
------------------------------------------------------------

1.  Risk:    Network performance may deteriorate, resulting in unacceptable
             response times.
    Control: 1. Efficiency and capacity are monitored at month end by
             Technical Services.

2.  Risk:    Availability, performance and quality of services may be poor.
             Quality and effectiveness of services cannot be measured.
    Control: 1. Formal service level agreements are documented and agreed
             with users.

3.  Risk:    Physical access to the NT server is gained by unauthorised
             personnel, resulting in:
             a) physical damage to machines;
             b) access to confidential data and software stored on machines,
                allowing manipulation, alteration or disclosure of data to
                take place.
    Control: 1. Only authorised individuals have access to the server.

4.  Risk:    The physical protection of critical backups is inadequate.
             Information could be stolen or destroyed.
    Control: 2. Access to off-site storage areas is adequately controlled.

5.  Risk:    Unauthorised entry or access after hours.
    Control: 3. Access control is monitored and effective when premises are
             unattended.




RISK / CONTROL / PERSON RESPONSIBLE / TEST / RESULTS OF TEST
------------------------------------------------------------

1.  Risk:    Unauthorised users are able to access or manipulate data on
             servers.
    Control: 1. Only authorised users have access to the ForteDev server.
             The systems administrator controls access.

1.  Risk:    Inadequate change control procedures.
    Control: 1. The change control procedure is documented and documentation
             exists for every change.
             2. The SD team and IT Ops support retain documentation.

2.  Risk:    Installation of malicious programs by programmers.
    Control: 1. Documented change control procedures exist which have to be
             adhered to at all times.

2.  Risk:    Inadequate testing of software.
    Control: 1. All software is tested on the development server before the
             application is deployed on the production server.

3.  Risk:    Incorrect versions of software could be placed on the production
             machine.
    Control: 1. (blank)




RISK / CONTROL / PERSON RESPONSIBLE / TEST / RESULTS OF TEST
------------------------------------------------------------

1.  Risk:    Data is corrupted by malfunctioning programs.
    Control: 1. Ensure that all programs are tested on test data before
             being used on production data.

2.  Risk:    Data is not backed up sufficiently to facilitate business
             continuity in the event of a disaster.
    Control: 1. Data backup should form part of the business continuity
             procedures.




RISK / CONTROL / PERSON RESPONSIBLE / TEST / RESULTS OF TEST
------------------------------------------------------------

1.  Risk:    The Administrator account has not been changed from
             "Administrator" and is not kept secret from non-privileged
             users.
    Control: 1. Rename the Administrator account, and ensure that the account
             is kept secret.

1.  Risk:    Privileged users do not have a second user account to use for
             everyday, operational work.
    Control: 1. All users with accounts that are members of the
             "Administrators" group have a second account that is not a
             member of the "Administrators" group, and are trained to use it
             when not engaged in system administration work.

2.  Risk:    General user accounts have administrator privileges.
    Control: 1. Accounts for operational work should only be members of the
             "Users" group and should not have unnecessary rights granted.

3.  Risk:    Dormant accounts exist on the system.
    Control: 1. All users that no longer require access to the server need to
             be removed.

4.  Risk:    There are guest accounts on the system.
    Control: 1. The "Guest" account is disabled.
1.  Risk:    Trivial passwords are used for accounts.
    Control: 1. Accounts should not use trivial passwords. Passwords should
             at least meet the following requirements:
             • Passwords should be at least eight alphanumeric characters in
               length
             • Maximum password age
             • Minimum password age
             • Password character set
             • Minimum of one numeric
             • Prohibit repeating characters
             • Dictionary words prohibited.

2.  Risk:    Password life does not have an expiry limit and users are not
             notified prior to password expiration.
    Control: 1. The passwords for the Forte Server are set up by the IT
             Communications team. The users are given prior notification
             when the passwords are to expire.
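The password requirements in the control above can be turned into a repeatable check. The following Python is an added example, not part of the original audit sheet or of any tool it names. It encodes the six listed requirements; where the sheet leaves a detail open (what counts as a "repeating character", which words are "dictionary words", what password ages are acceptable), the choice made here is an assumption and is marked as such in the code, and the word list is a constructed sample.

```python
"""Checks for the 'Trivial passwords' control.

Added example, not part of the original audit sheet. Each of the six
requirements in the control becomes a check. Where the sheet leaves a
detail open (what counts as a 'repeating character', which words are
'dictionary words', what password ages are acceptable) the choice made
here is an assumption and is marked as such.
"""
import re
from typing import List, Optional

MIN_ALNUM = 8     # "at least eight alphanumeric characters in length"
MIN_DIGITS = 1    # "minimum of one numeric"
MAX_RUN = 2       # assumption: 3 or more identical characters in a row is "repeating"

# Constructed mini word list; a real check would load a full dictionary file.
DICTIONARY_WORDS = {"password", "welcome", "secret", "summer", "admin", "letmein"}


def check_password(password: str) -> List[str]:
    """Return the requirements a candidate password violates; [] means it complies."""
    findings = []
    # Only letters and digits count toward the length requirement.
    if sum(c.isalnum() for c in password) < MIN_ALNUM:
        findings.append(f"fewer than {MIN_ALNUM} alphanumeric characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        findings.append("no numeric character")
    # (.)\1{2,} matches any character followed by two or more copies of itself.
    if re.search(r"(.)\1{%d,}" % MAX_RUN, password):
        findings.append("repeating characters")
    hits = sorted(w for w in DICTIONARY_WORDS if w in password.lower())
    if hits:
        findings.append("contains dictionary word(s): " + ", ".join(hits))
    return findings


def check_age_policy(max_age_days: Optional[int], min_age_days: Optional[int]) -> List[str]:
    """Check the account-policy side of the control: both password ages must be set.

    Assumption: a maximum age of None or 0 means passwords never expire, and a
    minimum age of None or 0 lets a user change a password straight back to the
    previous one; both defeat the purpose of the age settings.
    """
    findings = []
    if not max_age_days or max_age_days <= 0:
        findings.append("maximum password age not set (passwords never expire)")
    if not min_age_days or min_age_days <= 0:
        findings.append("minimum password age not set (immediate reuse possible)")
    elif max_age_days and min_age_days >= max_age_days:
        findings.append("minimum password age is not below the maximum password age")
    return findings


if __name__ == "__main__":
    for candidate in ["Welcome1", "xT7k9Qp2", "aaa12345", "Pa$$w0rd"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    print(check_age_policy(max_age_days=90, min_age_days=1) or "age policy OK")
```

`check_password` is the per-password test an auditor can run against a sample of proposed passwords; `check_age_policy` covers the two requirements that live in the account policy rather than in the password itself.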
1.  Risk:    The audit subsystem is disabled.
    Control: 1. Enable the auditing subsystem.

2.  Risk:    Audit events are not properly recorded in the audit log.
             At minimum the following events should be audited:
             • Login (unsuccessful and successful) and logout (successful)
             • Use of privileged commands (unsuccessful and successful)
             • Application and session initiation (unsuccessful and
               successful)
             • Use of print command (unsuccessful and successful)
             • Discretionary access control permission modification
               (unsuccessful and successful)
             • Export to media
             • Unauthorised access attempts to files (unsuccessful)
             • System startup and shutdown (unsuccessful and successful)
    Control: 1. Enable the auditing subsystem.

3.  Risk:    The timeout function is not enabled if input devices have been
             left idle for a period of time.
    Control: 1. Ensure that a screen saver is enabled on the server.

2.  Risk:    The system does not provide the capability to detect multiple
             login failures, lock out the user ID and prohibit further login
             once the threshold is reached.
    Control: 1. Ensure that the "Lockout after - bad logon attempts" setting
             is set to at least five attempts.
    Person responsible: System administrator
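The lockout row above and the minimum audit-event list in the auditing table both describe what an auditor should look for in a security-log extract. The following Python is an added example, not part of the original audit sheet: it checks that every event type and outcome the sheet requires appears at least once in an extract, and it reports accounts whose failed logins reached the five-attempt threshold so the auditor can confirm the lockout actually happened. The log line format (date time | event | outcome | account), the event names and the sample log are constructed for this example; a real Event Viewer export would need its own parser.

```python
"""Audit-log coverage and lockout-threshold check.

Added example, not part of the original audit sheet. Two controls from
the sheet become checks over a security-log extract:
  * "Audit events are not properly recorded": every event type and
    outcome in the sheet's minimum list must appear at least once.
  * "Lockout after - bad logon attempts ... at least five": any account
    reaching five failed logins is reported so the auditor can confirm
    the lockout occurred.
The log format (timestamp | event | outcome | account) and the event
names are constructed for this example.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

LOCKOUT_THRESHOLD = 5  # "set to at least five attempts"

# Minimum events to audit, taken from the sheet. Outcome sets are the ones
# the sheet names; "Export to media" names none, so Success is assumed.
REQUIRED_EVENTS: Dict[str, Set[str]] = {
    "Login": {"Success", "Failure"},
    "Logout": {"Success"},
    "Privileged command": {"Success", "Failure"},
    "Session initiation": {"Success", "Failure"},
    "Print": {"Success", "Failure"},
    "Permission modification": {"Success", "Failure"},
    "Export to media": {"Success"},
    "File access": {"Failure"},
    "System startup/shutdown": {"Success", "Failure"},
}

Event = Tuple[str, str, str, str]  # (timestamp, event, outcome, account)

# Constructed sample extract: one day's worth of events, including a burst
# of failed logins against one account.
SAMPLE_LOG = """\
1999-03-02 08:01:10 | Login | Success | jsmith
1999-03-02 08:02:41 | Login | Failure | bkumar
1999-03-02 08:02:52 | Login | Failure | bkumar
1999-03-02 08:03:05 | Login | Failure | bkumar
1999-03-02 08:03:19 | Login | Failure | bkumar
1999-03-02 08:03:33 | Login | Failure | bkumar
1999-03-02 08:10:00 | Privileged command | Success | ntadmin
1999-03-02 08:12:30 | Permission modification | Success | jsmith
1999-03-02 08:15:47 | File access | Failure | tmoyo
1999-03-02 09:00:00 | Logout | Success | jsmith
1999-03-02 17:30:00 | System startup/shutdown | Success | SYSTEM
"""


def parse_log(text: str) -> List[Event]:
    """Parse 'timestamp | event | outcome | account' lines; skip blank or malformed rows."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4 or not parts[0]:
            continue
        events.append((parts[0], parts[1], parts[2], parts[3]))
    return events


def missing_coverage(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (event, outcome) pairs the sheet requires that never appear in the extract."""
    seen = {(ev, outcome) for _, ev, outcome, _ in events}
    missing = [
        (ev, outcome)
        for ev, outcomes in REQUIRED_EVENTS.items()
        for outcome in outcomes
        if (ev, outcome) not in seen
    ]
    return sorted(missing)


def accounts_at_lockout(events: List[Event]) -> Dict[str, int]:
    """Accounts whose failed logins reached the lockout threshold, with their counts."""
    failures = Counter(acct for _, ev, outcome, acct in events
                       if ev == "Login" and outcome == "Failure")
    return {acct: n for acct, n in failures.items() if n >= LOCKOUT_THRESHOLD}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev, outcome in missing_coverage(evs):
        print(f"not seen in extract: {ev} ({outcome})")
    for acct, n in accounts_at_lockout(evs).items():
        print(f"{acct}: {n} failed logins, verify the account was locked out")
```

A required pair that never appears in a reasonably long extract is either an audit category that is switched off or an event type the server does not generate; both are findings for the "Results of test" column. An account listed by `accounts_at_lockout` with no matching lockout is the evidence that the threshold setting is not in force.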




1.  Risk:    FTP is not enabled on the system and not securely configured.
    Control: 1. FTP is automatically enabled.
    Person responsible: System administrator

2.  Risk:    The anonymous FTP is not enabled on the system and not securely
             configured.
    Control: (blank)
    Person responsible: System administrator
