Risks & Controls Sheet
Document Sample

WINDOWS NT
GENERAL APPLICATION AUDIT
MARCH 1999
Contributed 1/18/00 by Mahomed, Nafiza <NMahomed@nbs.co.za>

Columns: RISK | CONTROL | PERSON RESPONSIBLE | TEST | RESULTS OF TEST
(In this sample the PERSON RESPONSIBLE, TEST and RESULTS OF TEST columns are blank except where noted; the auditor completes them during fieldwork.)
Risk 1: Network performance may deteriorate, resulting in unacceptable response times.
    Control 1: Network efficiency and capacity are monitored at month end by Technical Services.

Risk 2: Availability, performance and quality of services may be poor. Quality and effectiveness of services cannot be measured.
    Control 1: Formal service level agreements are documented and agreed with users.

Risk 3: Physical access to the NT server is gained by unauthorised personnel, resulting in:
    a) physical damage to machines;
    b) access to confidential data and software stored on the machines, allowing manipulation, alteration or disclosure of data to take place.
    Control 1: Only authorised individuals have access to the server.

Risk 4: The physical protection of critical backups is inadequate. Information could be stolen or destroyed.
    Control 2: Access to off-site storage areas is adequately controlled.

Risk 5: Unauthorised entry or access after hours when premises are unattended.
    Control 3: Access control is monitored and effective.
RISK | CONTROL | PERSON RESPONSIBLE | TEST | RESULTS OF TEST

Risk 1: Unauthorised users are able to access or manipulate data on servers.
    Control 1: Only authorised users have access to the ForteDev server. The systems administrator controls access.
Risk 1: Inadequate change control procedures.
    Control 1: The change control procedure is documented, and documentation is kept for every change that takes place.
    Control 2: The SD team and IT Ops support retain the documentation.

Risk 2: Installation of malicious programs by programmers.
    Control 1: Documented change control procedures exist and have to be adhered to at all times.

Risk 3: Inadequate testing of software.
    Control 1: All software is tested on the development server before the application is deployed on the production server.

Risk 4: Incorrect versions of software could be placed on the production machine.
    Control: (none recorded)
RISK | CONTROL | PERSON RESPONSIBLE | TEST | RESULTS OF TEST

Risk 1: Data is corrupted by malfunctioning programs.
    Control 1: Ensure that all programs are tested on test data before being used on production data.

Risk 2: Data is not backed up sufficiently to facilitate business continuity in the event of a disaster.
    Control 1: Data backup should form part of the business continuity procedures.
RISK | CONTROL | PERSON RESPONSIBLE | TEST | RESULTS OF TEST

Risk 1: The Administrator account has not been renamed from "Administrator" and its name is not kept secret from non-privileged users.
    Control 1: Rename the Administrator account and ensure that the new name is kept secret. (Renaming is a deterrent only: the built-in account keeps its well-known relative identifier, RID 500, and can still be identified by tools that enumerate accounts by SID, so the control does not replace a strong password on the account.)

Risk 2: Privileged users do not have a second user account to use for everyday operational work.
    Control 1: All users whose accounts are members of the "Administrators" group have a second account that is not a member of the "Administrators" group, and are trained to use it when not engaged in system administration work.

Risk 3: General user accounts have administrator privileges.
    Control 1: Accounts for operational work should only be members of the "Users" group and should not have unnecessary rights granted.

Risk 4: Dormant accounts exist on the system.
    Control 1: All users that no longer require access to the server are removed.

Risk 5: There are guest accounts on the system.
    Control 1: The "Guest" account is disabled.
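The second-account, operational-rights, dormant-account and Guest items above can be tested mechanically from an account inventory rather than by eye. The script below is an added example written for this page; it is not part of the original audit sheet or of any tool it names. INVENTORY is constructed to resemble what an auditor collects on the server with `net user`, `net user <name>` (the "Last logon" line) and `net localgroup Administrators`. The `-adm` naming convention linking a privileged account to its everyday twin, the 90-day dormancy threshold and the audit date are assumptions of the example, not requirements stated on the sheet.

```python
"""Account-hygiene checks for the accounts section of the audit sheet.

Added example, not part of the original sheet. INVENTORY is a constructed
snapshot; the -adm convention, 90-day threshold and audit date are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

ADMIN_SUFFIX = "-adm"        # assumption: privileged second accounts are named <user>-adm
DORMANT_DAYS = 90            # assumption: no logon in 90 days counts as dormant
AS_OF = date(1999, 3, 31)    # constructed audit date
BUILTIN = {"Administrator", "Guest"}


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    groups: FrozenSet[str]
    last_logon: Optional[date]   # None: the account has never logged on


INVENTORY: List[Account] = [  # constructed sample, as gathered with net user / net localgroup
    Account("Administrator", True, frozenset({"Administrators"}), date(1999, 3, 30)),
    Account("Guest", True, frozenset({"Guests"}), None),
    Account("jsmith-adm", True, frozenset({"Administrators"}), date(1999, 3, 29)),
    Account("jsmith", True, frozenset({"Users"}), date(1999, 3, 30)),
    Account("pjones", True, frozenset({"Administrators", "Users"}), date(1999, 3, 30)),
    Account("tleft", True, frozenset({"Users"}), date(1998, 11, 2)),
    Account("svc_forte", True, frozenset({"Users", "Backup Operators"}), date(1999, 3, 31)),
]


def admins_without_everyday_account(inventory):
    """Members of Administrators (other than the built-in account) that have no
    paired non-admin account: the admin is doing everyday work with admin rights."""
    names = {a.name for a in inventory}
    flagged = []
    for a in inventory:
        if "Administrators" not in a.groups or a.name in BUILTIN:
            continue
        base = a.name[: -len(ADMIN_SUFFIX)] if a.name.endswith(ADMIN_SUFFIX) else None
        if base is None or base not in names:
            flagged.append(a.name)
    return sorted(flagged)


def operational_accounts_with_extra_rights(inventory):
    """Everyday accounts that belong to anything other than the Users group."""
    return sorted(
        a.name for a in inventory
        if a.name not in BUILTIN
        and not a.name.endswith(ADMIN_SUFFIX)
        and a.groups != frozenset({"Users"})
    )


def dormant_accounts(inventory, as_of=AS_OF, days=DORMANT_DAYS):
    """Enabled accounts with no logon inside the threshold (or no logon ever)."""
    return sorted(
        a.name for a in inventory
        if a.enabled and (a.last_logon is None or (as_of - a.last_logon).days > days)
    )


def guest_enabled(inventory):
    """True when the built-in Guest account is still enabled."""
    return any(a.name == "Guest" and a.enabled for a in inventory)


def audit_accounts(inventory, as_of=AS_OF):
    """One dictionary of findings, keyed by the sheet item each check covers."""
    return {
        "admins_without_everyday_account": admins_without_everyday_account(inventory),
        "operational_accounts_with_extra_rights": operational_accounts_with_extra_rights(inventory),
        "dormant_accounts": dormant_accounts(inventory, as_of),
        "guest_enabled": guest_enabled(inventory),
    }


if __name__ == "__main__":
    for item, result in audit_accounts(INVENTORY).items():
        print(f"{item}: {result}")
```

A real inventory is built by parsing the `net user` listing and each account's `net user <name>` output for group membership and last logon; the pairing convention must match whatever naming the site actually uses, which is why it is kept in one constant.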
Risk 1: Trivial passwords are used for accounts.
    Control 1: Accounts should not use trivial passwords. Passwords should at least meet the following requirements:
        • at least eight alphanumeric characters in length;
        • a maximum password age;
        • a minimum password age;
        • password character set: a minimum of one numeric character;
        • repeating characters prohibited;
        • dictionary words prohibited.

Risk 2: Password life does not have an expiry limit, and users are not notified prior to password expiration.
    Control 1: The passwords for the Forte server are set up by the IT Communications team. Users are given prior notification when their passwords are due to expire.
Risk 1: The audit subsystem is disabled.
    Control 1: Enable the auditing subsystem.

Risk 2: Audit events are not properly recorded in the audit log.
    Control 1: Enable the auditing subsystem. At minimum the following events should be audited:
        • Login (unsuccessful and successful) and logout (successful)
        • Use of privileged commands (unsuccessful and successful)
        • Application and session initiation (unsuccessful and successful)
        • Use of print command (unsuccessful and successful)
        • Discretionary access control permission modification (unsuccessful and successful)
        • Export to media
        • Unauthorised access attempts to files (unsuccessful)
        • System startup and shutdown (unsuccessful and successful)

Risk 3: The timeout function is not enabled when input devices have been left idle for a period of time.
    Control 1: Ensure that a password-protected screen saver is enabled on the server, so that an idle console locks rather than merely blanks.
Risk 4: The system does not provide the capability to detect multiple login failures, lock out the user ID and prohibit further login once the threshold is reached.
    Control 1: Ensure that the "Lockout after N bad logon attempts" option is enabled and set so that the account locks after five bad logon attempts.
    Person responsible: System administrator
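The password-requirement, password-expiry, audit-event and lockout items from this and the two preceding sections can all be tested from one exported local security policy instead of clicking through User Manager. The script below is an added example for this page, not part of the original audit sheet. SAMPLE_INF is a constructed excerpt in the INF format written by `secedit /export /cfg <file>` (a real export is UTF-16 and carries further sections such as `[Privilege Rights]`). The following are assumptions of the example rather than statements on the sheet: the mapping of the sheet's audit items onto `[Event Audit]` categories, the 90-day maximum and 1-day minimum password age (the sheet requires both but gives no value), and the reading of `PasswordComplexity` as the "at least one numeric character" requirement. The repeating-character and dictionary-word rules are not expressible in this file and belong to a separate password-quality test.

```python
"""Check an exported local security policy against the sheet's password,
lockout, audit-policy and Administrator-rename items.

Added example, not part of the original sheet. SAMPLE_INF is a constructed
excerpt of secedit /export output; values marked "assumption" are this
example's choices.
"""
import configparser

MIN_PASSWORD_LENGTH = 8      # stated on the sheet
MAX_PASSWORD_AGE_DAYS = 90   # assumption: sheet requires a maximum age, gives no value
MIN_PASSWORD_AGE_DAYS = 1    # assumption: likewise for the minimum age
LOCKOUT_THRESHOLD = 5        # stated on the sheet
AUDIT_BOTH = 3               # secedit encoding: 0 none, 1 success, 2 failure, 3 both

# Sheet audit items -> [Event Audit] keys. The mapping is an assumption of this
# example; "use of print command" and "export to media" have no policy category
# and are checked on the printer and device objects themselves.
REQUIRED_AUDIT = {
    "AuditLogonEvents": "login and logout",
    "AuditPrivilegeUse": "use of privileged commands",
    "AuditProcessTracking": "application and session initiation",
    "AuditObjectAccess": "DAC permission modification and failed file access",
    "AuditSystemEvents": "system startup and shutdown",
}

SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 6
LockoutBadCount = 0
LockoutDuration = 30
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditProcessTracking = 0
"""


def parse_inf(text):
    """Parse secedit INF text, keeping the exported key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _int(cp, section, key, default=0):
    return cp.getint(section, key) if cp.has_option(section, key) else default


def check_policy(cp):
    """Return (setting, observed, requirement) for every item that fails."""
    findings = []
    sa = "System Access"

    length = _int(cp, sa, "MinimumPasswordLength")
    if length < MIN_PASSWORD_LENGTH:
        findings.append(("MinimumPasswordLength", length, f">= {MIN_PASSWORD_LENGTH}"))

    max_age = _int(cp, sa, "MaximumPasswordAge")   # -1: passwords never expire
    if not 1 <= max_age <= MAX_PASSWORD_AGE_DAYS:
        findings.append(("MaximumPasswordAge", max_age, f"1..{MAX_PASSWORD_AGE_DAYS} days"))

    min_age = _int(cp, sa, "MinimumPasswordAge")
    if min_age < MIN_PASSWORD_AGE_DAYS:
        findings.append(("MinimumPasswordAge", min_age, f">= {MIN_PASSWORD_AGE_DAYS} day"))

    complexity = _int(cp, sa, "PasswordComplexity")   # assumption: covers "one numeric"
    if complexity != 1:
        findings.append(("PasswordComplexity", complexity, "1 (enabled)"))

    lockout = _int(cp, sa, "LockoutBadCount")   # 0: lockout is switched off
    if not 1 <= lockout <= LOCKOUT_THRESHOLD:
        findings.append(("LockoutBadCount", lockout, f"1..{LOCKOUT_THRESHOLD} attempts"))

    admin = cp.get(sa, "NewAdministratorName", fallback="").strip('"')
    if admin == "Administrator":
        findings.append(("NewAdministratorName", admin, "renamed"))

    for key, item in REQUIRED_AUDIT.items():
        level = _int(cp, "Event Audit", key)
        if level != AUDIT_BOTH:
            findings.append((key, level, f"{AUDIT_BOTH} (success and failure) for {item}"))
    return findings


def failing_settings(text):
    """Sorted names of the failing settings, for comparison against the sheet."""
    return sorted(f[0] for f in check_policy(parse_inf(text)))


if __name__ == "__main__":
    for setting, observed, requirement in check_policy(parse_inf(SAMPLE_INF)):
        print(f"FAIL {setting}: observed {observed!r}, required {requirement}")
```

On a live host run `secedit /export /cfg policy.inf` as an administrator, read the file with `open("policy.inf", encoding="utf-16")`, and pass the text to `parse_inf`; the constructed sample deliberately fails the expiry, lockout, rename and two audit items so that the output shows what a finding looks like.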
Risk 1: FTP is enabled on the system and is not securely configured.
    Control 1: FTP is automatically enabled.
    Person responsible: System administrator

Risk 2: Anonymous FTP is enabled on the system and is not securely configured.
    Control: (none recorded)
    Person responsible: System administrator