WINDOWS NT GENERAL APPLICATION AUDIT, MARCH 1999
Contributed 1/18/00 by Mahomed, Nafiza <NMahomed@nbs.co.za>

Each sheet of the work program has five columns: RISK, CONTROL, PERSON RESPONSIBLE, TEST and RESULTS OF TEST. In the original the TEST and RESULTS OF TEST columns contain only empty numbered placeholders, and PERSON RESPONSIBLE is filled in only where shown below. The sheets are reproduced here with one entry per risk.

SHEET: OPERATIONS AND PHYSICAL SECURITY

1. Risk: Network performance may deteriorate, resulting in unacceptable response times.
   Control: The efficiency and capacity is monitored at month end by Technical Services.

2. Risk: Availability, performance and quality of services may be poor. Quality and effectiveness of services cannot be measured.
   Control: Formal service level agreements are documented and agreed with users.

3. Risk: Physical access to the NT server is gained by unauthorised personnel, resulting in:
   a) physical damage to machines;
   b) access to confidential data and software stored on machines, allowing manipulation, alteration or disclosure of data to take place.
   Control: Only authorised individuals have access to the server.

4. Risk: The physical protection of critical backups is inadequate. Information could be stolen or destroyed.
   Control: Access to off-site storage areas is adequately controlled.

5. Risk: Unauthorised entry or access after hours when premises are unattended.
   Control: Access control is monitored and effective.

SHEET: LOGICAL ACCESS TO SERVERS

1. Risk: Unauthorised users are able to access or manipulate data on the servers.
   Control: Only authorised users have access to the ForteDev server. The systems administrator controls access.

SHEET: CHANGE CONTROL

1. Risk: Inadequate change control procedures and documentation.
   Control: 1. The change control procedure is documented for every change that transpires. 2. The SD team and IT Ops support retain documentation.

2. Risk: Installation of malicious programs by programmers.
   Control: Documented change control procedures exist which have to be adhered to at all times.

2. Risk: Inadequate testing of software.
   Control: All software is tested on the development server before the application is deployed on the production server.

3. Risk: Incorrect versions of software could be placed on the production machine.
   Control: (blank in the original)

SHEET: DATA INTEGRITY AND BACKUP

1. Risk: Data is corrupted by malfunctioning programs.
   Control: Ensure that all programs are tested on test data before being used on production data.

2. Risk: Data is not backed up sufficiently to facilitate business continuity in the event of a disaster.
   Control: Data backup should form part of the business continuity procedures.

SHEET: ACCOUNTS

1. Risk: The Administrator account has not been changed from "Administrator" and is not kept secret from non-privileged users.
   Control: Rename the administrator account, and ensure that the account is kept secret.

1. Risk: Privileged users do not have a second user account to use for everyday, operational work.
   Control: All users with accounts that are members of the "Administrators" group have a second account that is not a member of the "Administrators" group and are trained to use it when not engaged in system administrative work.

2. Risk: General user accounts have administrator privileges.
   Control: Accounts for operational work should only be members of the "Users" group and should not have unnecessary rights granted.

3. Risk: Dormant accounts exist on the system.
   Control: All users that no longer require access to the server need to be removed.

4. Risk: There are guest accounts on the system.
   Control: The "Guest" account is disabled.

SHEET: PASSWORDS

1. Risk: Trivial passwords are used for accounts.
   Control: Accounts should not use trivial passwords. Passwords should at least meet the following requirements:
   - Passwords should be at least eight alphanumeric characters in length
   - Maximum password age
   - Minimum password age
   - Password character set: minimum of one numeric character
   - Prohibit repeating characters
   - Dictionary words prohibited

2. Risk: Password life does not have an expiry limit and users are not notified prior to password expiration.
   Control: The passwords for the Forte Server are set up by the IT Communications team. The users are given prior notification when the passwords are to expire.

SHEET: AUDITING AND SESSION CONTROLS

1. Risk: The audit subsystem is disabled.
   Control: Enable the auditing subsystem.

2. Risk: Audit events are not properly recorded in the audit log.
   Control: Enable the auditing subsystem. At minimum the following events should be audited:
   - Login (unsuccessful and successful) and logout (successful)
   - Use of privileged commands (unsuccessful and successful)
   - Application and session initiation (unsuccessful and successful)
   - Use of print command (unsuccessful and successful)
   - Discretionary access control permission modification (unsuccessful and successful)
   - Export to media
   - Unauthorised access attempts to files (unsuccessful)
   - System startup and shutdown (unsuccessful and successful)

3. Risk: The timeout function is not enabled if input devices have been left idle for a period of time.
   Control: Ensure that a screen saver is enabled on the server.

2. Risk: The system does not provide the capability to detect multiple login failures, lock out the user ID and prohibit further login if the threshold is reached.
   Control: Ensure that the "Lockout after [ ] bad logon attempts" box is set to at least five attempts.
   Person responsible: System administrator

SHEET: FTP

1. Risk: FTP is not enabled on the system and not securely configured.
   Control: FTP is automatically enabled.
   Person responsible: System administrator

2. Risk: The anonymous FTP is not enabled on the system and not securely configured.
   Control: (blank in the original)
   Person responsible: System administrator
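The TEST column of the work program is empty; the following is an added example, not part of the 1999 document, of how the account, password, lockout and audit rows above could be tested on a host. It assumes a modern Windows machine with the LocalAccounts module and an elevated PowerShell session (Windows NT 4 itself has no PowerShell), and it assumes a 90-day dormancy threshold, which the work program does not specify.

```powershell
# Added audit helper; not from the original work program. Run elevated.
function Get-NetAccountsValue {
    param([string]$Label)
    # 'net accounts' prints lines such as "Minimum password length:   8"
    $line = net accounts | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
    if ($line) { return ($line -split ':\s*', 2)[1].Trim() }
}

$findings = @()

# Accounts row 1: the built-in Administrator keeps RID 500 whatever it is renamed to.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtinAdmin.Name -eq 'Administrator') { $findings += 'Built-in Administrator account has not been renamed' }

# Accounts row 4: the "Guest" account (RID 501) must be disabled.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
if ($guest.Enabled) { $findings += 'Guest account is enabled' }

# Accounts rows 1-2: list Administrators members for review against the second-account rule.
$admins = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.ObjectClass -eq 'User' }
foreach ($m in $admins) { $findings += "Review Administrators member: $($m.Name)" }

# Accounts row 3: dormant accounts. Enabled users with no logon in 90 days (assumed threshold);
# an account that has never logged on has a null LastLogon and is flagged too.
$stale = Get-LocalUser | Where-Object { $_.Enabled -and ($_.LastLogon -lt (Get-Date).AddDays(-90)) }
foreach ($u in $stale) { $findings += "Possibly dormant account: $($u.Name)" }

# Passwords rows 1-2 and the lockout row: length >= 8, ages set, lockout after >= 5 bad logons.
$minLen  = [int](Get-NetAccountsValue 'Minimum password length')
$maxAge  = Get-NetAccountsValue 'Maximum password age'
$minAge  = Get-NetAccountsValue 'Minimum password age'
$lockout = Get-NetAccountsValue 'Lockout threshold'
if ($minLen -lt 8)           { $findings += "Minimum password length is $minLen (<8)" }
if ($maxAge -eq 'Unlimited') { $findings += 'Passwords never expire' }
if ($minAge -eq '0')         { $findings += 'Minimum password age is 0' }
if ($lockout -eq 'Never' -or [int]$lockout -lt 5) { $findings += "Lockout threshold is '$lockout' (<5)" }

# Auditing rows 1-2: logon events must be captured for both success and failure.
$logon = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
if ($logon.'Inclusion Setting' -ne 'Success and Failure') {
    $findings += "Logon auditing is '$($logon.'Inclusion Setting')', not 'Success and Failure'"
}

if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No findings' }
```

Each FINDING line corresponds to a row whose RESULTS OF TEST column would be recorded as an exception; the screen-saver and FTP rows are not covered and still need manual inspection.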