Network Security Management Audit by opv13206

Information Systems Audit and Control Association
www.isaca.org

Information Systems Audit and Control Association & Foundation
Virtual Private Networking
New Issues For Network Security

Audit Guidelines
Information Systems Audit and Control Association
With more than 35,000 members in more than 100 countries, the Information Systems Audit and Control Association
(ISACA) (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in
1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal™, develops
international information systems auditing and control standards, and administers the globally respected Certified
Information Systems Auditor™ (CISA®) designation earned by more than 35,000 professionals since inception, and
Certified Information Security Manager (CISM™) designation, a groundbreaking credential earned by 5,000 professionals
in its first two years.


IT Governance Institute®
The IT Governance Institute (ITGI) (www.itgi.org) was established in 1998 to advance international thinking and standards
in directing and controlling an enterprise’s information technology. Effective IT governance helps ensure that IT supports
business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. The IT
Governance Institute offers symposia, original research and case studies to assist enterprise leaders and boards of directors
in their IT governance responsibilities.

Purpose of Audit Programs and Internal Control Questionnaires
One of ISACA’s goals is to ensure that educational products support member and industry information needs. Responding to
member requests for useful audit programs, ISACA’s Education Board has released audit programs and internal control
questionnaires for member use through KNET. These products are developed from ITGI publications, or provided by
practitioners in the field.

Control Objectives for Information and related Technology
Control Objectives for Information and related Technology (COBIT®) has been developed as a generally applicable and
accepted standard for good information technology (IT) security and control practices that provides a reference framework
for management, users, and IS audit, control and security practitioners. The audit programs included in KNET
reference key COBIT control objectives.

Disclaimer
ITGI, ISACA and the author of this document have designed the publication primarily as an educational resource for control
professionals. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not
be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably
directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls
professional should apply his/her own professional judgment to the specific control circumstances presented by the
particular systems or information technology environment. Users are cautioned not to consider these audit programs and
internal control questionnaires to be all-inclusive or applicable to all organizations. They should be used as a starting point
to build upon based on an organization’s constraints, policies, practices and operational environment.




Pre-Implementation Audit Guideline
Introduction

This document is offered as a supplement to Virtual Private Networking—New Issues for Network
Security.

In using this document, users should focus on the current phase of their VPN project, while looking at
the earlier and/or later phases for reference. Alternatively, they could focus exclusively on each phase
and move to the next phase as their VPN project progresses. This sample audit guideline uses Control
Objectives for Net Centric Technology (CONCT), ISACF, 1999, as a framework reference for the
control objectives pertaining to the VPN environment.

Most IT projects go through a number of phases, which can be broadly categorized as
pre-implementation, implementation and post-implementation for the purposes of this sample audit
guideline. The focus of this guideline is the pre-implementation phase of the VPN.

During the pre-implementation phase, the control professional should seek to establish whether the
proposed VPN solution objectives have been clearly defined and whether the project has been adequately
evaluated from a number of perspectives, including business, technical and financial. In addition, the
project should be well managed and its status should be continuously monitored.

Audit Objectives

Referenced CONCT Control Objectives

Object Monitoring
Software Release
Cost Control

Referenced Chapters in Virtual Private Networking—New Issues for Network Security

2 – VPN Technology, Architecture, Topology
3 – VPN Security
4 – VPN Evaluation and Implementation
5 – High-Level Control Objectives for VPN Technology

Functional Objectives—some of the functional objectives at this stage may include determining:
• The adequacy of system development and implementation procedures
• The adequacy of technical and business evaluation
• Whether cost-benefit analysis has been performed, with consideration given to fixed and
  recurring costs as well as non-financial factors
• The existence of a sound overall connectivity plan based on the above
• Whether the project was properly defined, well managed, resourced and monitored
• The compliance with the organization’s IT requirements
Columns: Audit Step | Completed By/Date | Test Results, Remarks, W/P Ref | CONCT & VPN Publication Reference

A. Prior Audit/Examination Report Follow-up

Review the prior report and verify completion of any agreed-upon corrections.

B. Preliminary Audit Steps

Review any project plans or documents related to VPN development.

C. Detailed Audit Steps

Evaluation:

Establish whether the current relations with customers have been considered. Determine what effect the VPN will have on overall relations, and whether being enabled by the VPN will create improved relations.
    Reference: VPN Chapter 4

Assess whether there are adequate controls over remote users and sites. Some possible controls are: policies and procedures, monitoring, staff training and rotation.
    Reference: VPN Chapter 4

Establish whether networking skills, knowledge and expertise are available. These could be either maintained in-house or provided by a third party. The skills should include relevant knowledge of encryption keying material and of monitoring the VPN, firewall and intrusion detection systems.
    Reference: CONCT Object Monitoring Management MD2

Determine whether there is a high-level plan for the type of connectivity being considered. Assess whether the plans are both realistic and feasible. The possible connectivity scenarios are:
• Intranet site-to-site over the Internet
• Remote access for mobile users
• Extranet site-to-site over the Internet
    Reference: VPN Chapter 4

Cost Considerations:

Establish whether the following one-time costs have been assessed:
• Hardware and software costs
• Charges from changes necessary to the existing network or other infrastructure
• Costs of consultants or other experts
    Reference: VPN Chapter 4 and CONCT Cost Control Management CC1

Determine whether all recurring costs have been assessed:
• ISP costs for network and other VPN services
• The cost of monitoring the network
• The costs of upgrading and maintaining the hardware and software
• The costs of training new staff or training current staff in new developments in VPN technology
    Reference: VPN Chapter 4 and CONCT Cost Control Management CC1

Establish whether the benefits and potential costs, both financial and nonfinancial, have been evaluated in detail. The benefits/costs include:
• Savings in communications by reducing dependence on leased lines or call-back charges (also consider that these may be negated by local call charges as well as some ISPs’ “roving charges”)
• Increased business opportunities through improved links between trading partners and/or customers
• Greater flexibility in adding or removing users/business partners and improved business processes
• Improved security, since sensitive data do not have to be stored on laptops (in the case of mobile users) but can be accessed without moving them from the corporate LAN; alternatively, data can be copied to the laptop for amending, then updated to the corporate LAN and deleted from the laptop
• Reliance on third parties for setup and operation of critical network resources
• Improved security, as sensitive data can be worked on while stored on the central server, without the need for downloading by the remote user
    Reference: VPN Chapter 4 and CONCT Cost Control Management CC1

Determine whether there is an overall budget, its level of control and its feasibility for successful completion of the project.

Budget:

Ensure there are figures for total implementation, operating and maintenance costs for the project.

Ensure that there is an adequate budget to meet hardware, software and staffing costs.

Project Management:

Ensure the processes, tools and technology for monitoring resource usage and project progress are defined against expectations.
    Reference: CONCT Development Management CD1

Ensure the financial, cash flow, investment and other resources related to the project are well managed.
    Reference: CONCT Development Management CD1

Ensure there is good management of human resources and that the status of the project is regularly monitored.
    Reference: CONCT Development Management CD1

Preview: VPN Technology

Determine if the detailed objects and related functions for meta data objects (MDO) are properly defined or specified to satisfy the business requirement.
    Reference: VPN Chapter 5; CONCT MD1, MD4

Determine if the detailed objects and related functions for management information base objects (MIBO) are properly defined or specified to satisfy the business requirement.
    Reference: VPN Chapter 5; CONCT MB1, MB5

Determine if the detailed objects and related functions for component control base objects (CCBO) are properly defined or specified to satisfy the business requirement.
    Reference: VPN Chapter 5; CONCT CD1, CD4, CO1, CO6, CC1
Implementation Audit Guideline
Introduction

This sample audit guideline is offered as a supplement to Virtual Private Networking—New Issues for
Network Security.

In using this document, users should focus on the current phase of their VPN project, while looking
at the earlier and/or later phases for reference. Alternatively, they could focus exclusively on each
phase and move to the next phase as their VPN project progresses. This sample audit guideline uses
the Control Objectives for Net Centric Technology (CONCT), ISACF, 1999, as the model template for
the control objectives pertaining to the VPN environment.

Most system projects go through a number of phases, which can be broadly categorized as
pre-implementation, implementation and post-implementation for the purposes of this sample audit
guideline. The focus of this guideline is the actual implementation of the VPN, and the surrounding
issues of security.

During the implementation phase, the control architecture and design have been defined in detail, and
adequate policies and procedures have been identified and are in place.

Audit Objectives

Referenced CONCT Control Objectives

Network Configuration Management
Network Security Management
Change Management
Development Management

Referenced Chapters in Virtual Private Networking—New Issues for Network Security

2 – VPN Technology, Architecture, Topology
3 – VPN Security
4 – VPN Evaluation and Implementation
5 – High-Level Control Objectives for VPN Technology

Functional Objectives—functional objectives to be met at this stage may include determining that:
• The detailed architecture and design of the VPN are appropriate to the needs of the business
• Assets within the organization are protected, both in terms of physical and logical access, and an
  appropriate level of information systems and services is maintained
• The main VPN security objectives are met, including: authorization to access networks,
  authentication of the source of the data, confidentiality of the data, integrity of information
  through accuracy, completeness and security from unauthorized changes, and nonrepudiation as
  proof of integrity and origin of data
• An audit trail exists to capture transactions and activities
Columns: Audit Step | Completed By/Date | Test Results, Remarks, W/P Ref | CONCT & VPN Publication Reference

A. Prior Audit/Examination Report Follow-up

Review the prior report and verify completion of any agreed-upon corrections.

B. Preliminary Audit Steps

Obtain the detailed architecture and design plans.

Review the current security policy, any proposed changes and the proposed security mechanisms covering authentication, authorization, confidentiality and integrity.
    Reference: VPN Chapters 2 and 3

Review any contractual arrangements with third parties such as ISPs for service level agreements (SLA) and duration. Generally, a short-term contract is preferable to a long-term one, to avoid being tied to a particular technology.
    Reference: VPN Chapters 2 and 3

C. Detailed Audit Steps

Security Policy:

Assess if the security protection level of network messages is defined in a comprehensive information security policy, which provides for the classification of data as well as defining the minimum level of protection required.
    Reference: VPN Chapter 3; CONCT Network Security Management MB3

Establish the existence of administrative procedures that facilitate the timely addition, modification and removal of user access rights.
    Reference: VPN Chapter 3; CONCT Network Security Management MB3

Determine if the policy dealing with remote users addresses what kind of data should and should not be held on users’ workstations/portables. This policy should also outline what must be and what does not have to be encrypted.
    Reference: VPN Chapter 3; CONCT Network Security Management MB3

Detailed Design and Architecture:

Assess whether the architecture and design of the VPN meet business needs and comply with the organizational security policy. The particular option chosen should also be documented. The main options for implementing a VPN are:
• Pure Provider, where the VPN functionality is built into the ISP’s architecture
• Hybrid Provider, where the customer and ISP share the VPN’s functionality
• End-to-End, where there is a minimal ISP role
    Reference: VPN Chapter 2; CONCT Development Management CD1

Assess the appropriateness of the chosen option, with consideration given to the ISP’s and in-house capability, capacity, security requirements and cost. Consideration should also be given to the ISP’s reputation and track record: who its other customers are (so they may be contacted) and their previous projects (both successful and otherwise).
    Reference: VPN Chapter 4; CONCT Development Management CD1

Security:

Determine the appropriateness of the enterprise’s VPN solution. This includes asking if management has adequately considered the need for maintenance from both ends of the virtual pipe. Are there enough security measures built in, and is there adequate assurance that these measures will be performed?
    Reference: VPN Chapter 3; CONCT Development Management CD1

Establish the protocol used by the VPN, and assess whether:
• With IPSec, the sender and the receiver have obtained a shared key and established a security association
• With PPTP, tunnelling is done through the Point-to-Point Protocol (PPP) to send packets over the Internet; this is currently available in Windows 2000/NT/98/95
• With L2TP, IPSec is used for encryption and tunnels are initiated outside the ISP network and terminated at the customer’s premises
The use of the protocol should be assessed for appropriateness to the organization in terms of:
• Manageability
• Efficiency
• Security
• Usability
• Expertise available to set up and manage the VPN utilizing the protocol that has been chosen
    Reference: CONCT Network Security Management MB3

Configuration/Topology:

Assess whether the VPN is:
• Software-based, where a firewall and/or router could be used with two components, a client and a server
• Hardware-based, with components used as tunnel terminators by ISPs, between sites and for remote access; dedicated VPN equipment can be used to provide integrated filtering and encryption, high-capacity edge devices or remote access concentrators
    Reference: CONCT Network Configuration Management MB1

Establish what type of tunneling was implemented, voluntary or compulsory, within the enterprise, and if it meets the needs of the users. The setup should be assessed in terms of:
• Security, i.e., IPSec
• Flexibility
• Upgradeability
• Efficiency
• Cost
    Reference: CONCT Network Configuration Management MB1

Ensure that the information to be accessed over the VPN topology and architecture is consistent with the enterprise’s data classification rules/policy.
    Reference: CONCT Network Configuration Management MB1

Determine if the method of encryption and encapsulation chosen for the enterprise’s firewalls is consistent with the method chosen for laptops accessing the VPN remotely.
    Reference: CONCT Network Configuration Management MB1

Assess whether there are backup arrangements in case of disaster or when the main system has to be taken down during upgrades, both in terms of hardware and software.
    Reference: CONCT Change Management CD3

Determine if appropriate users sign off to approve system nonavailability when an interruption occurs for system updates.
    Reference: CONCT Change Management CD3

Security Management:

Establish whether the particular encryption technology in use is allowed in all the countries through which the data will be transferred. Determine if there is a firewall set up on the remote users’ PCs. Determine the type of protocol suite used for the enterprise’s VPN.
    Reference: CONCT Network Security Management MB3

Ensure that there are set processes and procedures for adequately accounting for the issuance, monitoring, suspension and revocation of digital certificates, allowing proper authorization and encryption.

Assess the mechanism used to exchange and manage encryption keys.
    Reference: CONCT Network Security Management MB3

Establish where encryption will start and end: at a firewall is preferable to at the user workstation, as it allows checking of data that is not possible with encrypted data.
    Reference: CONCT Network Security Management MB3

Discover the point at which data are unencrypted; there should be adequate access controls at that point to allow confidentiality and integrity to be maintained.
    Reference: CONCT Network Security Management MB3

Authentication:

Determine if authentication is used to guarantee the source of the data. This will vary depending on the protocol being used:
• With IPSec, this is provided by the authentication header (AH) and the encapsulating security payload (ESP). The AH provides data integrity, data origin authentication and limited anti-replay services to IP; ESP is a protocol header inserted into an IP datagram to provide confidentiality, data origin authentication, anti-replay and data integrity services to IP.
• PPTP uses PPP authentication mechanisms, i.e., the password authentication protocol (PAP) and the challenge handshake authentication protocol (CHAP), and uses PPP to encrypt the link.
• L2TP uses the L2TP access concentrator (LAC) to provide first-level authentication.
    Reference: CONCT Network Security Management MB3
Change Control:
Identify hardware change components,                                                CONCT
schedule tests, and shut down for                                                   Change
implementation review (using backup system                                         Management
temporarily).                                                                         CD3
Testing:
Ensure there is a plan in place to test all parts                                   CONCT
of the VPN: The plan should:                                                        Change
 Include a range of different users.                                              Management
 Cover capacity, bandwidth, times of the                                             CD3
     day, access controls and encryption.
Review: VPN technology




                                                     10
                 Audit Step                     Completed     Test Results,    CONCT &
                                                 By/Date    Remarks, W/P Ref      VPN
                                                                               Publication
                                                                               Reference
Determine if the detailed objects and related                                     VPN
functions for meta data objects (MDO) are                                       Chapter 5
properly implemented to satisfy the business                                    CONCT
requirement.                                                                      MD1
                                                                                  MD4
Determine if the detailed objects and related                                     VPN
functions for management information base                                       Chapter 5
objects (MIBO) are properly implemented to                                      CONCT
satisfy the business requirement.                                                 MB1
                                                                                  MB5
Determine if the detailed objects and related                                     VPN
functions for component control base objects                                    Chapter 5
(CCBO) are properly implemented to satisfy                                      CONCT
the business requirement.                                                         CD1
                                                                                  CD4
                                                                                  CO1
                                                                                  CO6
                                                                                  CC1
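The Authentication step above says that, with IPSec, origin authentication comes from the AH and ESP headers and that both offer anti-replay services. As an added example (not part of the ISACA guideline), the following Python classifies an IPv4 packet by the IPsec header it carries, so an auditor can confirm on a capture whether the traffic is actually protected, and implements the sliding-window anti-replay check those headers enable; the packet bytes are constructed samples, and protocol numbers 50 (ESP) and 51 (AH) are the IANA assignments.

```python
# Added example (not from the ISACA guideline): inspect an IPv4 packet for the IPsec
# origin-authentication headers the audit step names. Packet bytes are constructed.
import struct

PROTO_ESP, PROTO_AH = 50, 51  # IANA protocol numbers (RFC 4303, RFC 4302)

def classify_ip_packet(pkt: bytes) -> dict:
    """Report whether the packet is protected by AH, ESP or nothing."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    body = pkt[ihl:]
    if proto == PROTO_AH:
        # AH: next hdr, payload len (32-bit words minus 2), reserved, SPI, seq, ICV
        next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", body[:12])
        return {"protection": "AH", "origin_auth": True, "spi": spi, "seq": seq,
                "icv_len": (plen + 2) * 4 - 12, "inner_proto": next_hdr}
    if proto == PROTO_ESP:
        # ESP shows only SPI and seq; whether an ICV follows is set per SA, so
        # origin authentication must be confirmed from the SA configuration.
        spi, seq = struct.unpack("!II", body[:8])
        return {"protection": "ESP", "origin_auth": "check SA", "spi": spi, "seq": seq}
    return {"protection": None, "origin_auth": False, "inner_proto": proto}

class ReplayWindow:
    """Sliding-window anti-replay check of the kind AH and ESP provide."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                      # sequence numbers start at 1
            return False
        if seq > self.top:                # newest so far: slide the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                  # too old, or a replayed duplicate
        self.bitmap |= 1 << diff
        return True

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum left at 0) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

# Constructed samples: AH with a 12-byte ICV (plen 4) and ESP with dummy payload.
AH_PKT = build_ipv4(PROTO_AH, struct.pack("!BBHII", 6, 4, 0, 0x100, 1) + bytes(12))
ESP_PKT = build_ipv4(PROTO_ESP, struct.pack("!II", 0x200, 7) + bytes(16))
```

A packet that classifies as ESP still needs the SA's integrity algorithm checked, since ESP without an ICV gives confidentiality but no origin authentication.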




Post-Implementation Audit Guideline
Introduction

This document is offered as a supplement to Virtual Private Networking—New Issues for Network
Security.

For the purpose of this sample audit guideline, the phases that most IT projects go through are broadly categorized as pre-implementation, implementation and post-implementation. The focus of this guideline is the post-implementation phase of the VPN.

In using this document, users should focus on the current phase of their VPN project, while looking at
the earlier and/or later phases for reference. Alternatively, they could focus exclusively on each phase
and move to the next phase as their VPN project progresses. This sample audit guideline uses the
Control Objectives for Net Centric Technology (CONCT), ISACF, 1999, as a framework reference
pertaining to the VPN environment.

During the post-implementation phase, the control professional must first ensure that the VPN meets
the original objectives of the enterprise, that there are procedures and processes in place to ensure the
VPN’s compliance with the enterprise information security policy, that changes are managed in a
secure and efficient manner, and that problems are adequately reported, recorded and handled.

Audit Objectives

The audit objectives for each entity differ slightly, but overall the end result of performing a post-
implementation review is to provide senior management with some assurance that the project of VPN
installation has proceeded adequately and in compliance with enterprise needs and expectations.

Referenced CONCT Control Objectives

Development Management
Network Security Management
Help Desk Management
Change Management
User Usage Management
Cost Control Management

Referenced Chapters in Virtual Private Networking—New Issues for Network Security

2 – VPN Technology, Architecture, Topology
3 – VPN Security
4 – VPN Evaluation and Implementation
5 – High-Level Control Objectives for VPN Technology

Functional Objectives

Some of the functional objectives at this stage include:
• Establishing whether the introduction of the VPN met the business objectives identified at project initiation (extended enterprise robustness, efficiency, flexibility, scalability and cost-saving)
• Determining whether usage of the VPN is in accordance with the organization's information security policy
• Ensuring changes to VPN-related components are made in a secure and efficient manner
• Establishing that problems with the system, whether technical, security or user-related, are reported, recorded and corrected in a timely manner

Audit Step / Completed By/Date / Test Results, Remarks, W/P Ref / CONCT & VPN Document Reference

A. Prior Audit/Examination Report Follow-up
Audit Step: Examine any prior reports that may be related to the previous phases (pre-implementation and implementation). Ensure any agreed-upon corrections have been followed up or addressed in a timely manner.

B. Preliminary Audit Steps
Audit Step: Review any management reports and documents covering previous stages and any plans for future developments.
Audit Step: Review any documents covering changes and identify any problems that were encountered.
Audit Step: Examine performance and any management reports to establish whether the business, financial and IT objectives of the VPN have been met.

C. Detailed Audit Steps
Business Objectives:
Audit Step: Assess progress of the VPN implementation project using project management techniques. Obtain user feedback for the post-implementation review. Evaluate current delivery against expected deliverables regarding network access, timelines, availability and confidentiality. Comparing the VPN with what the enterprise had been using, review and document the expenditures (costs) for each component that feed into the operational budget, to ensure integrity, accuracy, completeness and reliability. These should be assessed against the initially planned cost savings. (It should be noted that most of the savings from implementing a VPN will come from two areas: the first from a reduction in staffing through outsourcing functions needed while maintaining dedicated networks, and the second from network usage and long-distance savings. Neither of these may have been fully realized when the implementation review is conducted.)
Reference: CONCT Development Management CD1

Audit Step: Identify the VPN topology chosen by the enterprise (pure provider, hybrid or end-to-end) and determine if it is meeting the needs described by management in the implementation phase.
Security Management:
Audit Step: Determine if the firewalls and routers have been installed in the proper location based on the specific topology chosen by the entity. If a router-based VPN solution was chosen, determine if there are any interoperability or compatibility problems with business partners or suppliers of VPN routers.
Reference: CONCT Network Configuration Management MB1

Audit Step: Review to determine if processes and procedures for the monitoring of message movements exist to protect against unauthorized movements, access and modifications. There also should be procedures for reporting and following up any violations.
Reference: CONCT Network Configuration Management MB1

Audit Step: Ensure that all certificates were validated and that they are trusted by some user-specific information.
Reference: CONCT Network Configuration Management MB1

Change Control:
Audit Step: Determine if proper processes and procedures are in place to control changes to networks, hardware, operating system and database objects, including changes made by the ISP.
Reference: CONCT Change Management CD3

Audit Step: Assess whether hardware component changes have been made; schedule tests and a shutdown for post-implementation review (using a backup system temporarily).
Reference: CONCT Change Management CD3

Audit Step: Establish roll-back procedures to the previous release in the event the change is not successful. Ensure that all costs have been documented, and automate the control of source and objects while making operating system changes.
Reference: CONCT Change Management CD3

Problem (Usage) Management:
Audit Step: Determine if the following are in place:
• Virus protection software
• Firewalls for portables
• Download and replication procedures
• Monitoring of resource availability to support user usage
• Appropriate hardware and software to support processing efficiency, speed and cost control
Reference: VPN Chapter 3; CONCT User Usage Management CO6

Audit Step: Ensure there is an adequate help desk in place, extending not only to the traditional end users within the organization but also to the customers or suppliers who may be using an extended intranet (extranet) application.
Reference: CONCT Help Desk Management CO2
Review: VPN Technology
Audit Step: Determine if the detailed objects and related functions for meta data objects (MDO) are properly implemented to satisfy the business requirement.
Reference: VPN Chapter 5; CONCT MD1, MD4

Audit Step: Determine if the detailed objects and related functions for management information base objects (MIBO) are properly implemented to satisfy the business requirement.
Reference: VPN Chapter 5; CONCT MB1, MB5

Audit Step: Determine if the detailed objects and related functions for component control base objects (CCBO) are properly implemented to satisfy the business requirement.
Reference: VPN Chapter 5; CONCT CD1, CD4, CO1, CO6, CC1



