Application Security Audit Program.docx
Application Security Audit Program

B.1. PS - Laws and Audit Criteria
Procedure Step:
Compliance with Laws
Audit Step:
1. Interview responsible agency personnel to determine their awareness of the applicable laws, rules, and regulations and whether they know of any non-compliance with them. Also, determine the related internal control procedures in place to ensure compliance.
2. Perform tests of internal controls put in place by management to ensure compliance with these laws, rules and regulations, as needed.
3. Make recommendations concerning the nature, extent and timing of substantive tests to be performed to detect (or determine the extent of) abuse or illegal acts. If no further tests are necessary, so indicate.
4. Note any known abuses or illegal acts. Also, assess the risk of other abuses or illegal acts that could occur (low, moderate, or high). If conditions are identified indicating abuse or illegal acts, these matters should be brought to the attention of the Audit Director.
Purpose:
To evaluate whether the agency is complying with all applicable laws and the risk that fraud or abuse is occurring.

B.1. PS - Laws and Audit Criteria
Procedure Step:
FISCAM
Audit Step:
Obtain and review the GAO "Federal Information Systems Control Audit Manual" (FISCAM). Document any sections relevant to our audit, including questionnaires.
Purpose:
To document our audit criteria.

B.1. PS - Laws and Audit Criteria
Procedure Step:
Audit Criteria
Audit Step:
Document other relevant audit criteria such as:
1. Statement on Auditing Standards number 70
2. SANS Operating System Security Configurations and NIST Guides
3. State Preferred Standards for Information Security
4. ISO 17799
Note:
Consider separate write-ups and/or developing a summary compliance checklist if necessary.
Purpose:
To document our audit criteria.

B.2. PS - Policies and Procedures
Procedure Step:
Security Policy
Audit Step:
To determine whether the agency has developed and communicated a comprehensive information security policy covering the application, or an equivalent document, as required by State Policy. This should include:
∙ A clear description of the agency's information security program, and the policies and procedures that support it;
∙ Clearly defined responsibilities for all information security matters;
∙ An indication of specifically what resources are devoted to information security;
∙ A framework and continuing cycle of activities for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the agency's computer-related controls; and,
∙ A description of the lines of communication for information security related to the application.
Purpose:
To determine whether there is a clearly defined information security program at the agency over the application in question.

B.2. PS - Policies and Procedures
Procedure Step:
Policies and Procedures
Audit Step:
Review policy and procedures manuals to determine if they are current and are reviewed periodically. Determine if personnel have access to copies of manuals. Obtain any available agency-specific procedures that the agency has developed to meet State Standards for Information Security, such as:
1. Environmental controls over the mainframe and/or servers;
2. What physical security requirements exist for the application and what restrictions are present for system access;
3. Backup policies and procedures;
4. Password policies and procedures; and,
5. How access to system documentation, data files, password files, programs, and the State IT agency are safeguarded.
Purpose:
To obtain relevant agency policies and procedures.

B.2. PS - Policies and Procedures
Procedure Step:
Monitoring Procedures
Audit Step:
To determine if the agency has implemented clearly defined monitoring practices that ensure information security policies and procedures are followed related to the application. This includes "day-to-day and investigative monitoring" over "intrusion detection reports and daily usage logs" for servers, mainframes, firewalls and relevant networks.
Purpose:
To evaluate whether adequate steps have been taken to ensure agency information security procedures are functioning as intended.

B.2. PS - Policies and Procedures
Procedure Step:
Summary Policy Step
Audit Step:
Based upon previous audit steps, conclude whether the agency has effectively implemented information security procedures for the application according to State Information Security Policies.
Purpose:
To assess the adequacy of the agency's security policies related to the application.

B.3. PS - Overview and Background
Procedure Step:
Overview Meeting
Audit Step:
Meet with appropriate agency staff to obtain an overview of data center operations, specific unit(s) within the agency, and/or program(s) being audited. Consider FISCAM's Appendix I: "Background Information" as a tool to use when obtaining this overview.
Purpose:
Obtain an overview of the agency/subdivision of agency/program.

B.3. PS - Overview and Background
Procedure Step:
Security Managers
Audit Step:
Determine whether specific individuals have responsibilities for developing, communicating, and monitoring compliance with security policies related to the application and reporting these activities to senior management. Is there a central point of contact to coordinate all information security matters for the application?
Purpose:
Obtain an overview of the agency/subdivision of agency/program.

B.3. PS - Overview and Background
Procedure Step:
Separation of Duties
Audit Step:
Obtain an organization chart and discuss job classifications and duties with appropriate employees. Assess whether adequate separation of duties exists over the application (consider FISCAM as a guide, and consider completing the "Separation of Duties" checklist to help in assessing controls).
Purpose:
To obtain an understanding of the application's security environment.

B.3. PS - Overview and Background
Procedure Step:
Security Awareness
Audit Step:
Determine whether the agency has taken adequate steps to promote security awareness among individuals responsible for the application according to State IS policies.
Purpose:
To determine whether the agency has implemented an effective security awareness program.

B.4. PS - Security Control Activities
Procedure Step:
Risk Assessment
Audit Step:
Determine whether the agency/Department has conducted a comprehensive risk assessment for the application that examines the protection mechanisms and most likely vulnerabilities, including identifying:
∙ all possible system vulnerabilities;
∙ the probability that these vulnerabilities will be exploited;
∙ the possible impact from such exploitation; and
∙ the appropriate steps to mitigate risks.
Purpose:
To obtain an understanding of how access to the system is determined and at what levels access can be restricted.

B.4. PS - Security Control Activities
Procedure Step:
Authorizing Access
Audit Step:
1. Obtain agency policies and procedures for authorizing access to information resources and documenting such authorizations for the application.
2. Obtain an understanding of how the agency determines what access an employee will have to the application and who is responsible for determining the access level. Obtain a listing of individuals with Administration Rights.
3. Determine how the agency monitors access, investigates apparent security violations, and takes appropriate remedial action.
4. Determine if an access path diagram has been established. Such a diagram identifies the users of the system, the system on which these resources reside, and the modes of operation and telecommunications paths.
Purpose:
To obtain an understanding of how access to the system is determined and at what levels access can be restricted.

B.4. PS - Security Control Activities
Procedure Step:
Login and Passwords
Audit Step:
Determine what login and password controls are in place for agency employees with access to the application.
Purpose:
To obtain an understanding of the application information security controls.

B.4. PS - Security Control Activities
Procedure Step:
Changing User Access Rights
Audit Step:
Determine who is responsible for changing user access for employees with application access rights when an employee leaves, is terminated, or receives a promotion.
Purpose:
To obtain an understanding of application information security controls.

B.4. PS - Security Control Activities
Procedure Step:
Access to Internet
Audit Step:
Determine to what extent the application functions as an open communications environment relating to Internet access. Obtain a schematic showing the interconnectivity of the application to the Internet (are there firewall policies, demilitarized zones, etc.). Determine whether the agency/Department meets the provisions of State IS policies.
Purpose:
To obtain an understanding of application information security controls.

B.4. PS - Security Control Activities
Procedure Step:
Critical Hosts
Audit Step:
Has the agency established adequate controls to account for (i.e., continuous inventory) and secure application equipment such as servers, printers (i.e., shredding of confidential data output), modems, routers, etc.?
Note:
Security covers physical, environmental, and logical controls.
Purpose:
To obtain an understanding of application information security controls.

B.4. PS - Security Control Activities
Procedure Step:
Administration Rights
Audit Step:
Obtain an understanding of agency policies and procedures related to individuals with administration rights to the application. Determine whether adequate monitoring procedures are in place over these individuals.
Purpose:
To obtain an understanding of application information security controls.

B.4. PS - Security Control Activit