Application Security Audit Program.docx

1、Application Security Audit ProgramB.1.PS - Laws and Audit CriteriaProcedure Step: Compliance with Laws Audit Step:1. Interview responsible agency personnel to determine their awareness of the applicable laws, rules, and regulations and whether they know of any non-compliance with them. Also, determi

2、ne the related internal control procedures in place to ensure compliance.2. Perform tests of internal controls put in place by management to ensure compliance with these laws, rules and regulations, as needed.3. Make recommendations concerning the nature, extent and timing of substantive tests to be

3、 performed to detect (or determine the extent of) abuse or illegal acts. If no further tests are necessary, so indicate.4. Note any known abuses or illegal acts. Also, assess the risk of other abuses or illegal acts that could occur. (Low, moderate, or high). If conditions are identified indicating

4、abuse or illegal acts, these matters should be brought to the attention of the Audit Director.Purpose:To evaluate whether the agency is complying with all applicable laws and the risk that fraud or abuse is occurring. B.1.PS - Laws and Audit CriteriaProcedure Step: FISCAM Audit Step:Obtain and revie

5、w the GAO Federal Information Systems Control Audit Manual (FISCAM). Document any sections relevant to our audit including questionnaires. Purpose:To document our audit criteria. B.1.PS - Laws and Audit CriteriaProcedure Step: Audit Criteria Audit Step:Document other relevant audit criteria such as:

6、1. Statement on Auditing Standards number 702. SANS Operating System Security Configurations and NIST Guides3. State Preferred Standards for Information Security4. ISO 17799Note: Consider separate write-ups and/or developing a summary compliance checklist if necessary.Purpose:To document our audit c

7、riteria. B.2.PS - Policies and ProceduresProcedure Step: Security Policy Audit Step:To determine whether the agency has developed and communicated a comprehensive information security policy covering the application, or equivalent document, as required by State Policy. This should include: A clear d

8、escription of the agencys information security program, and policies and procedures that support it; Clearly defined responsibilities for all information security matters; An indication of specifically what resources are devoted to information security; A framework and continuing cycle of activities

9、 for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the agencys computer-related controls; and, A description of the lines of communication for information security related to the application.Purpose:To determine whether there is clearly defin

10、ed information security program at the agency over the application in-question. B.2.PS - Policies and ProceduresProcedure Step: Policies and Procedures Audit Step:Review policy and procedures manuals to determine if they are current and are reviewed periodically. Determine if personnel have access t

11、o copies of manuals. Obtain any available agency specific procedures that the agency has developed to meet State Standards for Information Security such as:1. Environmental controls over the mainframe and/or servers;2. what physical security requirements exist for the application and what restrictio

12、ns are present for system access;3. backup policies and procedures;4. password policies and procedures; and,5. how access to system documentation, data files, password files, programs, and the State IT agency are safeguarded. Purpose:To obtain relevant agency policies and procedures. B.2.PS - Polici

13、es and ProceduresProcedure Step: Monitoring Procedures Audit Step:To determine if the agency has implemented clearly defined monitoring practices that ensure information security policies and procedures are followed related to the application. This includes day-to-day and investigative monitoring ov

14、er intrusion detection reports and daily usage logs for servers, mainframes, firewalls and relevant networks.Purpose:To evaluate whether adequate steps have been taken to ensure agency information security procedures are functioning as intended. B.2.PS - Policies and ProceduresProcedure Step: Summar

15、y Policy Step Audit Step:Based upon previous audit steps, conclude whether the agency has effectively implemented information security procedures for the application according to State Information Security Polices.Purpose:To assess the adequacy of the agencys security policies related to the applica

16、tion. B.3.PS - Overview and BackgroundProcedure Step: Overview Meeting Audit Step:Meet with appropriate agency staff to obtain an overview of data center operations, specific unit(s) with the agency, and/or program(s) being audited. Consider FISCAMs Appendix I: Background Information as a tool to us

17、e when obtaining this overview. Purpose:Obtain an overview of the agency/subdivision of agency/program. B.3.PS - Overview and BackgroundProcedure Step: Security Managers Audit Step:Determine whether specific individuals have responsibilities for developing, communicating, and monitoring compliance w

18、ith security policies related to the application and reporting these activities to senior management. Is there a central point of contact to coordinate all information security matters for the application?Purpose:Obtain an overview of the agency/subdivision of agency/program. B.3.PS - Overview and B

19、ackgroundProcedure Step: Separation of Duties Audit Step:Obtain an organization chart and discuss job classifications and duties with appropriate employees. Assess whether adequate separation of duties exists over the application (Consider FISCAM as a guide. Considering completing the Separation of

20、Duties checklist to help in assessing controls). Purpose:To obtain an understanding of the applications security environment. B.3.PS - Overview and BackgroundProcedure Step: Security Awareness Audit Step:Determine whether the agency has taken adequate steps to promote security awareness among indivi

21、duals responsible for the application according to State IS policies.Purpose:To determine whether the agency has implemented an effective security awareness program. B.4.PS - Security Control ActivitiesProcedure Step: Risk Assessment Audit Step:Determine whether the agency Department has conducted a

22、 comprehensive risk assessment for the application that examines the protection mechanisms and most likely vulnerabilities including identifying: all possible system vulnerabilities; the probability that these vulnerabilities will be exploited; the possible impact from such exploitation; and the app

23、ropriate steps to mitigate risks.Purpose:To obtain an understanding of how access to the system is determined and at what levels access can be restricted. B.4.PS - Security Control ActivitiesProcedure Step: Authorizing Access Audit Step:1. Obtain agency policies and procedures for authorizing access

24、 to information resources and documenting such authorizations for the application. 2. Obtain an understanding of how the agency determines what access an employee will have to the application and who is responsible for determining the access level. Obtain a listing of individuals with Administration

25、 Rights.3. Determine how the agency monitors access, investigates apparent security violations, and takes appropriate remedial action.4. Determine if an access path diagram has been established. Such a diagram identifies the users of the system, the system on which these resources reside, and the mo

26、des of operation and telecommunications paths.Purpose:To obtain an understanding of how access to the system is determined and at what levels access can be restricted. B.4.PS - Security Control ActivitiesProcedure Step: Log in and Passwords Audit Step:Determine what log in and password controls are

27、in place for agency employees with access to the application.Purpose:To obtain an understanding of the application information security controls. B.4.PS - Security Control ActivitiesProcedure Step: Changing User Access Rights Audit Step:Determine who is responsible for changing user access for emplo

28、yees with application access rights when an employee leaves, is terminated, or receives a promotion. Purpose:To obtain an understanding of application information security controls. B.4.PS - Security Control ActivitiesProcedure Step: Access to Internet Audit Step:Determine to what extent the applica

29、tion functions as an open communications environment relating to Internet access. Obtain a schematic showing the interconnectivity of application to the Internet (are there firewall policies, demilitarized zones, etc.). Determine whether the agency Dept. meets the provisions of State IS policies.Pur

30、pose:To obtain an understanding of application information security controls. B.4.PS - Security Control ActivitiesProcedure Step: Critical Hosts Audit Step:Has agency established adequate controls to account for (i.e., continuous inventory) and secure application equipment such as servers, printers

31、(i.e., shredding of confidential data output), modems, routers, etc. Note: security covers physical, environmental, and logical controls.Purpose:To obtain an understanding of application information security controls. B.4.PS - Security Control ActivitiesProcedure Step: Administration Rights Audit St

32、ep:Obtain an understanding of agency policies and procedures related to individuals with administration rights to the application. Determine whether adequate monitoring procedures are in place over these individuals.Purpose:To obtain an understanding of application information security controls. B.4.PS - Security Control Activit