Subject: Computer Attacks and Defence

Project No. 1: IT Audit Checklist

Name: Bc. Kryštof Šara (SAR0130)

Date: 12. 04. 2024


System

  • Which operating system(s) are in use in your organization?
  • How do you ensure these systems are up-to-date?
  • Who is in charge of the system upgrading?

Antivirus

  • Do you utilize antivirus software in your organization?
  • When was the last time that software was upgraded?
  • How do you verify that the software is functional and operational?

Firewall

  • What kind of firewall is used in your organization’s network? Any hardware and/or software firewall solutions?
  • How many people are in charge of the firewall rules configuration?
  • Who approves firewall changes?

Security policies

  • Where do you store the shared passwords?
  • Do teams use two-factor authentication by default whenever possible?
  • How are risky websites treated? Are they blocked by Pi-hole, for example?

IDS/IPS

  • Does your organization utilize IDS/IPS systems? What kind of honeypots do you utilize?
  • How does your organization control its operation?
  • How often do you test its functionality?

Access

User Accounts

  • What does new account creation across your systems look like? Who is in charge of onboarding new accounts?
  • What is your organization’s procedure for user account deletion?
  • Where do you preserve user account information? Are the backups encrypted?

Passwords

  • How often do your organization’s employees change their passwords?
  • Do you have a policy requiring a mixture of alphanumeric and special characters in new passwords?
  • How do you store user passwords? What hashing algorithm is in use? Do you salt passwords?

Roles

  • Does your organization use role-based access control as another layer of authorization?
  • How often do you check for possible shadow accounts assigned such a role?

Backups and DRS

Routine testing

  • Where is the physical location of your backups?
  • Do you utilize the 3-2-1 recommendation for backups?
  • How often do you test the operational state of your backups?
  • How often do you test the recovery procedure of your critical database system?

File deletion

  • What is your organization’s procedure/policy for any file deletion?
  • How do you ensure the file is permanently deleted?
  • How do you delete old backups?
  • Do you also delete user data from backups, as required by GDPR?

Disaster recovery plan

  • Does your organization maintain one disaster recovery plan per industry sector?
  • How often do you test all DR scenarios?
  • What is the procedure of communication with clients in case of a disaster?

Monitoring

  • What tooling do you have implemented to ensure proper monitoring of your infrastructure?

Network

  • What monitoring tools are in use in your network?
  • What is the full topology of your network(s)? Do you keep any diagrams of such topologies? Is it well documented?
  • Do you scrape system metrics (CPU, RAM, disk, network usage)? Do you utilize metrics-based alerting?
  • How do you perform checks of personal computers? Are any of them slow to boot?
  • Do you have separate networks (extranets) for your clients/guests?
  • Do you utilize VLANs?

Outages

  • How do you plan outages in your network(s)?
  • Do you utilize SLAs? If so, how many levels of SLA?
  • Who is in charge of setting the maintenance windows (MW), and what tasks are executed during them?

Development

  • How do you deploy new versions of your software?
  • Do you apply CI/CD pipeline practices?
  • How do you ensure zero or as-low-as-reasonably-possible downtime?
  • How do you secure access to the project repositories? Who has access to the repositories? What are their roles and permissions?
  • Is your tooling up-to-date?
  • Do you use open-source tooling or any proprietary tooling for development?

Testing

  • What tests are in use in your software development process?
  • How do you test network configuration changes?
  • Who is in charge of performing such testing?
  • Are any of those tests automated?

Documentation

  • What security protocols are in use in your organization?
  • Do you have a centralized documentation system?
  • How often do you check for documentation updates? How often do you update your documentation?
  • Does every project of yours include proper documentation?
  • What is the common structure of a documentation entry?

Logs

  • Do you have a centralized logs storage?
  • What utilities/services do you use to keep and visualize your application and system logs?
  • How long are logs retained in your infrastructure? How old are the oldest backups you keep?

Incidents

  • Do you have a standardized procedure on how to handle security incidents?
  • What does your escalation matrix look like? Who manages and delegates escalated incidents?
  • Do you utilize any kind of status page of your core services for clients? Is it publicly accessible?

Security Policies

  • Which security policies are implemented in your organization?
  • How often are your employees educated to comply with the current policies?
  • How does a common educational security presentation look like?

Standardization

Compliance

  • How do you ensure your organization complies with the current security recommendations and requirements?

Licenses

  • How many licenses does your organization use? Do you keep any kind of license inventory?

Physical Control

  • Do you keep logbook records of people entering your facilities?
  • Do you have any type of presence checking implemented?
