
IT Audit Required Documents

1. People and organisational documents:

Organisation chart
Job descriptions for the IT department
Sample employee evaluation form
List of all terminations / separations in the last 12 months
New hire checklist
Termination checklist
IT project list: planned, completed or ongoing in the last 12 months
Last year's management response letter

2. IT policies and procedures documents:

Network architecture diagrams / documentation
i. Network diagram
ii. Diagram / listing of hosts and servers running financial applications
iii. Change management policy and procedures
iv. Network hardware and software inventory
Computer operations policies and procedures
i. Security policy
ii. Password policy
iii. Acceptable use policy
Incident response policy
Security awareness training program
Firewall configurations and rule sets
i. Software selection policy and procedures
ii. Remote access policy
iii. Acceptable use policies (email, instant messaging, internet, software)
BCP/DRP
i. Policy and procedures
ii. Backup logs
iii. Offsite tape restoration logs
Vendor contracts and SLA copies
Help desk report
Batch processing logs / checklist (if applicable)

3. System acquisition, development and implementation

4. Program changes

5. Screenshots / samples:

Program change audit reports
Change management policy
Sample help desk report
Sample operator log
Sample backup activity log
Sample backup job log detail
Sample backup log
Active Directory default domain policy
Antivirus update setting screenshots
Firewall configuration
New user / user modification authorization form
Sample security audit report

Process flow: the following domains are covered in the IT audit process:

1. Access authorization to programs and data
2. Program changes
3. Program development
4. Computer operations

****************** Amendments in HIPAA Regulation **************************

1. Inclusion of subcontractors
2. Inclusion of health information organizations, vendors of personal health records and others that facilitate data transmission
3. Compliance deadlines for business associate compliance
4. Modified breach and notification rule
5. Marketing rules
6. Security rules
7. Amendments of authorization requirements
a. Sale of PHI
b. PHI after death
c. Disclosure of students' immunizations to schools
8. Notice of privacy practices
9. Individual right to restrict disclosure; right of access
10. Fundraising
11. Modification of the HIPAA rule under GINA
12. The hybrid entity, its healthcare components and business associate functions
13. Compliance and investigations; liability

HITECH: Health Information Technology for Economic and Clinical Health (Act).
HHS: Health and Human Services.
HIPAA: Health Insurance Portability and Accountability Act of 1996.
GINA: Genetic Information Nondiscrimination Act of 2008, which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
HITRUST: Health Information Trust Alliance, created to establish a common security framework that allows more effective and secure access, storage and exchange of personal information. HITRUST brings together a broad array of healthcare organizations and stakeholders united by the core belief that standardizing a higher level of security will build greater trust in the electronic flow of information through the healthcare system.

********************** Encryption Algorithms *******************

IDEA (International Data Encryption Algorithm): a block cipher that operates on 64-bit plaintext and ciphertext blocks and is controlled by a 128-bit key.
DES: key length 64 bits (56 usable), 16 rounds, block size 64
TDES: key length 168 or 112, 48 rounds, block size 64
RSA: key length = number of bits in the modulus, 1 round, variable block size; asymmetric encryption algorithm
AES: key length 128, 192 or 256, with 10, 12 or 14 rounds respectively, block size 128
Blowfish: key length 32-448, 16 rounds, block size 64; no attack till date
Twofish: key length 128, 192 or 256, 16 rounds, block size 128
Threefish: key length 256, 512 or 1024; 72 rounds for 256 and 512, 80 rounds for 1024; block size 256, 512 and 1024 respectively
IDEA: key length 128, 8 rounds, block size 64

********************************* PCI DSS *********************

****************************** Data Centre Audit ****************

While auditing a data centre we should look for the following evidence:
1. Data centre certification: SOC 2 Type II audited
2. Data centre location:
a. Data centre located in an area not prone to natural disasters
b. Data centre sufficiently distanced from major airports, government offices, etc.
3. Data centre security:
a. All data centre employees and contractors undergo criminal background checks and are subject to random drug screening
b. Biometric access control
c. On-site digital video camera surveillance
d. All cabinets are lockable and cages are offered
4. Data centre features
5. Data centre network
6. Data centre environment
7. 24*7*365 on-site staff
8. Account management tool
***** Main controls to be audited ******
1. Physical security
2. Environmental and electric control
3. Change Management
4. Inventory control
5. Incident Management
6. Disaster recovery / Continuity Management

********************* ISMS (ISO 27001) ************************

Mandatory Clauses:
1. Context of the organisation
a. Understanding the organisation and its context
b. Understanding the needs and expectation of interested parties
c. Determining the scope of the information security management
system
d. Information security management system
2. Leadership
a. Leadership and commitment
b. Policy
c. Organisational roles, responsibilities and authorities
3. Planning
a. Actions to address risk and opportunities
b. Information security objectives and planning to achieve them
4. Support
a. Resources
b. Competence
c. Awareness
d. Communication
e. Documented Information
5. Operation
a. Operational planning and control
b. Information Security risk assessment
c. Information security risk treatment
6. Performance evaluation
a. Monitoring, measurement, analysis and evaluation
b. Internal audit
c. Management review
7. Improvement
a. Nonconformity and corrective action
b. Continual Improvement
Domains covered in ISO 27001:2013:
1. Information security policy
2. Organisation of information security
3. Human resource security
4. Asset management
5. Access control
6. Cryptography
7. Physical and environmental security
8. Operations security
9. Communications security
10. System acquisition, development and maintenance
11. Supplier relationships
12. Information security incident management
13. Information security aspects of business continuity management
14. Compliance
Points to focus on in the current ISMS:

1. The current ISMS is control based, but it should be process based. Process based management is easier to integrate with any standard. Controls do not have a defined output, but processes do, which means processes can be managed using metrics of their output.
2. The current ISMS is based on a bottom-up approach, but it should be based on a top-down approach: focus on business objectives/goals and derive security objectives and targets from business requirements.
3. The current ISMS's information qualities are CIA (confidentiality, integrity, availability), but the required information qualities are business, compliance and technical.
4. The current ISMS considers an incident to be a breach of CIA, but the requirement is to consider a breach of a security objective as an incident.

Information Security Management Maturity Model main characteristics are:
1. Business focused
2. Process oriented
3. Measurement driven

**************************** Firewall Audit Process ************************
1. Auditing the change process
2. Auditing the firewall rule base

**************************** Router and Switch Audit **************************
1. Are unused services disabled?
2. Are DNS lookups on the router turned off?
3. Are the TCP and UDP small-servers services disabled on the router?
4. Is the BOOTP server disabled on the router?
5. Is directed broadcast disabled on all interfaces?
6. Is source routing disabled on the router?
7. Is proxy ARP disabled on the router?
8. Are ICMP redirects disabled on the router?
9. Password encryption: are passwords encrypted in the configuration file?
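The router and switch questions above turned into an offline configuration check. This is an added example, not part of the original notes; it assumes Cisco IOS command syntax, the mapping from each checklist item to a config line is mine, and SAMPLE_CONFIG is a constructed configuration rather than one from a real device.

```python
"""Check an IOS-style router config against the router/switch audit list above.
Added example, not from the original notes; SAMPLE_CONFIG is constructed. IOS
hides default-on settings in the running config, so those checks require 'no ...'."""

# Constructed sample configuration mixing passing and failing items.
SAMPLE_CONFIG = """\
service tcp-small-servers
no ip domain-lookup
no ip bootp server
interface GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
interface GigabitEthernet0/1
 ip directed-broadcast
"""

# (checklist item, exact config line, must_be_present): global section first,
# then the checks applied to every interface stanza.
GLOBAL_CHECKS = [
    ("DNS lookups disabled", "no ip domain-lookup", True),
    ("BOOTP server disabled", "no ip bootp server", True),
    ("Source routing disabled", "no ip source-route", True),
    ("Passwords encrypted in config", "service password-encryption", True),
    ("TCP small servers disabled", "service tcp-small-servers", False),
    ("UDP small servers disabled", "service udp-small-servers", False),
]
IFACE_CHECKS = [
    ("ICMP redirects disabled", "no ip redirects", True),
    ("Proxy ARP disabled", "no ip proxy-arp", True),
    ("Directed broadcast disabled", "ip directed-broadcast", False),
]


def parse_config(text):
    """Split into (global_lines, {interface_name: [indented body lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # blank lines and IOS section separators
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any unindented line ends the interface stanza
            global_lines.append(line)
    return global_lines, interfaces


def audit_config(text):
    """Return sorted (checklist item, scope) findings; empty means all passed."""
    global_lines, interfaces = parse_config(text)
    scopes = [(global_lines, GLOBAL_CHECKS, "global")]
    scopes += [(body, IFACE_CHECKS, name) for name, body in interfaces.items()]
    findings = []
    for lines, checks, scope in scopes:
        present = set(lines)
        # A check fails when the line's presence differs from what it requires.
        findings += [(item, scope) for item, line, req in checks
                     if (line in present) != req]
    return sorted(findings)
```

Running `audit_config(SAMPLE_CONFIG)` reports three global findings and three on GigabitEthernet0/1, while GigabitEthernet0/0 passes every interface check.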
*************************** ITGC Audit Process **************
1. Understand and identify the environment and systems to be reviewed
2. Perform interviews, walkthroughs and documentation reviews to gain an understanding of the process
3. Assess the appropriateness of the existing control environment (control design)
4. Validate existing controls to assess control operating effectiveness
***** Main components covered in an ITGC Audit *****
1. Access to programs and data
a. User provisioning and de-provisioning
b. Periodic access reviews
c. Password requirements
d. Privileged user accounts
e. Physical access
2. Program changes
3. Program development
a. Change management procedures and system development methodology
b. Authorization, development, implementation, testing, approval and documentation
c. SOD (segregation of duties)
d. Configuration changes
e. Emergency changes
f. Data migration and version controls
g. Post-change/implementation testing and reviews
4. Computer operations; components to be considered:
a. Batch job processing
b. Monitoring of jobs (success/failure)
c. Backup and recovery procedures
d. Incident handling and problem management
e. Changes to the batch schedules
f. Environmental controls
g. Disaster recovery and business continuity plan
h. Patch management
************************ Application Control Testing *************************
The objective of control tests in an application is to validate the internal controls that support accurate, complete, timely and authorized processing.
Checks to be performed at the points of testing:
1. Have the business transactions processed by the software been identified?
2. Has a transaction flow analysis been prepared for each transaction?
3. Have controls for the transaction flow been documented?
4. Has input control testing been performed?
5. Has the level of risk for each control area been identified?
6. Have end users or customers been notified of the level of control risk?

*************************** ISMS Implementation Steps *******************


1. Obtain Management support
2. Treat as a project
3. Define the Scope
4. Write ISMS policy
5. Define the Risk Assessment methodology
6. Perform the risk assessment & risk treatment
7. Write the Statement of Applicability
8. Write the Risk Treatment Plan
9. Define how to measure the effectiveness of controls
10. Implement the controls & mandatory procedures
11. Implement training and awareness programs
12. Operate the ISMS
13. Monitor the ISMS
14. Internal audit
15. Management review
16. Corrective actions and support

************************* Top Ten Vulnerabilities ******************

1. SQL injection
2. Broken authentication and session management
3. XSS (cross-site scripting)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards
************************ Privacy by Design ***********************
1. Proactive not reactive; preventative not remedial
2. Privacy as the default setting
3. Privacy embedded into design
4. Full functionality: positive-sum, not zero-sum
5. End-to-end security: full lifecycle protection
6. Visibility and transparency: keep it open
7. Respect for user privacy: keep it user-centric

************************* Privacy Engineering **************

Privacy engineering is an emerging discipline within, at least, the software or information systems domain which aims to provide methodologies, tools and techniques such that the engineered systems provide acceptable levels of privacy.
In the US, an acceptable level of privacy is defined in terms of compliance with the functional and non-functional requirements set out through a privacy policy.
It focuses on providing guidance that can be used to decrease privacy risks, and to enable organizations to make purposeful decisions about resource allocation and effective implementation of controls in information systems.

********************************* Personal Data Service ***************

A Personal Data Service or Personal Data Store is a service that lets an individual store, manage and deploy their key personal data in a highly secure and structured way.
It gives the user a central point of control for their personal information.
1. Cloud-based PDS
Data.fm, HAT (Hub of All Things), Higgins, etc.
2. PC-based PDS
The Locker Project, an open-source, JavaScript-based PDS with a centralised underlying attribute store that lives on the person's personal computer, as well as an API to support local applications.
***************************** SQL Injection **********************
SQLmap is able to detect and exploit five different SQL injection types:
1. Boolean-based blind
2. Time-based blind
3. Error-based
4. UNION query-based
5. Stacked queries (also known as piggybacking)
https://gbhackers.com/sqlmap-detecting-exploiting-sql-injection/

*************************** LDAP Security and Configuration Audit *********************

We should look for this evidence while auditing LDAP:
1. Account management
2. Authentication: LDAP generally supports two authentication methods: simple bind and
3. Password policy: most LDAP systems store and validate passwords
4. Access control: access control lists affect both integrity and confidentiality
5. SSL and TLS: most data carried by LDAP is likely to be sensitive, so sessions should be encrypted
Tests should cover at least:
Access control rules
Authentication protocol
TLS
Size limits
Referential integrity (if the server is configured to enforce this)
Objective of auditing an LDAP server: the Active Directory audit/assurance review will:
1. Provide management with an evaluation of the Active Directory implementation and the effectiveness of its security design
2. Provide management with an independent assessment of the operating effectiveness of the security controls
Scope: Windows Server implementations operate with various functions and software. The review evaluates the secure Active Directory infrastructure necessary to support the servers and workstations within the enterprise. The review will focus on the configuration controls related to:
1. Active Directory management
2. Secure Active Directory boundaries
3. Secure domain controllers
4. Physical security of the domain controllers
5. Secure domain and domain controller configuration settings
6. Secure administrative practices
The scope excludes:
1. Windows Server configurations
2. Workstation configurations
3. User access and identity management
4. DNS management
It is recommended that:
1. Windows Server configuration assessments be performed using an audit/assurance program specifically designed for the server's function (web, email, file/print, etc.)
2. Workstation configuration assessments be performed using audit/assurance programs designed for the operating system and function (desktop, laptop, special applications, etc.)

Functionality of the LDAP protocol:

1. StartTLS: use the LDAPv3 TLS extension for a secure connection
2. Bind: authenticate and specify the LDAP protocol version
3. Search
4. Compare
5. Add a new entry
6. Delete an entry
7. Modify an entry
8. Modify Distinguished Name (DN): move or rename an entry
9. Abandon: abort a previous request
10. Extended operation
11. Unbind: close the connection

**************** Information Security Metrics ***********************

1. Businesses use metrics to facilitate decision making
2. Better data leads to better decisions
3. Metrics allow an organisation to set appropriate priorities

Security metrics is a method which facilitates decision making and improved performance and accountability through the collection, analysis and reporting of performance-related data.
Information security metrics must be:
1. Based on information security performance goals and objectives
2. Useful for the detection and management of risks
3. Useful for tracking performance and directing resources
Security metrics measure the following:
1. Anti-malware
2. Firewall
3. Intrusion detection and prevention
4. Unified threat management
5. Data leakage protection
6. Configuration hardening
7. Mobile data protection
8. Web application firewalls
9. Background check reports
10. Asset management
11. Patch management
12. Incident management
Expected milestones and results:
1. Management approved and supported
2. Metrics based on company/executive needs
3. Metrics based on the infosec mission statement & goals
4. Metrics that are actionable
5. Metrics that provide (at minimum) two value points
Effective security metrics:
1. Meaningful: the metrics must be understood by recipients.
2. Accurate: a reasonable degree of accuracy is essential.
3. Cost-effective: the measurement can't be too expensive to acquire or maintain.
4. Repeatable: the measure must be able to be acquired reliably over time.
5. Actionable: it should be clear to the recipient what action must be taken.
6. Genuine: it must be clear what exactly is being measured, e.g., measurements that are not random or subject to manipulation.
Value at Risk:
VaR is a measure of the risk of investments. It estimates how much a set of investments might lose, given normal market conditions, in a set time period such as a day. VaR is typically used by firms and regulators in the financial industry to gauge the amount of assets needed to cover possible losses.
In FRM, VaR is defined as: for a given portfolio, time horizon and probability p, the p-VaR is defined as a threshold loss value such that the probability that the loss on the portfolio over the given time horizon exceeds this value is p.
ROSI (Return on Security Investment):
ROSI is used to calculate the return on investment based on the reduction in losses resulting from a security control. ALE (annualized loss expectancy) provides the likely annualized loss based on the probable frequency and magnitude of a security compromise.
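The VaR and ROSI definitions above written out as formulas, added here as an illustration that is not part of the original notes. The symbol names are assumed: L is the portfolio loss over the horizon, SLE and ARO are the usual single loss expectancy and annualised rate of occurrence behind ALE, and C is the annual cost of the control.

```latex
% Value at risk: the smallest loss threshold that is exceeded with probability at most p
\mathrm{VaR}_p(L) \;=\; \inf\{\, l \in \mathbb{R} \;:\; \Pr(L > l) \le p \,\}

% Annualized loss expectancy: magnitude of a single loss times its expected yearly frequency
\mathrm{ALE} \;=\; \mathrm{SLE} \times \mathrm{ARO}

% Return on security investment: the loss reduction a control delivers, net of its cost,
% relative to that cost (a value above zero means the control pays for itself)
\mathrm{ROSI} \;=\; \frac{(\mathrm{ALE}_{\mathrm{before}} - \mathrm{ALE}_{\mathrm{after}}) - C}{C}
```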

********************** Privacy Impact Assessment ***********************

Data Protection Act principles:
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
a) at least one of the conditions in Schedule 2 is met, and
b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
************************** Server Security Configuration Audit **********************
1. Secure network and physical environment
I. Server is secured in a locked rack or in an area with restricted access
II. All non-removable media is configured with file systems with access controls enabled
2. Patching / server maintenance
3. Logging
4. System integrity controls
5. Vulnerability assessment
6. Authentication and access control
7. Backup, restore and business continuity
8. Application administration
9. Security review and risk management
10. Server registration
11. High performance and distributed computing
