iFour Consultancy
Information Security Audit Checklist
Basic stages and workflow of IS Audit
Software Consultancy India http://www.ifourtechnolab.com
Table of Contents
ISO for Software Outsourcing Companies in India
Sr. No. Particulars
1 List of documents for understanding the Information System of the auditee.
2 Criticality Assessment Tool
3 Collection of specific information on Information System
4 Risk assessment
5 General controls
6 Input controls
7 Processing controls
8 Output controls
9 IT security
Documents for understanding Information System
Sr. No. List of documents
1 Brief background of the organization
2 Information security objectives
3 Scope document of Information System
4 Organizational chart with details of reporting responsibilities
5 Information security policy
6 Risk assessment process
7 Statement of Applicability
8 Risk treatment plan and process
9 Risk assessment and Risk treatment results
10 Evidence of monitoring and measurement results
11 Evidence of implementation of audit program
12 Evidence of results of management reviews
13 Previous audit and internal audit reports
14 Evidence of results of any corrective action
Criticality Assessment Tool
Questions asked:
Does the system relate to any of the following operations:
Business critical operations
Support functions
What is the amount of investment made in the system?
How many PCs/desktops are used in the system?
Is the system on the network?
How dependent is the organization on the system?
Does the system link to third parties?
Does the system have dedicated IT staff?
How many end users does the system have?
For how long has the system been in operation?
Does the system have a documented and approved DRP?
What is the volume of data used by the system?
Collection of specific information on IS
Information to be collected includes:
Name of the system and broad functional areas covered by the system
Department head of the organization
Location of the system installation
Category of the system architecture
Whether the system affects financial or accounting aspects of the organization
Software used by the system
Is the system mission critical?
Is the system in-house or has it been outsourced? (If outsourced, collect information on that company.)
Collection of specific information on IS (continued)
Total persons involved in the system
Does the system documentation provide an audit trail of all transactions?
Are system manuals available?
Details of hardware items employed by the system
What is the projected cost of the system?
When was the system made operational?
Total investment made in the system, broken down by category of items used
Risk assessment
The risk assessment is classified into 4 categories:
Management & Organization
HR Policy
Security
Physical & Logical access
Risk assessment – Management & Organization
Questions asked:
Is there a strategic IT plan prepared by the organization based on business needs?
Does the IS department have clear-cut and well-defined goals?
Does management provide appropriate direction on the security objectives of the system?
If the system uses third-party data, does the organization have procedures in place to address the associated risks?
Are there procedures to update the strategic IT plan?
Risk Assessment – HR policy
Questions asked:
Are there criteria for recruiting and selecting personnel?
Is a training needs analysis done at regular intervals?
Is the organization's security clearance process adequate?
Are responsibilities and duties clearly defined?
Is backup staff available in case of absenteeism?
Risk assessment – Security
Questions asked:
Is there a data classification schema in place?
Is there a user security profile system in place to determine access on a 'need to know' basis?
Is there a password policy?
Have preventive and detective control measures been established by management?
Is there a centralized security organization responsible for ensuring only appropriate access to system resources?
Risk assessment – Physical & Logical Access
Questions asked:
Is facility access limited to the least number of people?
Is there a periodic and ongoing review of access profiles, including managerial review?
Is physical security addressed in the continuity plan?
Are health, safety and environmental regulations being complied with?
Is there a system for reviewing fire, weather, electrical warning and alarm procedures and the expected response scenarios for various levels of environmental hazards?
General Controls
Purpose: to check whether proper controls have been implemented. These controls need to be viewed in relation to their impact on the efficiency, security or effectiveness of the system.
Questions asked:
Are there procedures for monitoring the implementation of the strategic plan?
Are current IT activities consistent with the plan?
Is documentation complete and up to date?
Do security procedures cover the designation and duties of the security officer?
Are security breaches immediately reported for appropriate action?
Are the objectives, scope and requirements of acquisitions clearly defined and documented?
Input Controls
Questions asked:
Are the methods of data entry and conversion well documented?
Are all documents accounted for, and if so, what method is used?
Is there a system of documents being signed or marked to prevent reuse of data?
Is there a system for escalating reports to higher levels if conditions deteriorate?
Does the system provide error messages for every type of error that fails validation?
Processing Controls
Questions asked:
Do documented procedures exist explaining the methods for proper processing of each application program?
Is the history log displayed on the console?
Does the program logic have built-in standardized default options?
Are version control procedures in place, ensuring that processing runs on the proper version of the file?
Are the error messages clear and short, communicating the nature of the error so as to give appropriate guidance to the user?
Output Controls
Questions asked:
Is the user department responsible for the correctness of all output?
Examine whether documented methods are in place for the proper handling and distribution of output.
Examine the system of forward linkage used to trace a transaction from its origin to its final output stage.
Are output audit trail logs maintained and periodically reviewed by supervisors to ensure the accuracy of the output generated?
IT security
Sections considered:
Security Policy
Organizational security
Asset classification and control
Personnel security
Physical & Environmental security
Communications & Operations management
Access Control
System development and maintenance
Business continuity management
Compliance
References
http://www.icisa.cag.gov.in/Background%20Material-IT%20Environment/IT-Audit-Manual/Vol-3.pdf