Risk Controls Testing Matrix

Columns of the original matrix: Risk | Control | Test / Question | Results: Expected (best practice) | Results: Actual. Each row below is laid out as Risk, Control, Test / Question and Expected (best practice); the Actual column is empty in this copy.

A. Administrative
A1. Risk: Copyright violation; user access to sensitive information.
Control:
- Adequate measures to account for and maintain user licenses.
- Appropriate approval process for creating and removing users from the system.
Test / Question:
1. What are the procedures for user registration and certification, including servers, groups and users?
2. Determine if requests for access are recorded and approved.
3. Determine if licenses are in place for all users.
4. What is the process for removal of users?
Expected (best practice):
- Enough licenses should be held for current users and planned future users.
- Requests for creating a user ID should be approved by management, and these requests should be recorded.
A2. Risk: Inadequately trained administrators.
Control:
- Administrators are appropriately trained.
- Administrators keep up with the latest Lotus Notes news on patches, fixes and vulnerabilities.
Test / Question:
1. Determine roles and responsibilities of Lotus Notes Group members.
2. What training do Notes administrators get?
Expected (best practice):
- Clearly defined roles and segregation of duties.
- Administrators are trained on a periodic basis and are aware of the latest exposures or vulnerabilities in the Notes environment.
B.1 Risk: Non-availability of Company systems for an extended period in the event of a contingency.
Control:
- Adequate backup routines.
- Data stored at an off-site facility.
- Tests and procedures to recover data on a timely basis.
Test / Question:
1. Review the backup and recovery procedures.
2. Ensure the NAB is adequately backed up (ensure any shared mail is also backed up).
3. Review the system contingency / disaster recovery plans.
4. Determine that documentation describing system recovery in the event of data loss or disaster is sufficient.
5. Determine if the disaster recovery plan has been tested.
6. Review retention of backups.
7. Determine use of remote site storage facilities.
Expected (best practice):
- Data from Notes servers is backed up, and the backups are taken off-site on a regular basis.
- Up-to-date contingency plans, distributed to all personnel concerned.
- Periodic testing of the plans to identify any weaknesses, and plans to correct the weaknesses found.
C.1 Risk: Unauthorized access to sensitive information.
Control:
- Appropriate procedures should be followed to provide only authorized access to databases.
Test / Question:
1. Determine if access to MAIL.BOX is properly restricted.
2. How is the ACL managed? If individuals are used instead of groups, ask for justification.
3. Obtain justification for privileged access.
4. Check the NAB for attached files.
5. Determine if the administrator USER.ID file is properly secured.
6. Who can modify the domain address book?
7. Have sensitive databases been identified? Is the ACL for these databases periodically reviewed for modifications?
8. What is the process for adding users to ACLs?
9. What is the process for installing databases on the servers? (Change control process)
10. Are third-party utilities like ACL Analyzer used?
11. Are access denial logs reviewed for servers or databases?
Expected (best practice):
- Only Notes administrators should have access to the MAIL.BOX database.
- Look for use of groups rather than individuals.
- By default, user.id files are attached in the NAB. Since this information should only be given to the specific user, user.id files should not be attached to the NAB.
- User.id files should be secured where only Notes administrators have access.
- Regular users should only be able to make changes to their own records.
- Sensitive databases (including mail boxes) should be identified, and access should be reviewed periodically.
- Database designs should be reviewed and approved before they are installed on the server.
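The ACL checks in C.1 (groups rather than individuals, justification for privileged access) and the former-employee check in D.1 can be scripted against an exported ACL. The following is an added example written for this matrix, not a tool from the original document or from Lotus Notes; the ACL entries, the HR list of former employees and the Deny Access list are constructed sample data, and the rule that a name containing "/" (or starting with "CN=") is an individual hierarchical Notes name while a flat name is a group is an assumption about naming conventions that an auditor should confirm for the environment under review.

```python
"""ACL review helper for the C.1 and D.1 tests (added example, not part of
the audit matrix). All input data below is constructed; a real review would
start from an ACL export taken with the Domino Administrator client or an
ACL-analysis utility."""
from dataclasses import dataclass


def is_individual(name: str) -> bool:
    # Assumption: hierarchical Notes user names carry a slash-separated
    # hierarchy ("Jane Doe/Acme" or "CN=Jane Doe/O=Acme"); group names are flat.
    return "/" in name or name.startswith("CN=")


@dataclass(frozen=True)
class AclEntry:
    name: str
    level: str               # Manager, Designer, Editor, Author, Reader, Depositor, No Access
    justification: str = ""  # reference to the recorded approval, "" if none on file


# Access levels the matrix treats as privileged and therefore needing justification
PRIVILEGED = {"Manager", "Designer"}

# Constructed sample ACL export for a sensitive database
SAMPLE_ACL = [
    AclEntry("NotesAdmins", "Manager", "CR-1042"),
    AclEntry("Jane Doe/Acme", "Manager"),             # individual, privileged, no justification
    AclEntry("Finance Users", "Editor"),
    AclEntry("Bob Smith/Acme", "Reader"),             # individual used instead of a group
    AclEntry("Carol Lee/Acme", "Editor", "CR-0991"),  # former employee (see HR list below)
    AclEntry("-Default-", "No Access"),
]

# Constructed lists: HR's former-employee list and the server's Deny Access entries
FORMER_EMPLOYEES = {"Carol Lee/Acme", "Dan Wu/Acme"}
DENY_ACCESS_LIST = {"Carol Lee/Acme"}


def review_acl(entries, former_employees, deny_access_list):
    """Return one finding string per exception against the C.1 / D.1 expectations."""
    findings = []
    for e in entries:
        if e.name in ("-Default-", "Anonymous"):
            continue  # special ACL entries are neither people nor groups
        if is_individual(e.name):
            findings.append(f"{e.name}: individual entry at {e.level}; expect a group")
        if e.level in PRIVILEGED and not e.justification:
            findings.append(f"{e.name}: {e.level} access without recorded justification")
        if e.name in former_employees and e.level != "No Access":
            findings.append(f"{e.name}: former employee still holds {e.level}")
    # D.1 test 2: every former employee should appear in the server Deny Access list
    for person in sorted(former_employees - deny_access_list):
        findings.append(f"{person}: former employee missing from server Deny Access list")
    return findings


if __name__ == "__main__":
    for line in review_acl(SAMPLE_ACL, FORMER_EMPLOYEES, DENY_ACCESS_LIST):
        print(line)
```

Each finding maps back to a matrix question: individual entries and missing justifications are the exceptions for C.1 tests 2 and 3, and former employees with residual access or absent from the Deny Access list are the exceptions for D.1 test 2. The script reports; the reviewer still obtains the written justification or removal evidence.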
C.2 Risk: Unauthorized physical access to servers and other related computer equipment; damage caused by environmental factors.
Control:
- Physical access controlled by placing access restrictions.
Test / Question:
1. Determine if adequate fire, smoke and water detection devices are used, with the necessary means of extinguishing fires and removing smoke and water.
2. Determine that devices are tested and certified regularly.
3. Determine if servers are properly secured. Evaluate the use of physical security over the environment, i.e. use of locks, badge readers, special enclosures, alarms or other forms of access control.
Expected (best practice):
- Fire, smoke and water detection devices are in place.
- Adequate fire extinguishing equipment.
- Adequate physical security for all servers and other equipment.
D.1 Risk: Unauthorized access to Notes server.
Control:
- Server administration so as to restrict access to authorized personnel.
Test / Question:
1. Are restricted or unrestricted agents allowed on the server?
2. Is access to the servers denied to all former employees?
3. Is internet access to the server secure?
4. Is the server machine logically secure (OS)?
5. How is wireless access to Notes servers set up?
6. Are Sametime and QuickPlace applications being used?
7. Is there any direct dial-in access to any of the Notes servers? Is this through the AT&T global dialer?
Expected (best practice):
- Unrestricted agents should not be allowed to run.
- Former employees should not have access; their names should be included in the access deny list.
- The Notes part of the server machine should not be accessible to regular users.
E.1 Risk: Unauthorized access to sensitive information.
Control:
- Adequate user creation and deletion procedures.
- Access to server and certifier IDs on a need basis.
- Password management.
Test / Question:
1. How are IDs stored after creation (for when people forget their passwords), and how are they stored after they have been distributed to the user?
2. Evaluate the adequacy of procedures for reclaiming IDs. Ensure only active employees are listed in the address book and former employees are denied access.
3. Who has access to server.id and certifier IDs? [Do server IDs have passwords on them?]
4. Are security violations investigated? Are violations investigated in a timely manner?
5. Are minimum length requirements set and enforced (what is the standard minimum length)?
Expected (best practice):
- User.id files should be stored at a secure location where only Notes administrators have access. They should be distributed securely when users forget passwords.
- Appropriate procedures should be in place to reclaim IDs from employees who leave the company.
- Access to the Notes directory should be secured. Server.id files and user.id files should be secured as well.
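Test 11 of C.1 (are access denial logs reviewed?) and test 4 of E.1 (are violations investigated in a timely manner?) both come down to reading the denial records and comparing them with the investigation record. The script below is an added example for this matrix, not a tool from the original document or from Lotus Notes. The log line format, the sample lines, the list of sensitive databases, the investigation dates and the five-day investigation target are all constructed for the example; real Domino log entries have their own layout and would need a matching pattern.

```python
"""Access-denial log review for C.1 test 11 and E.1 test 4 (added example,
not part of the audit matrix). The log line format and all sample data are
constructed; adapt LOG_RE to the real server log before use."""
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed format: "<timestamp> <server>: Access denied to <database> for <user>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<server>[^\s:]+): Access denied to (?P<db>\S+) for (?P<user>.+)$"
)

# Constructed sample log extract (one malformed line included on purpose)
SAMPLE_LOG = """\
2024-03-04 09:12:31 MAIL01/Acme: Access denied to hrdata.nsf for Bob Smith/Acme
2024-03-04 09:12:40 MAIL01/Acme: Access denied to hrdata.nsf for Bob Smith/Acme
2024-03-04 09:13:05 MAIL01/Acme: Access denied to hrdata.nsf for Bob Smith/Acme
2024-03-04 11:02:17 MAIL01/Acme: Access denied to names.nsf for Carol Lee/Acme
2024-03-05 08:00:02 MAIL01/Acme: Access denied to mail.box for Dan Wu/Acme
this line is not an access-denial record and is skipped
"""

# Constructed: databases the C.1 review identified as sensitive (NAB, router mailbox, HR data)
SENSITIVE_DBS = {"names.nsf", "mail.box", "hrdata.nsf"}

# Constructed: dates on which the security team recorded an investigation per user
INVESTIGATIONS = {"Bob Smith/Acme": date(2024, 3, 5), "Carol Lee/Acme": date(2024, 3, 20)}


def parse_denials(text):
    """Parse matching lines into dicts; non-matching lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            "server": m["server"], "db": m["db"], "user": m["user"]})
    return records


def summarize(records, repeat_threshold=3):
    """Findings for the C.1 log review: repeated denials and denials on sensitive databases."""
    per_user = defaultdict(list)
    for r in records:
        per_user[r["user"]].append(r)
    findings = []
    for user, recs in per_user.items():
        if len(recs) >= repeat_threshold:
            findings.append(f"{user}: {len(recs)} denials; review for misconfiguration or probing")
        for r in recs:
            if r["db"] in SENSITIVE_DBS:
                findings.append(f"{user}: denied on sensitive database {r['db']} at {r['ts']:%Y-%m-%d %H:%M}")
    return findings


def investigation_lag(records, investigations, sla_days=5):
    """E.1 test 4: days from a user's first denial to the recorded investigation.
    Returns {user: days} for late investigations and {user: None} where none is
    recorded. The five-day target is an assumption for the example."""
    first_seen = {}
    for r in records:
        u = r["user"]
        if u not in first_seen or r["ts"] < first_seen[u]:
            first_seen[u] = r["ts"]
    late = {}
    for user, first in first_seen.items():
        done = investigations.get(user)
        if done is None:
            late[user] = None
        elif (done - first.date()).days > sla_days:
            late[user] = (done - first.date()).days
    return late


if __name__ == "__main__":
    recs = parse_denials(SAMPLE_LOG)
    for line in summarize(recs):
        print(line)
    for user, lag in investigation_lag(recs, INVESTIGATIONS).items():
        print(f"{user}: {'no investigation recorded' if lag is None else f'investigated after {lag} days'}")
```

The output of summarize is the evidence that the log review actually happens; the output of investigation_lag is the evidence for timeliness, with a missing entry being the more serious exception than a late one.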
F.1 Risk: Viruses and Trojans could inflict loss of data.
Control:
- Procedures to check for viruses on mail servers.
- SMTP mail servers configured so that they are not accessible as open relays.
Test / Question:
1. Determine to what degree executable programs are allowed to be uploaded.
2. Determine if anti-virus software is installed on all platforms.
3. Are stored forms used?
4. Is incoming mail automatically encrypted at the server?
5. Can SMTP servers on the DMZ be used as mail relay servers to send spam?
Expected (best practice):
- Anti-virus software should be installed on all mail servers.
- E-mail delivered to users should be checked for viruses.
- Stored forms should not be used, or Execution Control Lists should be utilized.
- SMTP should not be accessible as an open relay.