risk controls testing matrix a. administrative

Risk Controls Testing Matrix

A. Administrative

Risk Control Test /Question ResultsExpected (Best

practice)Actual

A1. Copyright

violation

User access to

sensitive information

Adequate measures to

account for and maintain

user licenses

Appropriate approval

process for creating and

removing users from the

system

1. What are the procedures for user registration and

certification, including servers, groups and users;

2. Determine if requests for access are recorded and

approved.

3. Determine if licenses are in place for all users.

4. What is the process for removal of users?

Should have enough licenses for

current users and future planned

users.

Requests for creating a user-id

should be approved by

management. These requests

should be recorded.

A2. Inadequately

trained

administrators

Appropriately trained.

Being aware of the latest

news about Lotus Notes

about patch fixes or

vulnerabilities.

1. Determine roles and responsibilities of Lotus Notes

Group members.

2. What training does Notes administrators get?

Clearly defined roles,

segregation of duty.

Administrators are being trained

on a periodic basis and they are

aware of the latest exposures or

vulnerabilities related to Notes

environment.


practice)Actual


A. Administrative

B.1 Non-availability

of Company systems

for an extended

period in event of

contingency.

Adequate backup

routines

Data stored at off site

facility

Tests and procedures to

recover data on a timely

basis.

1. Review the backup and recovery procedures.

2. Ensure NAB is adequately backed up (ensure any

shared mail is also backed up).

3.Review the system contingency / disaster recovery

plans.

4. Determine that documentation describing system

recovery in the event of data loss or disaster is sufficient.

5. Determine if disaster recovery plan has been

tested.

6. Review retention of backups.

7. Determine use of remote site storage facilities.

Back-up of data from Notes

servers. This data taken off-site

on a regular basis.

Up to-date contingency plans.

Plans been distributed to all

personnel concerned.

Periodic testing of plans to

identify any weakness. Plans to

correct on the weakness.


practice)Actual


A. Administrative

C.1 Unauthorized

access to sensitive

information

Appropriate procedures

should be followed to

provide only authorized

access to databases

1. Determine if access to MAIL.BOX is properly

restricted.

2. How is ACL managed? If individuals are used

instead of groups, ask for justification.

3. Obtain justification for privileged access

4. Check NAB for attached files.

5. Determine if administrator USER.ID file is properly

secured.

6. Who can modify domain address book?

7. Have sensitive databases been identified? Is the

ACL for these databases periodically reviewed for

modifications?

8. What is the process for adding users to ACLs?

Only Notes administrators

should have access to

MAIL.BOX database?

Look for use of Groups rather

than individuals

By default user.id files are

attached in the NAB. As this

information should only be given

to the specific user. User.id files

should not be attached to NAB.

User.id should be secured

where only Notes administrators

have access.

Regular users should only be

able to make changes to their

records.

Sensitive databases (including

mail boxes) should be identified

and access should be reviewed

periodically.


practice)Actual


A. Administrative

Unauthorized access

to sensitive

information

Appropriate procedures

should be followed to

provide only authorized

access to databases.

9. What is the process for installing databases on the

servers? (Change control process)

10. Are third party utilities like ACL Analyzer used?

11. Are access denial logs reviewed for servers or

databases?

Databases designs should be

reviewed and approved before

they are installed on the server.

C.2 Unauthorized

physical access to

servers and other

related computer

equipment

Damage caused by

environmental

factors

Physical access

controlled by placing

access restrictions.

1. Determine if adequate fire, smoke and water

detection devices are used with the necessary means

of extinguishing fires and removing smoke and water.

2. Determine that devices are tested and certified

regularly.

3. Determine if servers are properly secured. Evaluate

the use of physical security over the environment,

i.e. use of locks, badge readers, special enclosures,

alarms or other forms of access control.

Fire, smoke and water detection

devices are put in place.

Adequate fire extinguishing

equipment.

Adequate physical security for

all servers and other equipment.


practice)Actual


A. Administrative

D.1 Unauthorized

access to notes

server

Server administration so

as to restrict access to

authorized personnel.

1. Are restricted or unrestricted agents allowed on the

server?

2. Is access to the servers denied to all former

employees?

3. Is internet access to the server secure?

4. Is the server machine logically secure (OS)?

5. How is the wireless access to Notes servers’ setup?

6. Are Sametime and Quickplace applications being

used?

7. Is there any direct dial-in access to any of the notes

servers? Is this through AT & T global dialer?

Unrestricted agents should not

be allowed to run.

Former employees should not

have access. The names

should be included in the access

deny list.

Notes part of the server machine

should not be accessible for

regular users.


practice)Actual


A. Administrative

E.1 Unauthorized

access to sensitive

information

Adequate user creation

and deletion procedures.

Access to server and

certifier ids on a need

basis.

Password management

1. How is the ID's stored after creation (for when

people forget their passwords) and how are they

stored after they have been distributed to the user?

2. Evaluate the adequacy of procedures for reclaiming

ID's. Ensure only active employees are listed in the

address book and former employees are denied

access.

3. Who has access to server.id and certifier ids?

[Does server ids have passwords on them]

4. Are security violations investigated? Are violations

investigated in a timely manner?

5. Are minimum length requirements set and enforced

(what is the standard minimum length)?

User.ids should be stored at a

secure location where only

Notes administrators have

access. They should be

distributed securely when users

forget passwords.

Appropriate procedures should

be in place to reclaim ids from

employees leave the company.

Access to the notes directory

should be secured. Server.id

files and user.id files should be

secured as well.


practice)Actual


A. Administrative

F.1 Virus and

Trojans could inflict

loss of data

Procedures to check for

viruses on mail servers

SMTP mail servers

configured so that they

are not accessible as

open relays

1. Determine to what degree executable programs are

allowed to be uploaded.

2. Determine if ant virus software is installed on all

platforms.

3. Are stored forms used?

4. Was incoming mail automatically encrypted at the

server?

5. Can SMTP servers on the DMZ be used as mail

relay servers to send SPAM

Anti-virus software should be

installed on all mail servers.

E-mail delivered to users should

be checked for viruses.

Stored forms should not be used

or Execution Control Lists

should be utilized.

SMTP should not be accessible

as open relays.

risk controls testing matrix a. administrative

Documents