Internal Controls
Internal Controls describe the activities our organisation performs to address Risks and Compliance Requirements. For each control we document what it does, how we test it, and which Policies, Standards and Procedures govern it.

Current Internal Controls: 60 (0%) | New Internal Controls: 0 (0%) | Updated Internal Controls: 0 (0%)

Each control below is recorded with the same fields: Title, Objective, Audit Methodology, Audit Success Criteria, Maintenance Task and Policies.
Active Directory User Reviews
Objective: Ensure that employees who have left the organisation have no valid account in AD and that their last login precedes their last day in the office.
Audit Methodology:
Input:
- HR provides the list of employees that left the company since the beginning of the year and their last day in the company as columns A and B. The name of the employee must be their login name (john.foo).
- The AD team provides the list of disabled accounts (column A), the date they were disabled (column B) and their last successful login (column C).
Analysis:
- For each row in the list of employees, verify that the account has been disabled and that no logins occurred after their last day of work.
Output:
- A merge of both spreadsheets showing that all accounts are disabled and that no logins occurred after the last day of work.
Audit Success Criteria: All leaver accounts were disabled no later than the employee's last day and show no logins after it.
Maintenance Task: NA
Policies: Account Management Procedures

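The merge step above is a join of two exports on the login name, so it is worth scripting rather than doing by hand in a spreadsheet. The following is an added example written for this page; it is not code from the control or the organisation. The column names and both CSVs are constructed assumptions standing in for the HR and AD team exports, and it flags the three ways a leaver can fail the control: no disabled account found, disabled after the last day, or a successful logon after the last day. A logon on the last day itself is expected and is not flagged.

```python
"""Leaver-account reconciliation for the Active Directory User Reviews control.

Added example, not code from the control page or the organisation.  Joins the
HR leaver list (login, last day) with the AD export of disabled accounts
(login, date disabled, last successful logon) and flags every leaver whose
account was not disabled by the last day or that shows a logon after it.
Column names and sample rows are constructed assumptions.
"""
import csv
import io
from datetime import date

# Constructed sample of the HR spreadsheet (column A login, column B last day).
HR_LEAVERS_CSV = """login,last_day
john.foo,2024-03-15
Jane.Bar,2024-04-02
sam.baz,2024-05-10
ann.qux,2024-05-20
"""

# Constructed sample of the AD export (login, disabled date, last successful logon).
AD_DISABLED_CSV = """login,disabled_on,last_logon
john.foo,2024-03-15,2024-03-14
jane.bar,2024-04-09,2024-04-05
sam.baz,2024-05-10,2024-05-10
"""


def load_rows(csv_text):
    """Parse a CSV export into dicts; logins are normalised to lower case for the join."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["login"] = row["login"].strip().lower()
    return rows


def parse_date(text):
    return date.fromisoformat(text.strip()) if text and text.strip() else None


def reconcile_leavers(hr_rows, ad_rows):
    """Return one finding per leaver: the merged row plus a list of issues.

    An empty issue list means the account passes the control.  A logon on the
    last day itself is expected; only logons strictly after it are flagged.
    """
    ad_by_login = {row["login"]: row for row in ad_rows}
    findings = []
    for row in hr_rows:
        login, last_day = row["login"], parse_date(row["last_day"])
        ad = ad_by_login.get(login)
        issues = []
        disabled_on = last_logon = None
        if ad is None:
            issues.append("no disabled AD account found: still enabled or unmatched login")
        else:
            disabled_on = parse_date(ad["disabled_on"])
            last_logon = parse_date(ad["last_logon"])
            if disabled_on is None:
                issues.append("no disable date recorded")
            elif disabled_on > last_day:
                issues.append(f"disabled {(disabled_on - last_day).days} day(s) after last day")
            if last_logon is not None and last_logon > last_day:
                issues.append("successful logon after last day")
        findings.append({"login": login, "last_day": last_day, "disabled_on": disabled_on,
                         "last_logon": last_logon, "issues": issues})
    return findings


def report_csv(findings):
    """Render the merged spreadsheet the control asks for, one row per leaver."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["login", "last_day", "disabled_on", "last_logon", "ok", "issues"])
    for f in findings:
        writer.writerow([f["login"], f["last_day"], f["disabled_on"] or "", f["last_logon"] or "",
                         "yes" if not f["issues"] else "no", "; ".join(f["issues"])])
    return out.getvalue()


if __name__ == "__main__":
    print(report_csv(reconcile_leavers(load_rows(HR_LEAVERS_CSV), load_rows(AD_DISABLED_CSV))))
```

Keeping the HR list as the driving side of the join matters: a leaver missing from the AD export is exactly the case the control exists to catch, so an inner join that silently drops unmatched logins would hide it.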
AD Group Reviews
Objective: Ensure AD groups have been managed according to our policies.
Audit Methodology:
Input:
- List of critical AD groups; group name in column A.
- Members of each group; column A group name, column B group member login name.
- Tickets from the AD management queue.
- Logs from the central collector with all AD changes.
Analysis:
- Review that every AD change has a ticket assigned; if it does not, check mark the item.
- Review all tickets and ensure they followed the standard procedure; if not, check mark the item.
Output:
- Spreadsheet with the analysis.
Audit Success Criteria: All AD changes have a ticket and all tickets have followed our standard procedures.
Maintenance Task: NA
Policies: Account Management Procedures; Hardening Standards; Logging & Monitoring Standards; Change Management Procedure

Anti-Malware Software Reviews
Objective: Ensure antivirus/anti-malware software is deployed and kept up to date on critical systems.
Audit Methodology:
Evidence:
- Inventory of systems and assets.
- Screenshot from the master AV console showing the software version and the latest signature update.
- List of all new employees since the last audit.
Analysis:
- Randomly check assets from the inventory to confirm AV is deployed and updated to the latest signature.
- Ensure the master AV system has the latest signature installed.
- Randomly select new employees and interview them to confirm their systems have AV, that it is updated and that it cannot be disabled.
Output:
- All provided evidence.
- Spreadsheet with the list of employees and assets reviewed and a check mark if the test passed.
Audit Success Criteria: All systems reviewed have AV installed and up to date, and the user cannot disable it (on systems where the user is not an administrator).
Maintenance Task: NA
Policies: Hardening Standards

Application Hardening Standards
Objective: Verify that applications and systems have been hardened as per our standards.
Audit Methodology:
Evidence:
- System inventory.
Analysis:
- For a selection of systems that were not tested in the last audit, ensure all hardening standards are enforced.
Output:
- Spreadsheet with the analysis of systems vs. hardening checks.
- Screenshots for each system proving that hardening is enforced.
Audit Success Criteria: All tested systems and applications meet all our hardening standards where technically feasible.
Maintenance Task: NA
Policies: Hardening Standards

Background Check Reviews
Objective: Ensure that employees and contractors have gone through the mandatory background checks.
Audit Methodology:
Evidence:
- List of employees and contractors that joined the company since the last audit.
- Copies of their background check records, requested as per the HR Security Policy.
Analysis:
- Review that employees and contractors have their background check records available in their HR file.
Output:
- All provided evidence.
- Spreadsheet with the list of employees and an additional column with a check (whether the background check was provided as expected or not).
Audit Success Criteria: All employees and contractors reviewed must have their mandatory background checks performed.
Maintenance Task: NA
Policies: HR Security Policy

Backups
Objective: Ensure critical systems (ERP and CRM) have backups and that restores have been tested as per policies and standards.
Audit Methodology:
Input:
- List of planned restore tests; column A system, column B planned restore test.
- Backup configuration from Networker for each system in scope.
- List of tickets in the Backup queue.
Analysis:
- Ensure systems in scope have appropriate backups configured.
- Ensure that restores were completed as scheduled and that the tickets show the process was properly followed.
Output:
- Spreadsheet with the analysis.
Audit Success Criteria: All systems in scope have backup configurations and test restores have been executed as planned.
Maintenance Task: NA
Policies: Backup Policies; Change Management Procedure

Badge Reviews
Objective: Ensure all active badges belong to current employees and contractors.
Audit Methodology:
Input:
- List of employees that left the company since the last audit.
- List of all badges assigned to each employee.
Analysis:
- Review whether the badge assigned to a former employee is disabled or is enabled (possibly reassigned to a different employee).
Output:
- Spreadsheet with the analysis; column A the employee and column B a check mark if the former employee has no valid badge assigned.
Audit Success Criteria: There are no active badges assigned to ex-employees.
Maintenance Task: NA
Policies: Physical Security Standards

Cardholder Data DMZ
Objective: Ensure systems that manage or store cardholder data are protected by a DMZ.
Audit Methodology:
Evidence:
- Cardholder diagram.
- Configurations of the firewalls involved.
Analysis:
- Ensure cardholder systems sit behind a DMZ.
- Ensure traffic in and out is limited to the needed hosts/networks.
Output:
- Firewall configurations highlighting any rule outside what is strictly needed.
Audit Success Criteria: All cardholder systems must be behind a DMZ network and firewall, and all traffic in and out must be denied except what is needed.
Maintenance Task: NA
Policies: Network Diagram

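"Highlighting any rule outside what is strictly needed" is a comparison between the permit rules that touch the cardholder segment and the list of flows the application actually requires. The block below is an added example for this page, not the organisation's own tooling: the cardholder segment, the needed flows, the rule format and the sample ruleset are all constructed assumptions. A rule is accepted only if every packet it permits falls inside a single needed flow (same protocol, source and destination subnets contained, ports a subset); wildcard sources or destinations are always highlighted. The check is deliberately conservative: a rule that is only covered by the union of several needed flows is still highlighted for manual review.

```python
"""Cardholder-DMZ firewall rule review (Cardholder Data DMZ control).

Added example, not the control page's own code.  Every permit rule touching the
cardholder segment is compared with the needed flows; anything wider is listed.
Segment, needed flows, rule format and sample rules are constructed assumptions.
"""
from ipaddress import ip_network

# Constructed assumption: the cardholder data environment (CDE) segment.
CDE = ip_network("10.50.0.0/24")

# Constructed assumption: flows the cardholder application needs.
# (source network, destination network, protocol, ports)
NEEDED = [
    (ip_network("10.40.0.0/24"), ip_network("10.50.0.10/32"), "tcp", {443}),    # web tier -> CDE app
    (ip_network("10.50.0.10/32"), ip_network("10.50.0.20/32"), "tcp", {5432}),  # CDE app -> CDE db
    (ip_network("10.50.0.0/24"), ip_network("10.60.0.5/32"), "udp", {514}),     # CDE -> log collector
]

# Constructed sample ruleset: (name, action, src, dst, proto, ports), "any" as wildcard.
RULES = [
    ("web-to-app",  "permit", "10.40.0.0/24",  "10.50.0.10/32", "tcp", "443"),
    ("app-to-db",   "permit", "10.50.0.10/32", "10.50.0.20/32", "tcp", "5432,5433"),
    ("cde-syslog",  "permit", "10.50.0.0/24",  "10.60.0.5/32",  "udp", "514"),
    ("admin-any",   "permit", "any",           "10.50.0.0/24",  "tcp", "22"),
    ("corp-to-cde", "permit", "10.0.0.0/8",    "10.50.0.10/32", "tcp", "443"),
    ("deny-rest",   "deny",   "any",           "any",           "any", "any"),
]


def parse_net(text):
    return ip_network("0.0.0.0/0") if text == "any" else ip_network(text)


def parse_ports(text):
    """'443', '5432,5433', '1000-1010' or 'any' -> set of ports (None means all ports)."""
    if text == "any":
        return None
    ports = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def touches_cde(rule):
    _, _, src, dst, _, _ = rule
    return parse_net(src).overlaps(CDE) or parse_net(dst).overlaps(CDE)


def covered_by(rule, needed):
    """True if every packet the rule permits lies within one needed flow."""
    _, _, src, dst, proto, ports = rule
    src_n, dst_n, port_set = parse_net(src), parse_net(dst), parse_ports(ports)
    for n_src, n_dst, n_proto, n_ports in needed:
        if proto != n_proto or port_set is None:
            continue
        if src_n.subnet_of(n_src) and dst_n.subnet_of(n_dst) and port_set <= n_ports:
            return True
    return False


def review_rules(rules, needed=NEEDED):
    """Return (rule name, reason) for each permit rule touching the CDE that exceeds the needed flows."""
    findings = []
    for rule in rules:
        name, action, src, dst, proto, ports = rule
        if action != "permit" or not touches_cde(rule):
            continue
        if src == "any" or dst == "any":
            findings.append((name, "wildcard source or destination"))
        elif not covered_by(rule, needed):
            findings.append((name, f"permits {proto} {ports} {src} -> {dst} beyond the needed flows"))
    return findings


if __name__ == "__main__":
    for name, reason in review_rules(RULES):
        print(f"{name}: {reason}")
```

Deny rules are skipped on purpose: the control is about what is permitted into and out of the segment, and the final deny is what makes the permit list meaningful.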
CCTV
Objective: Monitor access to and specific areas of the offices in order to prevent incidents or document evidence.
Audit Methodology:
Input:
- CCTV recordings from the entrance door of every branch office.
Analysis:
- Validate that recordings exist for up to 90 days back.
Output:
- Spreadsheet with the camera name (column A), the office (column B) and a check mark if recordings for at least 90 days were found.
Audit Success Criteria: CCTV has at least 90 days of recordings.
Maintenance Task: NA
Policies: Physical Security Standards

Change Mgt Reviews
Objective: Review that changes on Linux systems have a corresponding ticket.
Audit Methodology:
Input:
- List of systems in scope; column A the hostname of the system.
- Logs for all systems from the central log collector.
- List of tickets for the Linux queue; column A ticket number, column B date.
Analysis:
- For each log entry ensure there is a ticket; if there is no ticket, check mark the log line.
- For each log entry with a ticket, review the ticket and ensure it follows our change procedures.
Output:
- Two spreadsheets: one with the logs and the other with the tickets.
Audit Success Criteria: All system changes have a ticket and all tickets have followed our procedures.
Maintenance Task: NA
Policies: Change Management Procedure; System inventory; Hardening Standards; Logging & Monitoring Standards

CMDB Reviews
Objective: The organisation keeps track of individually assigned assets in a CMDB (a spreadsheet), which the Service Desk updates as they distribute and manage the assignment of assets. This control reviews that the assignments have been recorded correctly.
Audit Methodology:
Evidence:
- List of CMDB changes since the last audit.
- List of Service Desk tickets related to CMDB changes.
Analysis:
- Validate that each CMDB change has a valid Service Desk ticket number.
- Validate that each Service Desk ticket followed the process, in particular approvals and incident reports.
- Visit the stock room and validate that items shown in the CMDB as pending assignment are physically present.
Output:
- Spreadsheet with the analysis.
- Screenshots of the Service Desk tickets analysed.
Audit Success Criteria: The CMDB is updated and accurate, and Service Desk tickets have followed the documented process in detail.
Maintenance Task: NA
Policies: System inventory; End Point CMDB Management Procedure

Code Reviews
Objective: Review the code that implements key functionalities to ensure SDLC standards are met.
Audit Methodology:
Input:
- List of applications in the scope of the program and their key functionalities as per our SDLC procedure.
- References to the software deployment tickets.
Analysis:
- Ensure that all key functionalities have been tested by at least two different people before being deployed.
Output:
- Spreadsheet with the list of tickets and a check mark if they have been properly reviewed.
Audit Success Criteria: All key features have been reviewed and tested by at least two people before being deployed.
Maintenance Task: NA
Policies: SDLC Procedures

Corporate Application Inventory
Objective: Through quarterly interviews with all teams in the organisation we aim to keep an up-to-date database of the applications that serve the business and the key teams responsible for their maintenance.
Audit Methodology:
Evidence:
- All interview records since the last audit.
- Inventory database.
Analysis:
- Compare the updates in the inventory database against the interview conclusions.
Output:
- Inventory records.
- Spreadsheet with the changes to the inventory database.
Audit Success Criteria:
- All areas of the organisation have been interviewed.
- All changes reported have been reflected in the inventory.
Policies: System inventory

Corporate DataFlow Inventory
Objective: Through regular interviews, understand what key data each team handles and how it flows (with particular focus on systems and people) through the corporation and third parties.
Audit Methodology:
Evidence:
- Records of interviews with all areas of the organisation, documenting the data, systems, third parties and teams involved.
- GDPR data flow and inventory document.
Analysis:
- Compare the conclusions of those meetings with the inventory document and validate that they are reflected in it.
Output:
- Copy of the interviews.
- Spreadsheet with the analysis.
Audit Success Criteria:
- Meetings have taken place with all areas.
- Conclusions are documented and reflected in the inventory document.
Policies: Data Flow Analysis and Inventory

CRM Application - Account Reviews
Objective: Ensure that each user account in CRM belongs to the correct area and that each role has been granted under a ticket.
Audit Methodology:
Input:
- System logs showing account creations in the CRM system.
- List of all tickets for CRM account management since the last audit.
Analysis:
- For each log entry identify a ticket.
- Review that the ticket has followed our account management process.
Output:
- Spreadsheet with the analysis.
Audit Success Criteria: All account creations have followed our procedures.
Maintenance Task: NA
Policies: Account Management Procedures; Hardening Standards; Logging & Monitoring Standards

Database Administrator Account Reviews
Objective: Ensure the database logins on the following systems: CRM, ERM and Acme Drupal have not received login attempts from any source other than the application they serve.
Audit Methodology:
Input:
- Connection logs for these three systems, obtained from the central log collector.
- The DB account names used by the applications that use these databases.
Analysis:
- For each log line, ensure that no account other than the ones used by the application has successfully logged on to the DB.
Output:
- Spreadsheet validating each database connection, with a check mark where a fault is identified.
Audit Success Criteria: Only the application service accounts have connected to the databases.
Maintenance Task: NA
Policies: Account Management Procedures; Hardening Standards; Logging & Monitoring Standards

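The line-by-line check above is an allowlist filter over the collector export, and the objective asks for two things the success criterion only half states: the account must be the application's service account, and it must connect from the application's own host, since a service account used from an administrator's workstation is exactly the case "from other sources than the application that they serve" describes. The block below is an added example for this page, not the organisation's own code. The key=value log format, the account names, the application host ranges and the sample lines are constructed assumptions; parse_line() is the only part that needs adapting to a real collector export. Failed attempts are skipped because the success criterion is about successful connections; a real review would still pass them to monitoring.

```python
"""Database service-account login review (Database Administrator Account Reviews).

Added example, not code from the control page.  Reads connection-log lines for
the in-scope databases and flags every successful login that did not use the
application's service account, or used it from a host that is not the
application server.  Log format, accounts, hosts and sample lines are
constructed assumptions.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed assumption: allowed service account(s) and application hosts per database.
ALLOWED = {
    "crm":    {"accounts": {"crm_app"},    "sources": [ip_network("10.10.1.0/24")]},
    "erm":    {"accounts": {"erm_svc"},    "sources": [ip_network("10.10.2.10/32")]},
    "drupal": {"accounts": {"drupal_app"}, "sources": [ip_network("10.10.3.0/28")]},
}

# Constructed sample of a central-collector export, one key=value event per line.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z db=crm user=crm_app src=10.10.1.7 result=success
2024-05-01T08:02:14Z db=crm user=dba_alice src=10.20.0.5 result=success
2024-05-01T08:05:30Z db=erm user=erm_svc src=10.10.2.10 result=success
2024-05-01T08:06:00Z db=erm user=erm_svc src=192.168.50.4 result=success
2024-05-01T08:07:45Z db=drupal user=root src=10.10.3.3 result=failure
2024-05-01T08:09:12Z db=drupal user=drupal_app src=10.10.3.3 result=success
2024-05-01T08:10:00Z db=billing user=bill_app src=10.10.4.1 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one event into a dict, or None if the line does not match the expected format."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def review_db_logins(log_text, allowed=ALLOWED):
    """Return (line number, reason, event) for every event that fails the control.

    Unparseable lines and databases missing from the allowlist are reported too:
    either one means the evidence is incomplete, which the auditor must know.
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        event = parse_line(line)
        if event is None:
            findings.append((line_no, "unparseable log line", line))
            continue
        if event["result"] != "success":
            continue  # failed attempts are a monitoring item, not a breach of this control
        policy = allowed.get(event["db"])
        if policy is None:
            findings.append((line_no, "database not in scope/allowlist", event))
            continue
        if event["user"] not in policy["accounts"]:
            findings.append((line_no, f"non-application account {event['user']!r} logged in", event))
            continue
        try:
            src = ip_address(event["src"])
        except ValueError:
            findings.append((line_no, f"unrecognised source address {event['src']}", event))
            continue
        if not any(src in net for net in policy["sources"]):
            findings.append((line_no, f"service account used from unexpected host {event['src']}", event))
    return findings


def summarise(findings):
    """One line per finding, in the form the spreadsheet's check-mark column would carry."""
    return [f"line {line_no}: {reason}" for line_no, reason, _ in findings]


if __name__ == "__main__":
    print("\n".join(summarise(review_db_logins(SAMPLE_LOG))))
```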
Datacenter Security
Objective: Ensure server rooms and datacenters comply with our policies and standards.
Audit Methodology:
Input:
- Datacenter standards document.
Analysis:
- Visit each site and make sure it complies with the standards.
Output:
- Spreadsheet with the analysis: a Yes/No for each standard requirement.
Audit Success Criteria: 100% compliance.
Maintenance Task: NA
Policies: Physical Security Standards

Destruction of Media
Objective: Ensure media that is no longer in use has been destroyed.
Audit Methodology:
Input:
- Inventory of all media due for destruction.
- Records of the media destroyed by the third party.
Analysis:
- For each item in the inventory there must be a corresponding record from the supplier in charge of destroying media; where such a record does not exist, check mark the item.
Output:
- Spreadsheet with the analysis.
Audit Success Criteria: All media tagged as no longer in use was destroyed and records of the destruction exist.
Maintenance Task: NA
Policies: Media Handling Policy

DMZ Firewall Reviews
Objective: Ensure that every rule in the DMZ has followed the change management procedure correctly.
Audit Methodology:
Input:
- Firewall change logs from the central log collector.
- List of network tickets from the ticketing system; column A the ticket number, column B the date.
- Policy change procedure.
Analysis:
- For each firewall change in the logs, identify a ticket.
- Each ticket must have followed our procedures in detail.
Output:
- Spreadsheet with the tickets, including a check mark if they have not followed the procedure.
- Spreadsheet with the firewall logs, including a check mark if they have no ticket directly associated.
Audit Success Criteria: All logged changes have a ticket and all tickets have followed the process correctly.
Maintenance Task: NA
Policies: Hardening Standards; Change Management Procedure; Logging & Monitoring Standards

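The AD Group Reviews, Change Mgt Reviews, CRM Application Account Reviews and DMZ Firewall Reviews controls all run the same analysis over different queues: every change in the collector log must reference a ticket, and every referenced ticket must show that the procedure was followed. The block below is one added example serving all four; it is not the organisation's own code. The log line layout, the ref=CHG-nnnn reference style, the ticket export columns and the sample data are constructed assumptions, and the "procedure" checks it can make from an export (an approver recorded, ticket closed, ticket opened no later than the change) stand in for whatever the real Change Management Procedure requires. It produces the two spreadsheets the controls ask for, plus a third list the controls do not mention but an auditor wants: tickets in the queue that no logged change points to, which may indicate a logging gap.

```python
"""Change-to-ticket reconciliation for the AD Group, CRM Account, Change Management
and DMZ Firewall review controls.

Added example, not the control page's own code.  Every logged change must carry a
ticket reference; every referenced ticket must exist and show the procedure was
followed.  Log format, ticket columns, reference style and samples are constructed
assumptions; adapt parse_change() and check_ticket() to the real exports.
"""
import csv
import io
import re
from datetime import date

# Constructed sample of the central collector export for one queue.
SAMPLE_CHANGES = """\
2024-05-02 fw-dmz-01 added rule web-to-app permit 10.40.0.0/24 -> 10.50.0.10/32 tcp/443 ref=CHG-1041
2024-05-03 dc01 member sam.baz added to group "Domain Admins" ref=CHG-1042
2024-05-03 fw-dmz-01 added rule admin-any permit any -> 10.50.0.0/24 tcp/22
2024-05-06 crm-app created account bob.roe role=sales ref=CHG-1043
2024-05-07 lnx-web-02 package openssl upgraded ref=CHG-9999
"""

# Constructed sample of the ticket-queue export (column A ticket, column B date, plus two
# columns assumed to carry the evidence of procedure).
SAMPLE_TICKETS = """ticket,opened,approver,status
CHG-1041,2024-04-29,alice.ops,closed
CHG-1042,2024-05-03,,closed
CHG-1043,2024-05-06,carol.lead,open
CHG-1044,2024-05-08,dave.mgr,closed
"""

REF_RE = re.compile(r"\bref=(CHG-\d+)\b")


def parse_change(line):
    """Split one collector line into (date, host, description, ticket reference or None)."""
    day_text, host, description = line.split(" ", 2)
    match = REF_RE.search(description)
    return date.fromisoformat(day_text), host, description, (match.group(1) if match else None)


def load_tickets(csv_text):
    return {row["ticket"].strip(): row for row in csv.DictReader(io.StringIO(csv_text))}


def check_ticket(ticket, change_day):
    """Return the procedure problems visible in the export (assumed criteria)."""
    problems = []
    if not ticket["approver"].strip():
        problems.append("no approver")
    if ticket["status"].strip() != "closed":
        problems.append(f"status {ticket['status'].strip()}")
    if date.fromisoformat(ticket["opened"]) > change_day:
        problems.append("ticket opened after the change")
    return problems


def reconcile_changes(changes_text, tickets_text):
    """Build the two spreadsheets the controls ask for, plus tickets no change refers to.

    log: (date, host, description, reason) for changes without a usable ticket;
    tickets: {ticket: reason} for referenced tickets that did not follow the procedure;
    unreferenced: tickets in the queue that no logged change points to.
    """
    tickets = load_tickets(tickets_text)
    result = {"log": [], "tickets": {}, "unreferenced": []}
    referenced = set()
    for line in changes_text.splitlines():
        if not line.strip():
            continue
        day, host, description, ref = parse_change(line)
        if ref is None:
            result["log"].append((day, host, description, "no ticket referenced"))
            continue
        referenced.add(ref)
        ticket = tickets.get(ref)
        if ticket is None:
            result["log"].append((day, host, description, f"{ref} not in ticket queue"))
            continue
        problems = check_ticket(ticket, day)
        if problems:
            result["tickets"][ref] = "; ".join(problems)
    result["unreferenced"] = sorted(set(tickets) - referenced)
    return result


if __name__ == "__main__":
    for key, value in reconcile_changes(SAMPLE_CHANGES, SAMPLE_TICKETS).items():
        print(key, value)
```

The ticket-date check is the one most often missed when this is done by eye: a change that references a ticket opened afterwards was made first and papered over later, which is a procedure failure even though a ticket exists.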
Dual Factor Authentication
Objective: Ensure key systems enforce 2-factor authentication.
Audit Methodology:
Input:
- List of key systems (CRM, ERM, VPN).
- Screenshot showing that 2-factor authentication is enabled on each.
Analysis:
- Review that 2-factor authentication is enabled.
Output:
- Screenshots.
Audit Success Criteria: All key systems use 2-factor authentication.
Maintenance Task: NA
Policies: Hardening Standards

Employee Account Provisioning and Deprovisioning Review
Objective: This control ensures that the provisioning and deprovisioning of accounts has followed our procedures in detail, checked against our Active Directory, which authenticates all user logins to all systems in the company. Additional reviews are performed on key systems.
Audit Methodology:
Evidence:
- List of employees that joined and left the company since the last audit.
- List of active AD user accounts.
Analysis:
- Review that no former employee has an active AD account.
- Review that each new employee's AD account carries the Change Request ticket number in its description, then review that the ticket followed the Service Desk process, including approvals.
Output:
- Spreadsheet with the analysis.
- All dumps (employee list and AD export).
Audit Success Criteria:
- No former employee has an account.
- All provisioning tickets reviewed have followed the process.
Maintenance Task: NA
Policies: Account Management Procedures; Change Management Procedure

Employee contract reviews
Objective:
Audit Methodology: NA
Audit Success Criteria: NA
Maintenance Task: Ensure employees have contracts and that these are kept in the esteban gmail account.
Policies: HR Security Policy

Employee Interview to assess satisfaction
Objective:
Audit Methodology: NA
Audit Success Criteria: NA
Maintenance Task: Interview all employees and ensure that wages, work and colleagues are OK.
Policies: HR Security Policy

End-Point Reviews
Objective: Ensure that end-point hardening and device allocation processes are followed and enforced on all our end-point devices (laptops and mobile phones in particular).
Audit Methodology:
Evidence:
- List of employees that joined and left the organisation since the last audit.
- Asset inventory list.
Analysis:
- Meet the new employees together with the Service Desk and validate that their assigned devices correspond to those documented in the inventory. Review whether the devices meet the hardening standards.
- Review the inventory and ensure there are receipts for the hardware returned by the employees that have left the organisation.
Output:
- List of employees with a check box indicating whether the tests passed or not.
- PDF copies of the receipts.
Audit Success Criteria: All hardware must be allocated or returned with receipts that prove the exchange. All devices must follow the hardening guides in detail.
Maintenance Task: NA
Policies: Hardening Standards; HR Security Policy; System inventory

Endpoint Hardware Inventory
Objective: Control that end-point systems (laptops and desktops) are built according to our organisational standards.
Audit Methodology:
Input:
- Random selection of at least 10% of all end-point systems.
- Official build guide for end-point systems.
- System inventory.
Analysis:
- Validate that the system is encrypted and joined to the AD domain.
- Validate that the system is part of the inventory.
Output:
- Spreadsheet with the systems reviewed and the result (correct / not correct).
Audit Success Criteria: All systems must be aligned with our build standards.
Maintenance Task: NA
Policies: Hardening Standards; System inventory