Internal Controls

Internal Controls explain the activities we perform at our organisation to deal with Risks and Compliance Requirements. We document what they do, how we test them and what Policies, Standards and Procedures govern them.

Each control is recorded with the following fields: Title; Objective; Audit Methodology; Audit Success Criteria; Maintenance Task; Policies.

Title: Active Directory User Reviews
Objective: Ensure that employees who have left the organisation have no valid account in AD and that their last login precedes their last day in the office.
Audit Methodology:
Input:
- HR needs to provide the list of employees that left the company since the beginning of the year and their last day in the company as columns A and B. The name of the employee must be their login name (john.foo).
- The AD team needs to provide the list of disabled accounts (column A), the date they were disabled and their last successful login as columns B and C.
Analysis:
- For each row in the list of employees, verify that the account has been disabled and that no logins occurred after the employee's last day of work.
Output:
- A merge of both spreadsheets showing that all accounts are disabled and no logins occurred after the last day.
Audit Success Criteria: All accounts have been disabled before the employee left the organisation.
Maintenance Task: NA
Policies: Account Management Procedures

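The merge described in the Active Directory User Reviews methodology, as an added illustration that is not part of the control catalogue: it joins the HR leaver sheet (login, last day) with the AD dump (login, disabled date, last successful login) and gives each leaver a finding. The sample rows are constructed, and the evaluation order (missing from AD, disabled after last day, login after last day) is an assumption about how the auditor would mark the spreadsheet.

```python
from datetime import date

# Constructed sample inputs (not from the page). HR sheet: login name (column A)
# and last day in the company (column B). AD sheet: login (column A), date the
# account was disabled (column B) and last successful login (column C).
HR_LEAVERS = [
    ("john.foo", date(2024, 3, 29)),
    ("jane.bar", date(2024, 5, 10)),
    ("sam.baz", date(2024, 6, 14)),
]
AD_DISABLED = {
    "john.foo": (date(2024, 3, 29), date(2024, 3, 28)),  # disabled on the last day, last login before it
    "jane.bar": (date(2024, 5, 20), date(2024, 5, 13)),  # disabled late and used after the last day
    # sam.baz is absent: the account was never disabled
}


def review_leavers(hr_leavers, ad_disabled):
    """Merge both sheets into one row per leaver, each carrying its finding.

    A row is "OK" only when the account appears in the disabled list, was
    disabled no later than the employee's last day, and its last successful
    login is not after that day.
    """
    rows = []
    for login, last_day in hr_leavers:
        record = ad_disabled.get(login)
        if record is None:
            rows.append({"login": login, "last_day": last_day, "disabled_on": None,
                         "last_login": None, "finding": "account not disabled"})
            continue
        disabled_on, last_login = record
        findings = []
        if disabled_on > last_day:
            findings.append("disabled after last day")
        if last_login > last_day:
            findings.append("login after last day")
        rows.append({"login": login, "last_day": last_day, "disabled_on": disabled_on,
                     "last_login": last_login, "finding": "; ".join(findings) or "OK"})
    return rows


def control_passes(rows):
    """Audit success criteria: every leaver row must be OK."""
    return all(row["finding"] == "OK" for row in rows)


if __name__ == "__main__":
    for row in review_leavers(HR_LEAVERS, AD_DISABLED):
        print(f'{row["login"]:<10} {row["finding"]}')
```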
Title: AD Group Reviews
Objective: Ensure AD groups have been managed according to our policies.
Audit Methodology:
Input:
- List of critical AD groups; group name in column A
- Members for each group; column A group name; column B group member login name
- Tickets for the AD management queue
- Logs from the central collector with all AD changes
Analysis:
- Review that all AD changes have a ticket assigned; if they do not have a ticket, check mark the item
- Review all tickets and ensure they have followed the standard procedure; if not, check mark the item
Output:
- Spreadsheet analysis
Audit Success Criteria: All AD changes have a ticket and all tickets have followed our standard procedures.
Maintenance Task: NA
Policies: Account Management Procedures; Hardening Standards; Logging & Monitoring Standards; Change Management Procedure

Title: Anti-Malware Software Reviews
Objective: Ensure antivirus/anti-malware software is deployed and kept up to date on critical systems.
Audit Methodology:
Evidence:
- Inventory of systems and assets
- Screenshot from the master AV software showing the software version and latest signature update
- List of all new employees since the last audit
Analysis:
- Randomly check that assets on the inventory have AV deployed and updated to the latest signature
- Ensure the master AV system has the latest signature implemented
- Randomly select new employees and interview them to ensure their systems have AV, are updated and cannot be disabled
Output:
- All provided evidence
- Spreadsheet with a list of employees and assets reviewed and a check if the test went OK
Audit Success Criteria: All systems reviewed have AV installed, updated and not disableable (in the case of non-admin systems).
Maintenance Task: NA
Policies: Hardening Standards

Title: Application Hardening Standards
Objective: Verify applications and systems have been hardened as per our standards.
Audit Methodology:
Evidence:
- System inventory
Analysis:
- For a selection of systems that were not tested in the last audit, ensure all hardening standards are enforced
Output:
- Spreadsheet with the analysis of systems vs. hardening checks
- Screenshots for each system that prove hardening is enforced
Audit Success Criteria: All tested systems and applications meet all our hardening standards where technically feasible.
Maintenance Task: NA
Policies: Hardening Standards

Title: Background Check Reviews
Objective: Ensure that employees and contractors have gone through the mandatory background checks.
Audit Methodology:
Evidence:
- List of employees and contractors that joined the company since the last audit
- Copies of their background check records, requested as per the HR Security Policy
Analysis:
- Review that employees and contractors have their background check records available in their HR file
Output:
- All provided evidence
- Spreadsheet with a list of employees and an additional column with a check (whether the background check was provided or not as expected)
Audit Success Criteria: All employees and contractors reviewed must have their mandatory background checks performed.
Maintenance Task: NA
Policies: HR Security Policy

Title: Backups
Objective: Ensure critical systems (ERP and CRM) have backups and that restores have been tested as per policies and standards.
Audit Methodology:
Input:
- List of planned restore tests; column A system; column B planned restore test
- Backup configuration from Networker for each system in scope
- List of tickets on the Backup queue
Analysis:
- Ensure systems in scope have appropriate backups configured
- Ensure that restores were completed as scheduled and tickets indicate the process has been properly followed
Output:
- Spreadsheet with the analysis
Audit Success Criteria: All systems in scope have backup configurations and test restores have been executed as planned.
Maintenance Task: NA
Policies: Backup Policies; Change Management Procedure

Title: Badge Reviews
Objective: Ensure all active badges belong to current employees and contractors.
Audit Methodology:
Input:
- List of employees that left the company since the last audit
- List of all badges assigned to each employee
Analysis:
- Review whether the badge assigned to a former employee is disabled or enabled (for a different employee)
Output:
- Spreadsheet with the analysis; column A includes the employee and a check mark on column B if the former employee has no valid badge assigned
Audit Success Criteria: There are no active cards assigned to ex-employees.
Maintenance Task: NA
Policies: Physical Security Standards

Title: Cardholder Data DMZ
Objective: Ensure systems that manage or store cardholder data are protected by a DMZ.
Audit Methodology:
Evidence:
- Cardholder diagram
- Configurations of the firewalls involved
Analysis:
- Ensure cardholder systems are behind a DMZ
- Ensure traffic in and out is limited to the needed hosts / networks
Output:
- Firewall configurations highlighting any rule outside what is strictly needed
Audit Success Criteria: All cardholder systems must be behind a DMZ network and firewall, and traffic in and out must be denied except what is needed.
Maintenance Task: NA
Policies: Network Diagram

Title: CCTV
Objective: Monitor access and specific areas in offices in order to prevent incidents or document evidence.
Audit Methodology:
Input:
- CCTV recordings from the entrance door of all branch offices
Analysis:
- Validate recordings exist for up to 90 days
Output:
- Spreadsheet with the camera name (column A), office (column B) and a check mark if recordings for at least 90 days have been found
Audit Success Criteria: CCTV has at least 90 days of recording.
Maintenance Task: NA
Policies: Physical Security Standards

Title: Change Mgt Reviews
Objective: Review that changes on Linux systems have a corresponding ticket.
Audit Methodology:
Input:
- List of systems in scope; column A the hostname of the system
- Logs for all systems from the central log collector
- List of tickets for the Linux queue; column A ticket number; column B date
Analysis:
- For each log entry ensure there is a ticket; if there is no ticket, check mark the log line
- For each log entry with a ticket, review the ticket and ensure it follows our change procedures
Output:
- Two spreadsheets; one with logs and the other with tickets
Audit Success Criteria: All system changes have a ticket and all tickets have followed our procedures.
Maintenance Task: NA
Policies: Change Management Procedure; System inventory; Hardening Standards; Logging & Monitoring Standards

Title: CMDB Reviews
Objective: The organisation keeps track of individual assets assigned in a CMDB (a spreadsheet); this is updated by the Service Desk as they distribute and manage the assignment of assets. This control reviews that the assignment has been done correctly.
Audit Methodology:
Evidence:
- List of CMDB changes since the last audit
- List of Service Desk tickets related to CMDB changes
Analysis:
- Validate that the CMDB changes have a valid Service Desk number
- Validate that the Service Desk ticket followed the process, in particular approvals and incident reports
- Visit the stock room and validate that items that show on the CMDB as pending assignment are visible
Output:
- Spreadsheet with the analysis
- Screenshots of the Service Desk tickets analysed
Audit Success Criteria: CMDB is updated and accurate. Service Desk tickets have followed the documented process to the detail.
Maintenance Task: NA
Policies: System inventory; End Point CMDB Management Procedure

Title: Code Reviews
Objective: Review the code that manages key functionalities to ensure SDLC standards are met.
Audit Methodology:
Input:
- List of applications in the scope of the program and their key functionalities as per our SDLC procedure
- Reference to the software deployment tickets
Analysis:
- Ensure that all key functionalities have been tested before being deployed by at least two different people
Output:
- Spreadsheet with the list of tickets and a check mark if they have been properly reviewed
Audit Success Criteria: All key features have been tested by at least two people before being deployed.
Maintenance Task: NA
Policies: SDLC Procedures

Title: Corporate Application Inventory
Objective: Through quarterly interviews with all teams in the organisation we aim to keep an up-to-date database of the applications that serve the business and the key teams responsible for their maintenance.
Audit Methodology:
Evidence:
- All interview records since the last audit
- Inventory database
Analysis:
- Compare updates on the inventory database against the interview conclusions
Output:
- Inventory records
- Spreadsheet with changes on the inventory database
Audit Success Criteria:
- All areas of the organisation have been interviewed
- All changes reported have been reflected on the inventory
Policies: System inventory

Title: Corporate DataFlow Inventory
Objective: Through regular interviews, understand what key data each team handles and how it flows (with particular focus on systems and people) through the corporation and third parties.
Audit Methodology:
Evidence:
- Records of interviews with all areas of the organisation where the involved data, systems, third parties and teams are documented
- GDPR data flow and inventory document
Analysis:
- Compare the conclusions of such meetings and validate they are reflected on the inventory document
Output:
- Copy of the interviews
- Spreadsheet with the analysis
Audit Success Criteria:
- Meetings have taken place with all areas
- Conclusions are documented and reflected on the inventory document
Policies: Data Flow Analysis and Inventory

Title: CRM Application - Account Reviews
Objective: Ensure that each user account in CRM belongs to the correct area and that each role has been granted through a ticket.
Audit Methodology:
Input:
- System logs that indicate account creations at the CRM system
- List of all tickets for CRM account management since the last audit
Analysis:
- For each log entry identify a ticket
- Review that the ticket has followed our account management process
Output:
- Spreadsheet with analysis
Audit Success Criteria: All account creations have followed our procedures.
Maintenance Task: NA
Policies: Account Management Procedures; Hardening Standards; Logging & Monitoring Standards

Title: Database Administrator Account Reviews
Objective: Ensure the database user logins on the following systems: CRM; ERM; Acme Drupal have not received login attempts from sources other than the application that they serve.
Audit Methodology:
Input:
- Connection log for these three systems obtained from the central log collector
- DB account names used by the applications that use these databases
Analysis:
- For each log line, ensure no account other than the ones used by the application has successfully logged on to the DB
Output:
- Spreadsheet validating each database connection; a check mark if a fault is identified
Audit Success Criteria: Only the application service accounts have connected to the database.
Maintenance Task: NA
Policies: Account Management Procedures; Hardening Standards; Logging & Monitoring Standards

Title: Datacenter Security
Objective: Ensure server rooms and datacenters comply with our policies and standards.
Audit Methodology:
Input:
- Datacenter standards document
Analysis:
- Visit each site and make sure they comply with the standards
Output:
- Spreadsheet with the analysis: for each standard requirement a Yes / No
Audit Success Criteria: 100% compliance.
Maintenance Task: NA
Policies: Physical Security Standards

Title: Destruction of Media
Objective: Ensure media that is no longer in use has been destroyed.
Audit Methodology:
Input:
- Inventory of all media due for destruction
- Records of the media that got destroyed by the third party
Analysis:
- For each item on the inventory there must be a corresponding record by the supplier in charge of destroying media; where such a record does not exist, check mark the item
Output:
- Spreadsheet with the analysis
Audit Success Criteria: All media tagged as no longer in use was destroyed and records of such destruction exist.
Maintenance Task: NA
Policies: Media Handling Policy

Title: DMZ Firewall Reviews
Objective: Ensure that every rule in the DMZ has followed change management procedures correctly.
Audit Methodology:
Input:
- Firewall change logs from the central log collector
- List of network tickets from the ticketing system; column A includes the ticket number and column B the date
- Policy change procedure
Analysis:
- For each firewall change on the logs identify a ticket
- Each ticket must have followed our procedures in detail
Output:
- Spreadsheet with tickets, including a checkbox if they have not followed the procedure
- Spreadsheet with firewall logs, including a check mark if they have no direct ticket associated
Audit Success Criteria: All logs include a ticket and all tickets have followed the process correctly.
Maintenance Task: NA
Policies: Hardening Standards; Change Management Procedure; Logging & Monitoring Standards

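The log-to-ticket reconciliation used by both the Change Mgt Reviews and the DMZ Firewall Reviews controls, as an added example that is not part of the control catalogue. It produces the two output spreadsheets (flagged log lines and flagged tickets) from constructed sample data. The ticket-number format (CHG-nnnn in the change comment), the "approved" flag standing in for the procedure check, and the extra rule that a ticket must be dated on or before the change it covers are all assumptions, since the page does not specify how a log line is matched to its ticket.

```python
import re
from datetime import date

# Assumed ticket-number format; the page does not specify one.
TICKET_RE = re.compile(r"\b(CHG-\d+)\b")

# Constructed sample firewall change events from the central log collector.
LOG_LINES = [
    "2024-05-02T10:14:07Z fw01 audit: user=alice action=add-rule dst=10.0.9.5:443 comment='CHG-1041'",
    "2024-05-03T16:40:55Z fw01 audit: user=bob action=delete-rule dst=10.0.9.7:22 comment=''",
    "2024-05-07T09:02:11Z fw02 audit: user=alice action=edit-rule dst=10.0.9.5:80 comment='CHG-1077'",
    "2024-05-08T11:30:00Z fw02 audit: user=carol action=add-rule dst=10.0.9.9:25 comment='CHG-1090'",
]
# Constructed network ticket queue: column A ticket number, column B date, plus an
# "approved" flag standing in for whatever the change procedure requires (assumed).
TICKETS = {
    "CHG-1041": {"date": date(2024, 5, 2), "approved": True},
    "CHG-1077": {"date": date(2024, 5, 7), "approved": False},
    "CHG-1090": {"date": date(2024, 5, 9), "approved": True},
}


def reconcile(log_lines, tickets):
    """Return (flagged_logs, flagged_tickets) for the two output spreadsheets.

    A log line is flagged when it references no known ticket, or when the
    ticket it references was raised after the change was made. A ticket is
    flagged when it did not follow the procedure (here: not approved).
    """
    flagged_logs = []
    for line in log_lines:
        change_day = date.fromisoformat(line[:10])  # timestamp is the first field
        match = TICKET_RE.search(line)
        number = match.group(1) if match else None
        if number is None or number not in tickets:
            flagged_logs.append((line, "no ticket"))
        elif tickets[number]["date"] > change_day:
            flagged_logs.append((line, f"{number} raised after the change"))
    flagged_tickets = [n for n, t in tickets.items() if not t["approved"]]
    return flagged_logs, flagged_tickets


def control_passes(log_lines, tickets):
    """Audit success criteria: no flagged log line and no flagged ticket."""
    flagged_logs, flagged_tickets = reconcile(log_lines, tickets)
    return not flagged_logs and not flagged_tickets
```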
Title: Dual Factor Authentication
Objective: Ensure key systems include 2-Factor Authentication.
Audit Methodology:
Input:
- List of key systems (CRM, ERM, VPN)
- Screenshot that shows 2-Factor is enabled
Analysis:
- Review that 2-factor is enabled
Output:
- Screenshots
Audit Success Criteria: All systems use 2-factor authentication.
Maintenance Task: NA
Policies: Hardening Standards

Title: Employee Account Provisioning and Deprovisioning Review
Objective: This control ensures that the provisioning and deprovisioning of accounts on systems has followed our procedures in detail against our Active Directory, which authenticates all user login attempts at all systems in the company. Additional reviews are performed on key systems.
Audit Methodology:
Evidence:
- List of employees that joined and left the company since the last audit
- List of active AD user accounts
Analysis:
- Review that no former employee has an active AD account
- Review that new employee accounts have the Change Request ticket number as the description on their AD account, then review that the ticket has followed the process on the Service Desk, including approvals
Output:
- Spreadsheet with the analysis
- All dumps (employee and AD)
Audit Success Criteria:
- No former employee has an account
- The provisioning tickets reviewed have all followed the process
Maintenance Task: NA
Policies: Account Management Procedures; Change Management Procedure

Title: Employee contract reviews
Objective: NA
Audit Methodology: NA
Maintenance Task: Ensure employees have contracts and that those are kept in Esteban's Gmail account.
Policies: HR Security Policy

Title: Employee Interview to assess satisfaction
Objective: NA
Audit Methodology: NA
Maintenance Task: Interview all employees and ensure: wages are OK, work is OK, colleagues are OK.
Policies: HR Security Policy

Title: End-Point Reviews
Objective: Ensure that end-point hardening and device allocation processes are followed and enforced on all our end-point devices (laptops and mobile phones in particular).
Audit Methodology:
Evidence:
- List of employees that joined and left the organisation since the last audit
- Asset inventory list
Analysis:
- Meet the new employees together with the Service Desk and validate that their assigned devices correspond to those documented on the inventory. Review whether the devices meet hardening standards.
- Review the inventory and ensure there are receipts for the hardware returned by those employees that have left the organisation
Output:
- List of employees with a checkbox indicating whether the tests are correct or not
- PDF copies of the receipts
Audit Success Criteria: All hardware must be allocated or returned with receipts that prove the exchange. All devices must follow the hardening guides to the detail.
Maintenance Task: NA
Policies: Hardening Standards; HR Security Policy; System inventory

Title: Endpoint Hardware Inventory
Objective: Control that end-point systems (laptops and desktops) are built according to our organisational standards.
Audit Methodology:
Input:
- Random selection of at least 10% of all endpoint systems
- Official build guide for endpoint systems
- System inventory
Analysis:
- Validate that the system is encrypted and associated with the AD domain
- Validate that the system is part of the inventory
Output:
- Spreadsheet with the systems reviewed and the result (correct / not correct)
Audit Success Criteria: All systems must be aligned with our build standards.
Maintenance Task: NA
Policies: Hardening Standards; System inventory