Internal Controls
Internal Controls describe the activities we perform at our organisation to address Risks and Compliance Requirements. For each control we document what it does, how we test it, and which Policies, Standards and Procedures govern it.
Title | Objective | Audit Methodology | Audit Success Criteria | Maintenance Task | Policies |
---|---|---|---|---|---|
AD Group Reviews | Ensure AD groups have been managed according to our policies. | Input: list of critical AD groups (column A: group name); members of each group (column A: group name, column B: member login name); tickets from the AD management queue; logs from the central collector covering all AD changes. Analysis: review that every AD change has a ticket assigned, check-marking each change that does not; review every ticket and confirm the standard procedure was followed, check-marking each that was not. Output: spreadsheet with the analysis. | All AD changes have a ticket and all tickets have followed our standard procedures. | NA | Account Management Procedures; Hardening Standards; Logging & Monitoring Standards; Change Management Procedure |
Backups | Ensure critical systems (ERP and CRM) have backups and that restores have been tested as per our policies and standards. | Input: list of planned restore tests (column A: system, column B: planned restore test date); backup configuration exported from NetWorker for each system in scope; list of tickets in the Backup queue. Analysis: confirm each system in scope has the appropriate backup configured; confirm restores were completed as scheduled and that the tickets show the process was properly followed. Output: spreadsheet with the analysis. | All systems in scope have backup configurations and test restores have been executed as planned. | NA | Backup Policies; Change Management Procedure |
Change Mgt Reviews | Review that changes on Linux systems have a corresponding ticket. | Input: list of systems in scope (column A: hostname); logs for all systems in scope from the central log collector; list of tickets in the Linux queue (column A: ticket number, column B: date). Analysis: for each log entry confirm a ticket exists, check-marking the log line if none does; for each log entry with a ticket, review the ticket and confirm it followed our change procedures. Output: two spreadsheets, one with the log entries and one with the tickets. | All system changes have a ticket and all tickets have followed our procedures. | NA | Change Management Procedure; System inventory; Hardening Standards; Logging & Monitoring Standards |
DMZ Firewall Reviews | Ensure that every rule change on the DMZ firewall has followed the change management procedure correctly. | Input: firewall change logs from the central log collector; list of network tickets from the ticketing system (column A: ticket number, column B: date); the policy change procedure. Analysis: for each firewall change in the logs identify the corresponding ticket; confirm each ticket followed our procedure in detail. Output: spreadsheet of tickets with a check mark against each that did not follow the procedure; spreadsheet of firewall log entries with a check mark against each that has no ticket directly associated with it. | All log entries have a ticket and all tickets have followed the process correctly. | NA | Hardening Standards; Change Management Procedure; Logging & Monitoring Standards |
Employee Account Provisioning and Deprovisioning Review | This control ensures that the provisioning and deprovisioning of accounts has followed our procedures in detail, checked against our Active Directory, which authenticates all user logins on every system in the company. Additional reviews are performed on key systems. | Evidence: list of employees who joined and left the company since the last audit; list of active AD user accounts. Analysis: review that no former employee has an active AD account; review that each new employee's AD account carries the Change Request ticket number in its description, then confirm in Service Desk that the ticket followed the process, including approvals. Output: spreadsheet with the analysis; all dumps (employee and AD). | No former employee has an account; all provisioning tickets reviewed have followed the process. | NA | Account Management Procedures; Change Management Procedure |
High Privilege Service Accounts | Ensure that privileged account passwords are kept confidential. | Input: Passman logs from the central log collector; list of tickets in the Passman queue (column A: ticket number, column B: date). Analysis: for each log entry confirm a ticket exists, check-marking the item if none does; for each ticket confirm the privileged account process was followed. Output: spreadsheet with the analysis. | All accesses to privileged accounts have a ticket and all tickets have followed our standard procedures. | NA | Account Management Procedures; Change Management Procedure; Logging & Monitoring Standards |
Policy Password Configuration | Ensure that password policies are properly enforced on key systems. | Input: AD, CRM and ERM logs including system configuration changes; list of tickets for AD, CRM and ERM (column A: ticket number, column B: date); screenshots of the password policies configured on AD, CRM and ERM. Analysis: confirm the current password policies match our standards; review all system logs and confirm each configuration change has a ticket, check-marking it if not; review all tickets and confirm our standard procedures were followed. Output: spreadsheet with the analysis. | All systems in scope have the right password policy and changes have followed our procedures. | NA | Change Management Procedure; Hardening Standards; Logging & Monitoring Standards |
Service Accounts Reviews | Review service accounts to ensure they are still valid and were created following standard procedures. | Input: list of AD accounts whose password is set to never expire (column A: account name, column B: creation date); list of tickets for all AD changes. Analysis: for each account confirm a valid ticket exists, check-marking the item if it has none. Output: spreadsheet with the analysis. | No service account is without a valid ticket, and every remaining service account is still valid. | NA | Account Management Procedures; Change Management Procedure; Hardening Standards |
Standard Server Build - Linux | Verify Linux servers have been built as per our standards. | Input: random selection of 10% of all Linux systems deployed since the last audit, on a spreadsheet where column A holds the hostname; dump of the output produced by the script included in this control when run against that list; system inventory. Analysis: none beyond the script, which performs the checks; additionally confirm each sampled system is part of the inventory. Output: script output in CSV format. | All systems built since the last audit comply with our build standards. | NA | Change Management Procedure; Hardening Standards; System inventory |
Standard Server Build - Windows | Verify Windows servers have been built as per our standards. | Input: random selection of 10% of all Windows systems deployed since the last audit, on a spreadsheet where column A holds the hostname; dump of the output produced by the script included in this control when run against that list; system inventory. Analysis: none beyond the script, which performs the checks; additionally confirm each sampled system is part of the inventory. Output: script output in CSV format. | All systems built since the last audit comply with our build standards. | NA | Hardening Standards; System inventory; Change Management Procedure |
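Five of the controls above (AD Group Reviews, Change Mgt Reviews, DMZ Firewall Reviews, High Privilege Service Accounts and Policy Password Configuration) share the same analysis step: every change seen in the central log collector must map to a ticket, and a log line with no ticket gets a check mark. The script below is an added example of that reconciliation; it is not the page's own tooling and not part of any GRC product. The event line format, the ticket CSV columns, the `CHG-nnnn` numbering and the sample data are all assumptions made for the example. It also encodes two checks an auditor should not skip: a quoted ticket only counts if it exists, was approved and was opened before the change happened, and a change with no quoted ticket is matched by host and date window rather than simply passed.

```python
"""Reconcile change events from the central log collector with change tickets.

Added example, not the page's own tooling. Assumed (the page does not specify
formats): the collector exports one event per line as
"<ISO timestamp> <host> <actor> <message>", the ticketing system exports a CSV
with columns number,date,status,summary, and tickets are numbered CHG-nnnn.
"""
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

TICKET_RE = re.compile(r"\b(CHG-\d+)\b")  # assumed ticket numbering scheme

@dataclass
class Event:
    when: datetime
    host: str
    actor: str
    message: str
    ticket: Optional[str] = None  # ticket matched during reconciliation
    flagged: bool = False         # the "check mark": no valid ticket found

@dataclass
class Ticket:
    number: str
    opened: datetime
    status: str
    summary: str

def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        when, host, actor, message = line.split(" ", 3)
        events.append(Event(datetime.fromisoformat(when), host, actor, message))
    return events

def parse_tickets(text: str) -> Dict[str, Ticket]:
    tickets = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        tickets[row["number"]] = Ticket(row["number"], datetime.fromisoformat(row["date"]),
                                        row["status"], row["summary"])
    return tickets

def reconcile(events: List[Event], tickets: Dict[str, Ticket],
              window: timedelta = timedelta(days=2)) -> List[Event]:
    """Attach a ticket to each event or flag the event.

    A ticket number quoted in the message counts only if the ticket exists, is
    approved and was opened before the change (a ticket raised afterwards is not
    authorisation). Otherwise fall back to an approved ticket that names the host
    and was opened within `window` before the change, because engineers do not
    always quote the ticket in the change comment.
    """
    for ev in events:
        quoted = TICKET_RE.search(ev.message)
        if quoted and quoted.group(1) in tickets:
            t = tickets[quoted.group(1)]
            if t.status == "approved" and t.opened <= ev.when:
                ev.ticket = t.number
                continue
        candidates = [t for t in tickets.values()
                      if t.status == "approved" and ev.host in t.summary
                      and ev.when - window <= t.opened <= ev.when]
        if candidates:
            ev.ticket = max(candidates, key=lambda t: t.opened).number
        else:
            ev.flagged = True
    return events

def to_csv(events: List[Event]) -> str:
    """Spreadsheet output: one row per log line, 'X' in the check column if flagged."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["timestamp", "host", "actor", "ticket", "check", "message"])
    for ev in events:
        writer.writerow([ev.when.isoformat(), ev.host, ev.actor,
                         ev.ticket or "", "X" if ev.flagged else "", ev.message])
    return out.getvalue()

# Constructed sample data, not real logs or tickets.
SAMPLE_EVENTS = """
2024-03-04T10:15:00 fw-dmz-01 jdoe rule added: allow tcp/443 from 203.0.113.0/24 to 10.0.5.10 (CHG-1042)
2024-03-04T11:02:00 web-03 asmith useradd deploy (CHG-1043)
2024-03-05T09:30:00 web-03 asmith yum update openssl
2024-03-06T02:10:00 fw-dmz-01 root rule deleted: deny any any
"""
SAMPLE_TICKETS = """
number,date,status,summary
CHG-1042,2024-03-01T09:00:00,approved,DMZ: open 443 to 10.0.5.10
CHG-1043,2024-03-04T12:00:00,open,Create deploy user on web-03
CHG-1044,2024-03-04T15:00:00,approved,Patch openssl on web-03
"""

def run_example() -> List[Event]:
    return reconcile(parse_events(SAMPLE_EVENTS), parse_tickets(SAMPLE_TICKETS))

if __name__ == "__main__":
    print(to_csv(run_example()))
```

On the constructed data the firewall rule added under CHG-1042 and the openssl patch (matched by host and date to CHG-1044) pass, while the `useradd` that quotes an unapproved ticket and the root rule deletion with no ticket at all are check-marked. The date window is the one knob to agree with the process owner before the audit: too wide and unrelated tickets start "explaining" changes.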
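The Employee Account Provisioning and Deprovisioning Review compares an HR joiner/leaver list with an AD user export. The script below is an added example of that comparison, not the page's own tooling; the HR and AD column names, the `CHG-nnnn` ticket numbering and the sample data are assumptions. Beyond the two checks the control names, it reports a third list that is easy to overlook: enabled AD accounts with no HR record at all, which are either people HR does not know about or service accounts that belong in the Service Accounts Review. Logins are compared case-insensitively because `sAMAccountName` is not case-sensitive, so a leaver exported as `BWong` by AD and `bwong` by HR is the same account.

```python
"""Joiner/leaver review against an Active Directory user export.

Added example, not the page's own tooling. Assumed inputs (the page names the
lists but not their columns): an HR export with login,name,start,end (end empty
while employed) and an AD export with sAMAccountName,enabled,description,
whenCreated. Change tickets are assumed to be numbered CHG-nnnn.
"""
import csv
import io
import re
from datetime import date
from typing import Dict, List, Set

TICKET_RE = re.compile(r"\b(CHG-\d+)\b")  # assumed ticket numbering scheme

def _rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text.strip())))

def review(hr_csv: str, ad_csv: str, approved_tickets: Set[str],
           last_audit: date, audit_date: date) -> Dict[str, List[str]]:
    """Return the three lists an auditor check-marks.

    Logins are lower-cased on both sides because sAMAccountName is compared
    case-insensitively by AD itself.
    """
    hr = {r["login"].lower(): r for r in _rows(hr_csv)}
    ad = {r["sAMAccountName"].lower(): r for r in _rows(ad_csv)}

    # Check 1: a leaver (end date on or before the audit date) whose AD account
    # is still enabled has not been deprovisioned.
    leavers_still_enabled = []
    for login, r in hr.items():
        left = r["end"] and date.fromisoformat(r["end"]) <= audit_date
        acct = ad.get(login)
        if left and acct and acct["enabled"] == "True":
            leavers_still_enabled.append(login)

    # Check 2: enabled accounts with no HR record at all. Not a person HR knows
    # about, or a service account that belongs in the Service Accounts Review.
    orphans = [login for login, a in ad.items()
               if a["enabled"] == "True" and login not in hr]

    # Check 3: joiners since the last audit must carry an approved ticket number
    # in the AD description; no account, no ticket, or an unapproved ticket is flagged.
    new_without_ticket = []
    for login, r in hr.items():
        if date.fromisoformat(r["start"]) <= last_audit:
            continue
        acct = ad.get(login)
        quoted = TICKET_RE.search(acct["description"]) if acct else None
        if acct is None or quoted is None or quoted.group(1) not in approved_tickets:
            new_without_ticket.append(login)

    return {"leavers_still_enabled": sorted(leavers_still_enabled),
            "orphan_accounts": sorted(orphans),
            "new_without_valid_ticket": sorted(new_without_ticket)}

# Constructed sample data, not a real HR or AD export.
SAMPLE_HR = """
login,name,start,end
jdoe,Jane Doe,2021-02-01,
bwong,Ben Wong,2019-06-15,2024-02-28
mrossi,Marco Rossi,2024-03-11,
lkim,Lee Kim,2024-03-18,
ppatel,Priya Patel,2018-01-09,2023-11-30
"""
SAMPLE_AD = """
sAMAccountName,enabled,description,whenCreated
jdoe,True,,2021-02-01
BWong,True,,2019-06-15
mrossi,True,CHG-2001 new starter,2024-03-11
lkim,True,,2024-03-18
ppatel,False,Left 2023-11-30,2018-01-09
svc-backup,True,NetWorker service account,2020-05-05
"""

def run_example() -> Dict[str, List[str]]:
    # Approved ticket set would come from the Service Desk export in practice.
    return review(SAMPLE_HR, SAMPLE_AD, {"CHG-2001"},
                  last_audit=date(2024, 3, 1), audit_date=date(2024, 3, 31))

if __name__ == "__main__":
    for finding, logins in run_example().items():
        print(f"{finding}: {', '.join(logins) or 'none'}")
```

On the sample data `bwong` is a leaver still enabled, `lkim` is a joiner whose account description carries no ticket, and `svc-backup` is an enabled account with no HR record. The approved-ticket set should be taken from the Service Desk export rather than trusted from the AD description, which is exactly the "then review the ticket" step in the control.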
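Both Standard Server Build controls start from a random 10% sample of systems deployed since the last audit and require confirming each sampled system is in the inventory. The script below is an added example of drawing that sample reproducibly and performing the inventory check; it is not the page's own tooling, and the build-check script the controls refer to is not on the page and is not reproduced here. The deployment-record and inventory CSV layouts and the sample data are assumptions. The point worth taking from it is that the random seed is written into the selection sheet: an auditor who is handed the sheet can regenerate the identical sample and confirm nobody hand-picked the hosts.

```python
"""Draw the 10% sample for the Standard Server Build controls and check it
against the inventory.

Added example, not the page's own tooling. Assumed inputs: a deployment-record
CSV with hostname,os,deployed (from the provisioning tool) and an inventory CSV
with a hostname column. The build-check script itself is not part of this example.
"""
import csv
import io
import math
import random
from datetime import date
from typing import Dict, List

def _rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text.strip())))

def sample_since(deployments_csv: str, os_name: str, last_audit: date,
                 fraction: float = 0.10, seed: int = 0) -> List[str]:
    """Select ceil(fraction * N) hosts of the given OS deployed after last_audit.

    The population is sorted before sampling so the same seed always yields the
    same selection regardless of the order in which the export was produced.
    """
    population = sorted(r["hostname"] for r in _rows(deployments_csv)
                        if r["os"].lower() == os_name.lower()
                        and date.fromisoformat(r["deployed"]) > last_audit)
    k = math.ceil(fraction * len(population))
    return sorted(random.Random(seed).sample(population, k))

def inventory_check(sample: List[str], inventory_csv: str) -> Dict[str, bool]:
    """True if the sampled host is in the inventory. A False here is a finding
    on its own, independent of whatever the build-check script reports."""
    known = {r["hostname"].lower() for r in _rows(inventory_csv)}
    return {h: h.lower() in known for h in sample}

def selection_sheet(sample: List[str], checks: Dict[str, bool], seed: int) -> str:
    """The spreadsheet handed to the auditor: hostname, inventory result, seed."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["hostname", "in_inventory", "seed"])
    for h in sample:
        writer.writerow([h, "yes" if checks[h] else "NO", seed])
    return out.getvalue()

# Constructed sample data, not real deployment records or inventory.
SAMPLE_DEPLOYMENTS = "hostname,os,deployed\n" + "\n".join(
    ["app-01,linux,2024-01-10"] +                      # before the last audit
    [f"app-{n:02d},linux,2024-02-{4 + n:02d}" for n in range(2, 14)] +
    ["win-01,windows,2024-02-21"])
SAMPLE_INVENTORY = "hostname\n" + "\n".join(
    f"app-{n:02d}" for n in range(1, 14) if n != 7) + "\nwin-01"  # app-07 missing

def run_example(seed: int = 42) -> str:
    last_audit = date(2024, 2, 1)
    sample = sample_since(SAMPLE_DEPLOYMENTS, "linux", last_audit, seed=seed)
    return selection_sheet(sample, inventory_check(sample, SAMPLE_INVENTORY), seed)

if __name__ == "__main__":
    print(run_example())
```

With twelve Linux hosts deployed after the last audit the sample is two hosts; the single Windows host in the sample data rounds up to a sample of one, which is the intended behaviour of `ceil` (a 10% sample of fewer than ten systems is still at least one system). Keep the seed with the audit evidence, not in the script.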