Internal Controls
Internal Controls explain the activities we perform at our organisation to deal with Risks and Compliance Requirements. We document what they do, how we test them and what Policies, Standards and Procedures govern them.
60
0%
Current Internal Controls
0
0%
New Internal Controls
0
0%
Updated Internal Controls
|
Actions
|
Title | Objective | Audit Methodology | Audit Success Criteria | Maintenance Task | Policies |
|---|---|---|---|---|---|---|
|
AD Group Reviews
|
Ensure AD groups have been managed according to our policies.
|
Input:
- List of critical AD groups; group name in column A - Members for each group; column A group name; column B group member login name - Tickets for AD management queue - Logs from the central collector with all AD changes Analysis: - Review that all AD changes have a ticket assigned; if they do not have a ticket check mark the item - Review all tickets and ensure they have followed the standard procedure; if not check mark the item. Output: - Spreadsheet Analysis |
All AD changes have a ticket and all tickets have followed our standard procedures.
|
NA
|
Account Management Procedures Hardening Standards Logging & Monitoring Standards Change Management Procedure | |
|
Change Mgt Reviews
|
Review changes on linux systems have a corresponding ticket.
|
Input:
- List of systems in scope; column A the hostname of the system - Logs for all systems from the central log collector - List of tickets for the linux queue; column A ticket number; column B date Analysis: - For each log ensure there is a ticket; if there is no ticket check mark the log line - For each log with a ticket; review the ticket and ensure it follows our change procedures Output: - Two spreadsheets; one with logs and the other with tickets |
All system changes have a ticket and all tickets have followed our procedures
|
NA
|
Change Management Procedure System inventory Hardening Standards Logging & Monitoring Standards | |
|
CRM Application - Account Reviews
|
Ensure that each user account in CRM belongs to the correct area and that each role has been granted for a ticket
|
Input:
- System logs that indicate account creations at the CRM system - List of all tickets for CRM account management since the last audit Analysis: - For each log identify a ticket - Review the ticket has followed our account management process Output: - Spreadsheet with analysis |
All account creations have followed our procedures.
|
NA
|
Account Management Procedures Hardening Standards Logging & Monitoring Standards | |
|
Database Administrator Account Reviews
|
Ensure the database user logins on the following systems: CRM; ERM; Acme Drupal have not received login attempts from other sources than the application that they serve.
|
Input:
- Connection log for these three systems obtained from the central log collector - DB account names used by the applications that use these databases Analysis: - For each log line; ensure no other account than the ones used by the application has successfully logged on the DB. Output: - Spreadsheet validating each database connection; a check mark if a fault is identified. |
Only system applications service accounts have connected to the database.
|
NA
|
Account Management Procedures Hardening Standards Logging & Monitoring Standards | |
|
DMZ Firewall Reviews
|
Ensure that every rule in the DMZ has followed change management procedures correctly.
|
Input:
- Firewall change logs from central log collector - List of network tickets from the ticketing system; column A includes the ticket number and column B the date. - Policy change procedure Analysis: - For each firewall change on the logs identify a ticket - Each ticket must have followed our procedures in detail Output: - Spreadsheet with tickets includes a checkbox if they have not followed the procedure - Spreadsheet with firewall logs include a check mark if they have not a directi ticket asociated |
All logs include a ticket and all tickets have followed the process correctly
|
NA
|
Hardening Standards Change Management Procedure Logging & Monitoring Standards | |
|
High Privilege Service Accounts
|
Ensure that passwords are kept confidential.
|
Input:
- Passman logs from the central log collector - List of tickets for the Passman queue; column A ticket number; column B date Analysis: - For each log ensure there is a ticket; if not check mark the item - For each ticket; ensure the process for privilege account has been followed Output: - Spreadsheet with analysis |
All access to privileged accounts have a ticket and all tickets have followed our standard procedures.
|
NA
|
Account Management Procedures Change Management Procedure Logging & Monitoring Standards | |
|
Log Reviews
|
Ensure Logging Systems are capturing logs from the systems in scope.
|
Input:
- Spreadsheet with the list of systems in scope - Logging Standards Policy Analysis - For each system in scope review logs are being received without interruptions - Review that rules as defined in our policy are configured and enabled Output: - Spreadsheet with the analysis |
All systems are logging as expected and all rules are configured and enabled.
|
NA
|
Hardening Standards Logging & Monitoring Standards System inventory | |
|
Log Reviews
|
Ensure Logging Systems are capturing logs from the systems in scope and the logging server has enabled protection against log tampering.
|
Evidence:
- List of documented risks - Logging Standards Policy - SIEM settings Analysis - For each documented risk identify the logs required to trigger an alert when the risk scenario is met - Ensure an alarm is triggered to GRC - Ensure logs that triggered the alarm are sufficient - Ensure SIEM settings for log tampering are enabled, this ensures logs can not be deleted even by an administrator using the user interface Output: - Spreadsheet with the analysis |
All documented risks are monitored and alarms trigger when their conditions are met
|
NA
|
Logging & Monitoring Standards Security Governance Policy System inventory | |
|
Policy Password Configuration
|
Ensure that passwords policies are properly enforced on key systems
|
Input:
- List of AD; CRM and ERM logs including system configuration changes - List of tickets for AD; CRM and ERM; column A ticket number; column B date - Screenshot with password policies for AD; CRM and ERM Analysis: - Ensure the current password policies are aligned with our standards - Review all system logs and ensure that for each log; there is a ticket. check mark if not. - Review all tickets and ensure our standard policies have been followed. Output: - Spreadsheet with analysis |
All systems in scope have the right password policy and changes have followed our procedures.
|
NA
|
Change Management Procedure Hardening Standards Logging & Monitoring Standards | |
|
VPN Access
|
VPN access is available to all our employees
|
Input:
- VPN server configurations - List of VPN connections from our central log collector since last audit - List of employees that left the organisation since last audit Analysis: - Configurations on VPN servers enforce that only AD valid accounts can login - The comparison in between VPN logs and employees that left the organisation show no ex-employee ever connected to the VPN Output: - Spreadsheet with the analysis |
Only employees can (and have) VPN to the organisation.
|
NA
|
Hardening Standards Logging & Monitoring Standards |