Internal Controls
Internal Controls explain the activities we perform at our organisation to deal with Risks and Compliance Requirements. We document what they do, how we test them and what Policies, Standards and Procedures govern them.
| Title | Objective | Audit Methodology | Audit Success Criteria | Maintenance Task | Policies |
|---|---|---|---|---|---|
| AD Group Reviews | Ensure AD groups have been managed according to our policies. | Input: list of critical AD groups (group name in column A); members of each group (column A group name, column B member login name); tickets for the AD management queue; logs from the central collector with all AD changes. Analysis: review that every AD change has a ticket assigned, check-marking any item that does not; review all tickets and ensure they followed the standard procedure, check-marking any that did not. Output: spreadsheet with the analysis. | All AD changes have a ticket and all tickets have followed our standard procedures. | NA | Change Management Procedure; Hardening Standards; Account Management Procedures; Logging & Monitoring Standards |
| Anti-Malware Software Reviews | Ensure antivirus/anti-malware software is deployed and kept up to date on critical systems. | Evidence: inventory of systems and assets; screenshot from the master AV software showing the software version and latest signature update; list of all new employees since the last audit. Analysis: randomly check that inventory assets have AV deployed and updated to the latest signature; ensure the master AV system has the latest signature applied; randomly select new employees and interview them to confirm their systems have AV, that it is updated and that it cannot be disabled. Output: all provided evidence; spreadsheet listing the employees and assets reviewed with a check indicating whether the test passed. | All systems reviewed have AV installed, updated and not disableable (in the case of non-admin systems). | NA | Hardening Standards |
| Application Hardening Standards | Verify applications and systems have been hardened as per our standards. | Evidence: system inventory. Analysis: for a selection of systems not tested in the last audit, ensure all hardening standards are enforced. Output: spreadsheet with the analysis of systems vs. hardening checks; screenshots for each system proving hardening is enforced. | All tested systems and applications meet all our hardening standards where technically feasible. | NA | Hardening Standards |
| Change Mgt Reviews | Review that changes on Linux systems have a corresponding ticket. | Input: list of systems in scope (column A hostname); logs for all systems from the central log collector; list of tickets for the Linux queue (column A ticket number, column B date). Analysis: for each log entry ensure there is a ticket, check-marking any log line without one; for each log entry with a ticket, review the ticket and ensure it follows our change procedures. Output: two spreadsheets, one with the logs and the other with the tickets. | All system changes have a ticket and all tickets have followed our procedures. | NA | Change Management Procedure; Hardening Standards; Logging & Monitoring Standards; System inventory |
| CRM Application - Account Reviews | Ensure that each user account in CRM belongs to the correct area and that each role has been granted under a ticket. | Input: system logs indicating account creations on the CRM system; list of all tickets for CRM account management since the last audit. Analysis: for each log entry identify a ticket; review that the ticket followed our account management process. Output: spreadsheet with the analysis. | All account creations have followed our procedures. | NA | Hardening Standards; Account Management Procedures; Logging & Monitoring Standards |
| Database Administrator Account Reviews | Ensure the database logins on the following systems (CRM, ERM, Acme Drupal) have not received login attempts from sources other than the application they serve. | Input: connection logs for these three systems from the central log collector; DB account names used by the applications that use these databases. Analysis: for each log line, ensure no account other than the ones used by the application has successfully logged on to the DB. Output: spreadsheet validating each database connection, with a check mark where a fault is identified. | Only application service accounts have connected to the database. | NA | Hardening Standards; Account Management Procedures; Logging & Monitoring Standards |
| DMZ Firewall Reviews | Ensure that every rule in the DMZ has followed change management procedures correctly. | Input: firewall change logs from the central log collector; list of network tickets from the ticketing system (column A ticket number, column B date); policy change procedure. Analysis: for each firewall change in the logs identify a ticket; each ticket must have followed our procedures in detail. Output: spreadsheet of tickets with a checkbox for those that did not follow the procedure; spreadsheet of firewall logs with a check mark for those with no ticket directly associated. | All logs include a ticket and all tickets have followed the process correctly. | NA | Change Management Procedure; Hardening Standards; Logging & Monitoring Standards |
| Dual Factor Authentication | Ensure key systems include 2-factor authentication. | Input: list of key systems (CRM, ERM, VPN); screenshot showing that 2-factor is enabled. Analysis: review that 2-factor is enabled. Output: screenshots. | All systems use 2-factor authentication. | NA | Hardening Standards |
| End-Point Reviews | Ensure that end-point hardening and device allocation processes are followed and enforced on all our end-point devices (laptops and mobile phones in particular). | Evidence: list of employees who joined and left the organisation since the last audit; asset inventory list. Analysis: meet the new employees together with the service desk and validate that their assigned devices match those documented in the inventory, reviewing whether the devices meet hardening standards; review the inventory and ensure there are receipts for the hardware returned by employees who have left the organisation. Output: list of employees with a checkbox indicating whether the tests passed; PDF copies of the receipts. | All hardware must be allocated or removed with receipts that prove the exchange. All devices must follow the hardening guides in full. | NA | Hardening Standards; System inventory; HR Security Policy |
| Endpoint Hardware Inventory | Control that end-point systems (laptops and desktops) are built according to our organisational standards. | Input: random selection of at least 10% of all endpoint systems; official build guide for endpoint systems; system inventory. Analysis: validate that the system is encrypted and joined to the AD domain; validate that the system is part of the inventory. Output: spreadsheet with the systems reviewed and the result (correct / not correct). | All systems must be aligned with our build standards. | NA | Hardening Standards; System inventory |
| Google Apps 2-Factor | | Input: Google Apps account security report. Analysis: ensure all accounts use 2-factor. Output: screenshots. | Everyone must use 2-factor. | NA | Hardening Standards; Account Management Procedures |
| IDS Reviews | Ensure IDS signatures are up to date and trigger notifications. | Input: IDS logs from our central log collector; tickets for the IDS queue. Analysis: review that every log indicating a signature update has a matching ticket, check-marking any item that does not; review all tickets and ensure the right procedure has been followed. Output: spreadsheet with the analysis. | IDS have been updated according to our standards. | NA | Hardening Standards |
| Log Reviews | Ensure logging systems are capturing logs from the systems in scope. | Input: spreadsheet with the list of systems in scope; Logging Standards Policy. Analysis: for each system in scope, review that logs are being received without interruption; review that the rules defined in our policy are configured and enabled. Output: spreadsheet with the analysis. | All systems are logging as expected and all rules are configured and enabled. | NA | Hardening Standards; Logging & Monitoring Standards; System inventory |
| Network Device Hardening Reviews | Ensure newly built equipment (physical or virtual) meets hardening standards. | Evidence: list of new kit implemented by the network teams; hardening standards. Analysis: for a sample of new kit installed since the last audit, review that the defined standards were implemented as part of the original change request that drove the need for that equipment; review the kit configurations and compare them against the standards. Output: list of kit installed since the last audit; list of the checks completed against each item, clearly identifying passed vs. failed checks. | All checks must pass. | NA | Hardening Standards |
| Policy Password Configuration | Ensure that password policies are properly enforced on key systems. | Input: AD, CRM and ERM logs including system configuration changes; list of tickets for AD, CRM and ERM (column A ticket number, column B date); screenshot of the password policies for AD, CRM and ERM. Analysis: ensure the current password policies are aligned with our standards; review all system logs and ensure each log has a ticket, check-marking any that does not; review all tickets and ensure our standard policies have been followed. Output: spreadsheet with the analysis. | All systems in scope have the right password policy and changes have followed our procedures. | NA | Change Management Procedure; Hardening Standards; Logging & Monitoring Standards |
| Regular Vulnerability Scanning | Ensure that a vulnerability scan is executed on the defined schedule (quarterly/monthly). | Input: last report from Security Metrics (PDF in original format); the list of change tickets used to correct each "Critical" and "Urgent" finding. Analysis: each "Critical" and "Urgent" finding must have a ticket; each ticket must have a resolution within 30 days of being created. Output: spreadsheet listing all tickets with a checkbox in column B if they were processed within 30 days. | All findings from the last report have been corrected within 30 days of being identified. | Every month a Nessus scan must be executed against core systems (use the templates in Nessus). Store this report, as it is later used for audits. | Vulnerability and Incident Management; Hardening Standards |
| Rogue Wifi APs | Ensure no rogue wifi networks exist in the office. | Input: none. Analysis: walk the office with a wifi scanner and log all APs in the area and their authentication mechanism; ensure no open network exists and, if one does, that it does not connect to our network. Output: wifi logs; spreadsheet with the analysis. | No open wifi AP exists connected to our organisation's network. | NA | Hardening Standards |
| Service Accounts Reviews | Review service accounts to ensure they are still valid and were created following standard procedures. | Input: list of AD accounts where the "password expiration" field is set to "never" (column A account name, column B creation date); list of tickets for all AD changes. Analysis: for each account ensure there is a valid ticket, check-marking any item that has none. Output: spreadsheet with the analysis. | No service accounts without a valid ticket and expiration. | NA | Change Management Procedure; Hardening Standards; Account Management Procedures |
| Standard Server Build - Linux | Verify Linux servers have been built as per our standards. | Input: random selection of 10% of all Linux systems deployed since the last audit, on a spreadsheet where column A holds the hostname; dump of the output generated by the script included in this control when run against that list; system inventory. Analysis: none (the script does the analysis); check that the system is part of the inventory. Output: script output in CSV format. | All systems built since the last audit comply with our build standards. | NA | Change Management Procedure; Hardening Standards; System inventory |
| Standard Server Build - Windows | Verify Windows servers have been built as per our standards. | Input: random selection of 10% of all Windows systems deployed since the last audit, on a spreadsheet where column A holds the hostname; dump of the output generated by the script included in this control when run against that list; system inventory. Analysis: none (the script does the analysis); check that the system is part of the inventory. Output: script output in CSV format. | All systems built since the last audit comply with our build standards. | NA | Change Management Procedure; Hardening Standards; System inventory |
| System Patching | Critical systems are patched in accordance with our policies. | Input: WSUS patching report; patching policies. Analysis: all critical systems are patched according to our policies and standards. Output: spreadsheet with the analysis. | All critical patches have been applied in time. | NA | Vulnerability and Incident Management; Hardening Standards |
| VPN Access | VPN access is available to all our employees. | Input: VPN server configurations; list of VPN connections from our central log collector since the last audit; list of employees who left the organisation since the last audit. Analysis: VPN server configurations enforce that only valid AD accounts can log in; comparison between the VPN logs and the list of leavers shows no ex-employee ever connected to the VPN. Output: spreadsheet with the analysis. | Only employees can (and have) VPN to the organisation. | NA | Hardening Standards; Logging & Monitoring Standards |
| WPA2 Secured Wifi Networks | Ensure wifi networks comply with our standards. | Input: list of APs from the system inventory (column A hostname); one txt file per AP with all its configuration settings; hardening guide for wifi systems. Analysis: review each AP config to ensure the standards are met (authentication, encryption, etc.). Output: spreadsheet with the analysis, with a check mark in column B if the device is correctly configured. | All APs are aligned to the defined standards. | NA | Hardening Standards; System inventory |
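Several of the controls above (AD Group Reviews, Change Mgt Reviews, DMZ Firewall Reviews, Policy Password Configuration, Service Accounts Reviews) share the same analysis step: every logged change must map to a ticket in the queue, and any line that does not gets a check mark. As an added example that is not part of the original control set, the script below runs that reconciliation over a constructed log export and a constructed ticket list; the log CSV columns and the CHG-nnnn ticket reference embedded in the change text are assumptions, since the page does not specify the collector's log format.

```python
import csv
import io
import re
from datetime import date

# Constructed sample input, not from the page. Tickets follow the page's layout (column A
# ticket number, column B date); the log columns and the CHG-nnnn reference are assumptions.
TICKETS_CSV = """ticket,date
CHG-1041,2024-03-01
CHG-1042,2024-03-03
CHG-1050,2024-03-10
"""
LOGS_CSV = """timestamp,host,change
2024-03-02 09:14:00,fw01,Rule added tcp/443 to dmz-web per CHG-1041
2024-03-05 16:40:00,fw02,Rule removed tcp/3306 any-any
2024-03-09 08:00:00,fw01,Rule modified tcp/8080 per CHG-1050
2024-03-11 13:25:00,fw02,Rule added udp/161 per CHG-9999
"""
TICKET_RE = re.compile(r"\bCHG-\d+\b")


def load_tickets(text):
    """Map ticket number -> date raised, from the column A / column B export."""
    return {r["ticket"]: date.fromisoformat(r["date"]) for r in csv.DictReader(io.StringIO(text))}


def reconcile(logs_text, tickets):
    """Apply the analysis step: check-mark (flag 'x') each log line without a valid ticket.
    A line fails if it references no ticket, the ticket is not in the queue, or the change
    was applied before the ticket was raised. The rows returned are the output spreadsheet."""
    rows = []
    for r in csv.DictReader(io.StringIO(logs_text)):
        changed_on = date.fromisoformat(r["timestamp"][:10])
        m = TICKET_RE.search(r["change"])
        ticket = m.group(0) if m else ""
        if not ticket:
            reason = "no ticket referenced"
        elif ticket not in tickets:
            reason = "ticket not in queue"
        elif tickets[ticket] > changed_on:
            reason = "change predates ticket"
        else:
            reason = ""
        rows.append({"timestamp": r["timestamp"], "host": r["host"], "ticket": ticket,
                     "flag": "x" if reason else "", "reason": reason})
    return rows
```

Write the returned rows out with `csv.DictWriter` to produce the spreadsheet the control asks for; the `reason` column records why each check-marked line failed so the reviewer can confirm it against the ticket queue.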