Internal Controls
Internal Controls explain the activities we perform at our organisation to deal with Risks and Compliance Requirements. We document what they do, how we test them and what Policies, Standards and Procedures govern them.
Each control is recorded with the following fields: Title, Objective, Audit Methodology, Audit Success Criteria, Maintenance Task and Policies.

Change Mgt Reviews
Objective: Review that changes on Linux systems have a corresponding ticket.
Audit Methodology:
Input:
- List of systems in scope; column A holds the hostname of the system
- Logs for all systems in scope from the central log collector
- List of tickets for the Linux queue; column A ticket number; column B date
Analysis:
- For each log entry, ensure there is a ticket; if there is no ticket, check-mark the log line
- For each log entry with a ticket, review the ticket and ensure it follows our change procedures
Output:
- Two spreadsheets; one with the logs and the other with the tickets
Audit Success Criteria: All system changes have a ticket and all tickets have followed our procedures.
Maintenance Task: NA
Policies: Change Management Procedure; System inventory; Hardening Standards; Logging & Monitoring Standards

CMDB Reviews
Objective: The organisation keeps track of the individual assets assigned to people in a CMDB (a spreadsheet); it is updated by the Service Desk as they distribute the assets and manage their assignment. This control reviews that the assignment has been recorded correctly.
Audit Methodology:
Evidence:
- List of CMDB changes since the last audit
- List of Service Desk tickets related to CMDB changes
Analysis:
- Validate that each CMDB change has a valid Service Desk ticket number
- Validate that each Service Desk ticket followed the process, in particular approvals and incident reports
- Visit the stock room and validate that the items that show on the CMDB as pending assignment are physically present
Output:
- Spreadsheet with the analysis
- Screenshots of the Service Desk tickets analysed
Audit Success Criteria: The CMDB is updated and accurate. Service Desk tickets have followed the documented process to the detail.
Maintenance Task: NA
Policies: System inventory; End Point CMDB Management Procedure

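The ticket reconciliation described for the Change Mgt Reviews and CMDB Reviews controls, as an added example; it is not a script from this page or from the organisation's own tooling. The export formats are assumptions: the collector emits one `<ISO timestamp> <hostname> <message>` line per change, the ticket queue exports a `ticket,date,hostname` CSV, and a ticket is taken to cover the changes on its host on its date. The log lines and tickets below are constructed. The script produces the two spreadsheets the control asks for, check-marks log entries that have no ticket, and also counts how many log entries each ticket explains, so a ticket that was approved but never shows up in the logs is visible too (either the change did not happen or the host is not logging).

```python
"""Reconcile exported change log entries against a change-ticket export.

Added example for the Change Mgt Reviews and CMDB Reviews controls; it is not
a script from the original page. Hypothetical formats: the log collector emits
"<ISO timestamp> <hostname> <message>" per change, the ticket queue exports
CSV with columns ticket,date,hostname, and a ticket covers changes made on its
host on its date.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export of change-related log lines (not real data).
SAMPLE_LOGS = """\
2024-03-04T09:12:41 web01 yum: Installed: openssl-3.0.7-27.el9.x86_64
2024-03-04T09:15:03 web01 sudo: alice : COMMAND=/usr/bin/systemctl restart httpd
2024-03-05T22:40:10 db02 yum: Updated: postgresql-15.6-1.el9.x86_64
2024-03-06T08:01:59 app03 sudo: bob : COMMAND=/usr/bin/vi /etc/ssh/sshd_config
"""

# Constructed sample ticket export (column A ticket number, column B date).
SAMPLE_TICKETS = """\
ticket,date,hostname
CHG-1041,2024-03-04,web01
CHG-1042,2024-03-05,db02
CHG-1050,2024-03-07,app03
"""


def parse_logs(text):
    """Split each collector line into its timestamp, host and message."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, message = line.split(" ", 2)
        entries.append({"when": datetime.fromisoformat(stamp),
                        "host": host, "message": message})
    return entries


def parse_tickets(text):
    """Read the ticket CSV and convert the date column to date objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["date"] = date.fromisoformat(row["date"])
    return rows


def reconcile(logs, tickets):
    """Match every log entry to a ticket for the same host on the same day.

    Returns (log_rows, ticket_rows). Each log row carries the matching ticket
    (or "") and a "flag" column holding the check mark "X" when no ticket
    exists. Each ticket row carries how many log entries it explains, so
    tickets with zero entries (approved but never observed) stand out too.
    """
    by_key = {}
    for t in tickets:
        by_key.setdefault((t["hostname"], t["date"]), []).append(t["ticket"])
    explained = {t["ticket"]: 0 for t in tickets}

    log_rows = []
    for e in logs:
        candidates = by_key.get((e["host"], e["when"].date()), [])
        ticket = candidates[0] if candidates else ""  # first ticket of the day wins
        if ticket:
            explained[ticket] += 1
        log_rows.append({"when": e["when"].isoformat(), "host": e["host"],
                         "message": e["message"], "ticket": ticket,
                         "flag": "" if ticket else "X"})

    ticket_rows = [dict(t, date=t["date"].isoformat(),
                        log_entries=explained[t["ticket"]]) for t in tickets]
    return log_rows, ticket_rows


def unticketed(log_rows):
    """The check-marked rows: changes with no ticket."""
    return [r for r in log_rows if r["flag"] == "X"]


def to_csv(rows):
    """Render rows as CSV text, one spreadsheet per call."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    logs_out, tickets_out = reconcile(parse_logs(SAMPLE_LOGS),
                                      parse_tickets(SAMPLE_TICKETS))
    print(to_csv(logs_out))
    print(to_csv(tickets_out))
```

Real tickets usually carry a change window rather than a single date; when the export includes planned start and end times, widen the match from (host, date) to (host, window) so a change that ran a minute after midnight is not flagged by mistake.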
Corporate Application Inventory
Objective: Through quarterly interviews with all teams in the organisation we aim to keep an up-to-date database of the applications that serve the business and of the key teams responsible for their maintenance.
Audit Methodology:
Evidence:
- All interview records since the last audit
- Inventory database
Analysis:
- Compare the updates on the inventory database against the interview conclusions
Output:
- Inventory records
- Spreadsheet with the changes on the inventory database
Audit Success Criteria:
- All areas of the organisation have been interviewed
- All changes reported have been reflected on the inventory
Maintenance Task: (not recorded)
Policies: System inventory

End-Point Reviews
Objective: Ensure that the end-point hardening and device allocation processes are followed and enforced on all our end-point devices (laptops and mobile phones in particular).
Audit Methodology:
Evidence:
- List of employees who joined and left the organisation since the last audit
- Asset inventory list
Analysis:
- Meet the new employees together with the Service Desk and validate that their assigned devices correspond to those documented on the inventory; review whether the devices meet the hardening standards
- Review the inventory and ensure there are receipts for the hardware returned by the employees who have left the organisation
Output:
- List of employees with a checkbox indicating whether the tests passed
- PDF copies of the receipts
Audit Success Criteria: All hardware must be allocated or returned with receipts that prove the exchange. All devices must follow the hardening guides to the detail.
Maintenance Task: NA
Policies: Hardening Standards; HR Security Policy; System inventory

Endpoint Hardware Inventory
Objective: Control that end-point systems (laptops and desktops) are built according to our organisational standards.
Audit Methodology:
Input:
- Random selection of at least 10% of all end-point systems
- Official build guide for end-point systems
- System inventory
Analysis:
- Validate that the system disk is encrypted and that the system is joined to the AD domain
- Validate that the system is part of the inventory
Output:
- Spreadsheet with the systems reviewed and the result (correct / not correct)
Audit Success Criteria: All systems must be aligned with our build standards.
Maintenance Task: NA
Policies: Hardening Standards; System inventory

Log Reviews
Objective: Ensure the logging systems are capturing logs from the systems in scope.
Audit Methodology:
Input:
- Spreadsheet with the list of systems in scope
- Logging Standards Policy
Analysis:
- For each system in scope, review that logs are being received without interruptions
- Review that the rules defined in our policy are configured and enabled
Output:
- Spreadsheet with the analysis
Audit Success Criteria: All systems are logging as expected and all rules are configured and enabled.
Maintenance Task: NA
Policies: Hardening Standards; Logging & Monitoring Standards; System inventory

Log Reviews
Objective: Ensure the logging systems are capturing logs from the systems in scope and that the logging server has protection against log tampering enabled.
Audit Methodology:
Evidence:
- List of documented risks
- Logging Standards Policy
- SIEM settings
Analysis:
- For each documented risk, identify the logs required to trigger an alert when the risk scenario is met
- Ensure an alarm is raised to GRC
- Ensure the logs that triggered the alarm are sufficient
- Ensure the SIEM settings for log tampering protection are enabled; this ensures logs cannot be deleted, even by an administrator using the user interface
Output:
- Spreadsheet with the analysis
Audit Success Criteria: All documented risks are monitored and alarms trigger when their conditions are met.
Maintenance Task: NA
Policies: Logging & Monitoring Standards; Security Governance Policy; System inventory

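One way to automate the reception-continuity check from the first Log Reviews control and the risk-coverage and tamper-protection checks from the second, as an added example that is not taken from this page or from the organisation's SIEM. Every format here is an assumption: the collector exports one `<ISO timestamp> <hostname>` line per received event, the Logging & Monitoring Standards tolerate at most `MAX_GAP` between events from an in-scope system, SIEM rules export as JSON objects with `risk`, `enabled` and `notify` fields, and the tamper-protection options are named `immutable_storage` and `ui_admin_can_delete`. The inventory extract, arrival lines, rules and risk identifiers are constructed samples. A host that sent nothing at all is reported as one gap covering the whole audit window rather than silently dropped, which is the case the "without interruptions" wording most often misses.

```python
"""Log reception continuity, risk-to-alert coverage and tamper-protection checks.

Added example for the two Log Reviews controls; not from the original page.
Hypothetical formats: the collector exports one "<ISO timestamp> <hostname>"
line per received event, the standard tolerates at most MAX_GAP between
events from an in-scope system, SIEM rules export as JSON objects with
"risk", "enabled" and "notify" fields, and tamper protection is exposed as
the settings immutable_storage and ui_admin_can_delete.
"""
import json
from datetime import datetime, timedelta

MAX_GAP = timedelta(minutes=30)              # assumed; take the value from the standard
IN_SCOPE = ["web01", "db02", "app03"]        # constructed extract of the system inventory
DOCUMENTED_RISKS = ["R-01", "R-02", "R-03"]  # constructed risk register identifiers
AUDIT_WINDOW = (datetime(2024, 3, 6, 0, 0), datetime(2024, 3, 6, 1, 0))  # constructed period

# Constructed event-arrival export (not real data).
SAMPLE_ARRIVALS = """\
2024-03-06T00:00:00 web01
2024-03-06T00:20:00 web01
2024-03-06T00:45:00 web01
2024-03-06T00:05:00 db02
2024-03-06T00:55:00 db02
"""

# Constructed SIEM rule export (not real data).
SAMPLE_RULES = json.dumps([
    {"name": "ssh brute force", "risk": "R-01", "enabled": True, "notify": ["grc", "soc"]},
    {"name": "privileged group change", "risk": "R-02", "enabled": False, "notify": ["grc"]},
    {"name": "outbound to known bad IP", "risk": "R-04", "enabled": True, "notify": ["soc"]},
])


def reception_gaps(text, in_scope, window_start, window_end, max_gap):
    """Return {host: [(gap_start, gap_end), ...]} for gaps longer than max_gap.

    The audit window edges count as boundaries, so a host that sent nothing
    is reported as one gap spanning the whole window rather than omitted.
    """
    seen = {host: [] for host in in_scope}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host = line.split()
        when = datetime.fromisoformat(stamp)
        if host in seen and window_start <= when <= window_end:
            seen[host].append(when)
    gaps = {}
    for host, stamps in seen.items():
        points = [window_start] + sorted(stamps) + [window_end]
        gaps[host] = [(a, b) for a, b in zip(points, points[1:]) if b - a > max_gap]
    return gaps


def sample_gaps():
    """Run reception_gaps over the constructed sample with the constructed window."""
    start, end = AUDIT_WINDOW
    return reception_gaps(SAMPLE_ARRIVALS, IN_SCOPE, start, end, MAX_GAP)


def risk_coverage(rules_json, risks, grc_channel="grc"):
    """Map each documented risk to 'ok', 'no rule', 'rule disabled' or 'no GRC notification'."""
    rules = json.loads(rules_json)
    status = {}
    for risk in risks:
        matching = [r for r in rules if r.get("risk") == risk]
        enabled = [r for r in matching if r.get("enabled")]
        if not matching:
            status[risk] = "no rule"
        elif not enabled:
            status[risk] = "rule disabled"
        elif not any(grc_channel in r.get("notify", []) for r in enabled):
            status[risk] = "no GRC notification"
        else:
            status[risk] = "ok"
    return status


def tamper_protection_ok(settings):
    """True only when storage is immutable and the UI cannot delete logs, even for admins."""
    return bool(settings.get("immutable_storage")) and not settings.get("ui_admin_can_delete", True)


if __name__ == "__main__":
    for host, gaps in sample_gaps().items():
        print(host, "OK" if not gaps else ["%s -> %s" % (a.time(), b.time()) for a, b in gaps])
    print(risk_coverage(SAMPLE_RULES, DOCUMENTED_RISKS))
    print("tamper protection:", tamper_protection_ok({"immutable_storage": True, "ui_admin_can_delete": False}))
```

The coverage check deliberately treats a rule that exists but is disabled, and a rule that fires only to a channel GRC does not watch, as separate findings, because the two are fixed by different people.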
Software Deployment Reviews
Objective: On every software release, functional and security test cases must be defined and evidence of their execution must be stored. Every release requires a change management ticket, which must include all this information and records. This control ensures the process is followed in detail.
Audit Methodology:
Evidence:
- Inventory of assets
- Tickets in the Service Desk corresponding to software deployments
- Screenshots of the version of the application under review
Analysis:
- Review that the deployments of the software have followed the procedures, in particular approvals and evidence that testing has been completed
Output:
- Spreadsheet with the analysis
Audit Success Criteria: All tested deployments have followed the stated procedure.
Maintenance Task: NA
Policies: SDLC Procedures; System inventory

Standard Server Build - Linux
Objective: Verify that Linux servers have been built as per our standards.
Audit Methodology:
Input:
- Random selection of 10% of all the Linux systems deployed since the last audit, on a spreadsheet where column A holds the hostname of the system
- Dump of the output that the script included in this control generates when executed against that list
- System inventory
Analysis:
- The script performs the build-standard analysis; no manual analysis is needed
- Validate that each system is part of the inventory
Output:
- Script output in CSV format
Audit Success Criteria: All systems built since the last audit comply with our build standards.
Maintenance Task: NA
Policies: Change Management Procedure; Hardening Standards; System inventory

Standard Server Build - Windows
Objective: Verify that Windows servers have been built as per our standards.
Audit Methodology:
Input:
- Random selection of 10% of all the Windows systems deployed since the last audit, on a spreadsheet where column A holds the hostname of the system
- Dump of the output that the script included in this control generates when executed against that list
- System inventory
Analysis:
- The script performs the build-standard analysis; no manual analysis is needed
- Validate that each system is part of the inventory
Output:
- Script output in CSV format
Audit Success Criteria: All systems built since the last audit comply with our build standards.
Maintenance Task: NA
Policies: Hardening Standards; System inventory; Change Management Procedure

WPA2 Secured Wifi Networks
Objective: Ensure Wi-Fi networks comply with our standards.
Audit Methodology:
Input:
- List of APs from the system inventory; column A hostname
- One text file per AP with all its configuration settings
- Hardening guide for Wi-Fi systems
Analysis:
- Review each AP configuration to ensure the standards are met (authentication, encryption, etc.)
Output:
- Spreadsheet with the analysis; check mark on column B if the device is correctly configured
Audit Success Criteria: All APs are aligned to the standards defined.
Maintenance Task: NA
Policies: Hardening Standards; System inventory
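The per-AP configuration review from the WPA2 Secured Wifi Networks control, as an added example that is not from this page or from any vendor's tooling. The export format and the settings it checks are assumptions: each AP is assumed to export a key=value-per-line text file with the keys `auth`, `cipher`, `wps`, `pmf` and `psk`, and the hardening guide is assumed to require WPA2 or WPA3 authentication, CCMP (AES) as the only cipher, WPS disabled, management frame protection required and, for PSK networks, a passphrase of at least 20 characters. The three AP exports are constructed; the script produces the spreadsheet rows with the column B check mark and lists every deviation, so a mixed `tkip ccmp` cipher set is reported rather than passing because CCMP appears somewhere in it.

```python
"""Check exported access-point configurations against a Wi-Fi hardening guide.

Added example for the WPA2 Secured Wifi Networks control; not from the
original page. Hypothetical format: each AP exports a key=value-per-line
text file with the keys auth, cipher, wps, pmf and psk. The guide is assumed
to require WPA2 or WPA3 authentication, CCMP (AES) as the only cipher, WPS
disabled, management frame protection required and, for PSK networks, a
passphrase of at least 20 characters. Key names and values are made up; map
them to the vendor's export.
"""

# Constructed AP exports keyed by inventory hostname (not real configs).
AP_CONFIGS = {
    "ap-floor1": "ssid=corp\nauth=wpa2-enterprise\ncipher=ccmp\nwps=disabled\npmf=required\n",
    "ap-floor2": "ssid=corp\nauth=wpa2-psk\npsk=Summer2024\ncipher=tkip ccmp\nwps=enabled\npmf=optional\n",
    "ap-lobby": "ssid=guest\nauth=open\ncipher=none\nwps=disabled\n",
}

# Allowed values per setting; every space-separated token must be allowed.
REQUIRED = {
    "auth": {"wpa2-enterprise", "wpa2-psk", "wpa3-enterprise", "wpa3-sae"},
    "cipher": {"ccmp"},
    "wps": {"disabled"},
    "pmf": {"required"},
}
MIN_PSK_LENGTH = 20  # assumed minimum from the hardening guide


def parse_config(text):
    """Parse key=value lines into a dict, ignoring blanks and # comments."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip().lower()] = value.strip().lower()
    return config


def findings(config):
    """List every deviation from REQUIRED, in the order the guide lists the settings."""
    out = []
    for key, allowed in REQUIRED.items():
        value = config.get(key)
        if value is None:
            out.append(f"{key}: not set")
            continue
        bad = [token for token in value.split() if token not in allowed]
        if bad:
            out.append(f"{key}: {' '.join(bad)} not allowed")
    if config.get("auth") == "wpa2-psk" and len(config.get("psk", "")) < MIN_PSK_LENGTH:
        out.append(f"psk: shorter than {MIN_PSK_LENGTH} characters")
    return out


def review(ap_configs):
    """One spreadsheet row per AP: hostname, check mark for column B, and the findings."""
    rows = []
    for hostname, text in ap_configs.items():
        problems = findings(parse_config(text))
        rows.append({"hostname": hostname, "compliant": not problems,
                     "findings": "; ".join(problems)})
    return rows


if __name__ == "__main__":
    for row in review(AP_CONFIGS):
        print(row["hostname"], "X" if row["compliant"] else "", row["findings"])
```

A missing setting is reported as a finding of its own ("pmf: not set") rather than treated as compliant, because an exporter that omits a key usually means the feature is off or unsupported, and either way the guide's requirement is not evidenced.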