Internal Controls

Internal Controls explain the activities we perform at our organisation to deal with Risks and Compliance Requirements. We document what they do, how we test them and what Policies, Standards and Procedures govern them.

Current Internal Controls: 59 | New Internal Controls: 0 | Updated Internal Controls: 0

Each control is recorded with the following fields: Title, Objective, Audit Methodology, Audit Success Criteria, Maintenance Task, Policies.
Title: Change Mgt Reviews
Objective: Review that changes on Linux systems have a corresponding ticket.
Audit Methodology:
Input:
- List of systems in scope; column A the hostname of the system
- Logs for all systems from the central log collector
- List of tickets for the Linux queue; column A ticket number; column B date

Analysis:
- For each log entry, ensure there is a ticket; if there is no ticket, check-mark the log line
- For each log entry with a ticket, review the ticket and ensure it follows our change procedures

Output:
- Two spreadsheets: one with the logs and the other with the tickets
Audit Success Criteria: All system changes have a ticket and all tickets have followed our procedures.
Maintenance Task: NA
Policies: Change Management Procedure; System inventory; Hardening Standards; Logging & Monitoring Standards
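The log-to-ticket correlation step of this control, written out as an added example (it is not a script from the organisation's control library). It assumes syslog-style lines from the collector with sudo COMMAND= entries, treats a constructed list of package-manager, service and account binaries as "changes", and assumes the ticket export carries a hostname column in addition to the ticket number and date the control describes; the seven-day matching window is also an assumption. All inputs are constructed sample data.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample inputs standing in for the three inputs the control lists.
SYSTEMS_IN_SCOPE = ["web01", "db01", "bastion"]

# Ticket export; the "hostname" column is an assumption on top of the two
# columns (ticket number, date) the control describes.
TICKETS_CSV = """ticket,date,hostname
CHG-1041,2024-03-04,web01
CHG-1042,2024-03-01,db01
CHG-1050,2024-03-06,bastion
"""

# Constructed syslog-style lines as forwarded by a central collector.
LOG_LINES = """\
2024-03-04T10:15:02Z web01 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt-get install -y nginx
2024-03-04T10:16:40Z web01 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2024-03-05T02:30:11Z db01 sudo: ops : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd -m contractor
2024-03-05T09:00:00Z db01 sshd[2210]: Accepted publickey for ops from 10.0.0.5 port 50022 ssh2
2024-03-20T22:05:19Z bastion sudo: admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/yum install -y tcpdump
2024-03-07T11:00:00Z legacy01 sudo: admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt-get upgrade -y
"""

# Binaries whose privileged execution we treat as a "change" (illustrative list).
CHANGE_BINARIES = {"apt", "apt-get", "dpkg", "yum", "dnf", "rpm", "systemctl",
                   "useradd", "usermod", "userdel", "visudo"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
CMD_RE = re.compile(r"COMMAND=(?P<cmd>\S+)")


@dataclass
class ChangeEvent:
    when: datetime
    host: str
    line: str


@dataclass
class Ticket:
    number: str
    opened: date
    hostname: str


def parse_change_events(log_text, systems_in_scope):
    """Keep only privileged change commands on in-scope hosts."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["host"] not in systems_in_scope:
            continue
        c = CMD_RE.search(m["msg"])
        if not c or c["cmd"].rsplit("/", 1)[-1] not in CHANGE_BINARIES:
            continue
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ChangeEvent(when, m["host"], line))
    return events


def load_tickets(csv_text):
    return [Ticket(r["ticket"], date.fromisoformat(r["date"]), r["hostname"])
            for r in csv.DictReader(io.StringIO(csv_text))]


def match_tickets(events, tickets, window_days=7):
    """Build the two spreadsheets the control asks for.

    A change is covered when a ticket for the same host was opened on the day of
    the change or up to window_days before it (the window is an assumption).
    Changes with no such ticket get the check mark the control describes.
    """
    log_rows, used = [], set()
    for ev in events:
        day = ev.when.date()
        candidates = [t for t in tickets
                      if t.hostname == ev.host and 0 <= (day - t.opened).days <= window_days]
        ticket = max(candidates, key=lambda t: t.opened) if candidates else None
        if ticket:
            used.add(ticket.number)
        log_rows.append({"timestamp": ev.when.isoformat(), "host": ev.host,
                         "ticket": ticket.number if ticket else "",
                         "no_ticket": "" if ticket else "X", "log_line": ev.line})
    # Second sheet: every ticket, with a column left for the manual procedure review.
    ticket_rows = [{"ticket": t.number, "date": t.opened.isoformat(), "host": t.hostname,
                    "matched_change": "yes" if t.number in used else "no",
                    "procedure_followed": ""} for t in tickets]
    return log_rows, ticket_rows


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    evs = parse_change_events(LOG_LINES, SYSTEMS_IN_SCOPE)
    logs, tix = match_tickets(evs, load_tickets(TICKETS_CSV))
    print(to_csv(logs))
    print(to_csv(tix))
```

With the sample data the bastion yum install on 2024-03-20 is flagged: its only ticket was opened two weeks earlier, outside the window, which is exactly the kind of stale-ticket change the manual review should then look at. The second sheet keeps tickets that never produced an observed change ("matched_change" = no); those are worth a second look too, since a ticket with no change may mean the change went to a host that is not forwarding logs.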
Title: CMDB Reviews
Objective: The organisation keeps track of individual assets assigned in a CMDB (a spreadsheet), which is updated by the Service Desk as they distribute and manage the assignment of those assets. This control reviews that the assignment has been done correctly.
Audit Methodology:
Evidence:
- List of CMDB changes since the last audit
- List of Service Desk tickets related to CMDB changes

Analysis:
- Validate that each CMDB change has a valid Service Desk ticket number
- Validate that the Service Desk ticket followed the process, in particular approvals and incident reports
- Visit the stock room and validate that items shown on the CMDB as pending assignment are physically present

Output:
- Spreadsheet with the analysis
- Screenshots of the Service Desk tickets analysed
Audit Success Criteria: The CMDB is updated and accurate. Service Desk tickets have followed the documented process in detail.
Maintenance Task: NA
Policies: System inventory; End Point CMDB Management Procedure
Title: Corporate Application Inventory
Objective: Through quarterly interviews with all teams in the organisation we aim to keep an up-to-date database of the applications that serve the business and of the key teams responsible for their maintenance.
Audit Methodology:
Evidence:
- All interview records since the last audit
- Inventory database

Analysis:
- Compare updates on the inventory database against the interview conclusions

Output:
- Inventory records
- Spreadsheet with changes on the inventory database
Audit Success Criteria:
- All areas of the organisation have been interviewed
- All changes reported have been reflected in the inventory
Policies: System inventory
Title: End-Point Reviews
Objective: Ensure that end-point hardening and device allocation processes are followed and enforced on all our end-point devices (laptops and mobile phones in particular).
Audit Methodology:
Evidence:
- List of employees that joined and left the organisation since the last audit
- Asset inventory list

Analysis:
- Meet the new employees together with the Service Desk and validate that their assigned devices correspond to those documented in the inventory. Review whether the devices meet the hardening standards.
- Review the inventory and ensure there are receipts for the hardware returned by the employees that have left the organisation

Output:
- List of employees with a checkbox indicating whether the tests passed or not
- PDF copies of the receipts
Audit Success Criteria: All hardware must be allocated or returned with receipts that prove the exchange. All devices must follow the hardening guides in detail.
Maintenance Task: NA
Policies: Hardening Standards; HR Security Policy; System inventory
Title: Endpoint Hardware Inventory
Objective: Control that end-point systems (laptops and desktops) are built according to our organisational standards.
Audit Methodology:
Input:
- Random selection of at least 10% of all end-point systems
- Official build guide for end-point systems
- System inventory

Analysis:
- Validate that the system is encrypted and joined to the AD domain
- Validate that the system is part of the inventory

Output:
- Spreadsheet with the systems reviewed and the result (correct / not correct)
Audit Success Criteria: All systems must be aligned with our build standards.
Maintenance Task: NA
Policies: Hardening Standards; System inventory
Title: Log Reviews
Objective: Ensure logging systems are capturing logs from the systems in scope.
Audit Methodology:
Input:
- Spreadsheet with the list of systems in scope
- Logging Standards Policy

Analysis:
- For each system in scope, review that logs are being received without interruptions
- Review that the rules defined in our policy are configured and enabled

Output:
- Spreadsheet with the analysis
Audit Success Criteria: All systems are logging as expected and all rules are configured and enabled.
Maintenance Task: NA
Policies: Hardening Standards; Logging & Monitoring Standards; System inventory
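The "received without interruptions" check of this control as an added example, not a script from the organisation. It takes the scope list and a constructed slice of what the central collector received during an audit window, and reports, per in-scope system, every silence longer than a tolerance. The 15-minute tolerance and the two-hour window are assumptions (the real values come from the Logging Standards Policy); the log lines are constructed. Silence is measured from the start of the window and up to its end, so a host that stops forwarding part-way through is caught as well as one that never logged at all.

```python
import re
from datetime import datetime, timedelta

# Constructed inputs: the scope spreadsheet, the audit window and the gap
# tolerance (the 15-minute tolerance is an assumption, not the policy's value).
SYSTEMS_IN_SCOPE = ["web01", "db01", "bastion"]
AUDIT_START = datetime(2024, 3, 4, 0, 0)
AUDIT_END = datetime(2024, 3, 4, 2, 0)
MAX_GAP = timedelta(minutes=15)

# Constructed lines as received by the central collector during the window.
COLLECTOR_LOG = """\
2024-03-04T00:00:00Z web01 CRON[410]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-04T00:10:00Z web01 sshd[2210]: Accepted publickey for ops from 10.0.0.5 port 50022 ssh2
2024-03-04T00:20:00Z web01 systemd[1]: Started Daily apt download activities.
2024-03-04T01:05:00Z web01 sshd[2390]: Disconnected from user ops 10.0.0.5 port 50022
2024-03-04T01:15:00Z web01 CRON[455]: (root) CMD (test -x /usr/sbin/anacron)
2024-03-04T01:25:00Z web01 systemd[1]: Starting Cleanup of Temporary Directories...
2024-03-04T01:35:00Z web01 sudo: ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/journalctl -u nginx
2024-03-04T01:45:00Z web01 CRON[480]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-04T01:55:00Z web01 sshd[2501]: Accepted publickey for ops from 10.0.0.5 port 50101 ssh2
2024-03-04T00:02:00Z db01 CRON[900]: (postgres) CMD (/usr/local/bin/backup.sh)
2024-03-04T00:12:00Z db01 postgres[1203]: checkpoint complete
2024-03-04T00:22:00Z db01 sshd[1300]: Accepted publickey for dba from 10.0.0.9 port 40022 ssh2
2024-03-04T00:32:00Z db01 postgres[1203]: checkpoint complete
2024-03-04T00:40:00Z db01 rsyslogd: [origin software="rsyslogd"] exiting on signal 15.
2024-03-04T00:30:00Z legacy01 CRON[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) ")


def events_by_host(log_text):
    """Map hostname -> sorted list of event timestamps."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        seen.setdefault(m["host"], []).append(ts)
    return {h: sorted(ts) for h, ts in seen.items()}


def check_log_continuity(log_text, systems_in_scope, start, end, max_gap):
    """One row per in-scope system: event count and every silence longer than max_gap.

    Silence is measured from the start of the window, between consecutive events,
    and from the last event to the end of the window. Returns the rows plus the
    hosts the collector saw that are not in scope (candidates for the inventory review).
    """
    per_host = events_by_host(log_text)
    rows = {}
    for host in systems_in_scope:
        stamps = per_host.get(host, [])
        if not stamps:
            rows[host] = {"status": "no logs", "events": 0, "gaps": []}
            continue
        gaps = []
        bounds = [start] + stamps + [end]
        for prev, nxt in zip(bounds, bounds[1:]):
            if nxt - prev > max_gap:
                gaps.append((prev.isoformat(), nxt.isoformat(),
                             int((nxt - prev).total_seconds() // 60)))
        rows[host] = {"status": "gaps" if gaps else "ok", "events": len(stamps), "gaps": gaps}
    unexpected = sorted(set(per_host) - set(systems_in_scope))
    return rows, unexpected


def all_systems_logging(rows):
    """The control's success criterion for the logging half: every in-scope host is 'ok'."""
    return all(r["status"] == "ok" for r in rows.values())


if __name__ == "__main__":
    rows, unexpected = check_log_continuity(COLLECTOR_LOG, SYSTEMS_IN_SCOPE,
                                            AUDIT_START, AUDIT_END, MAX_GAP)
    for host, row in rows.items():
        print(host, row["status"], row["events"], row["gaps"])
    print("not in scope but seen:", unexpected)
```

On the sample data web01 shows a 45-minute hole, db01 goes quiet after rsyslogd exits at 00:40 and stays quiet to the end of the window, and bastion never appears, so the criterion "all systems are logging as expected" is not met. The trailing-silence case is the one most easily missed when an auditor only eyeballs the first and last timestamps of a host.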
Title: Log Reviews
Objective: Ensure logging systems are capturing logs from the systems in scope and that the logging server has protection against log tampering enabled.
Audit Methodology:
Evidence:
- List of documented risks
- Logging Standards Policy
- SIEM settings

Analysis:
- For each documented risk, identify the logs required to trigger an alert when the risk scenario is met
- Ensure an alarm is raised to GRC
- Ensure the logs that triggered the alarm are sufficient
- Ensure the SIEM settings for log tampering protection are enabled, so that logs cannot be deleted even by an administrator using the user interface

Output:
- Spreadsheet with the analysis
Audit Success Criteria: All documented risks are monitored and alarms trigger when their conditions are met.
Maintenance Task: NA
Policies: Logging & Monitoring Standards; Security Governance Policy; System inventory
Title: Software Deployment Reviews
Objective: On every software release, functional and security test cases must be defined and evidence of their execution must be stored. Every release requires a change management ticket, which must include all of this information and the records. This control ensures this process is followed in detail.
Audit Methodology:
Evidence:
- Inventory of assets
- Tickets in Service Desk corresponding to software deployments
- Screenshots of the version of the application under review

Analysis:
- Review that the deployments of the software have followed the procedures, in particular approvals and evidence that testing has been completed

Output:
- Spreadsheet with the analysis
Audit Success Criteria: All tested deployments have followed the stated procedure.
Maintenance Task: NA
Policies: SDLC Procedures; System inventory
Title: Standard Server Build - Linux
Objective: Verify Linux servers have been built as per our standards.
Audit Methodology:
Input:
- Random selection of 10% of all the Linux systems deployed since the last audit, on a spreadsheet where column A includes the hostname of the system
- Dump of the output that the script included in this control generates when executed against that list
- System inventory

Analysis:
- None (the script does the analysis)
- Validate that the system is part of the inventory

Output:
- Script output in CSV format
Audit Success Criteria: All systems built since the last audit comply with our build standards.
Maintenance Task: NA
Policies: Change Management Procedure; Hardening Standards; System inventory
Title: Standard Server Build - Windows
Objective: Verify Windows servers have been built as per our standards.
Audit Methodology:
Input:
- Random selection of 10% of all the Windows systems deployed since the last audit, on a spreadsheet where column A includes the hostname of the system
- Dump of the output that the script included in this control generates when executed against that list
- System inventory

Analysis:
- None (the script does the analysis)
- Validate that the system is part of the inventory

Output:
- Script output in CSV format
Audit Success Criteria: All systems built since the last audit comply with our build standards.
Maintenance Task: NA
Policies: Hardening Standards; System inventory; Change Management Procedure
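The sampling and evidence-evaluation steps shared by the Endpoint Hardware Inventory, Standard Server Build - Linux and Standard Server Build - Windows controls, as an added example (not the build-check script the controls refer to, which the page does not reproduce). It draws the 10% sample reproducibly from an audit identifier, then reads a constructed dump in the shape of the script's CSV output and marks each sampled host correct only if it is in the inventory and every expected check passed. The check names, the CSV layout, the host names and the inventory are all constructed for the example; the real checks come from the Hardening Standards.

```python
import csv
import io
import math
import random

# Constructed population: Linux servers deployed since the last audit (column A of the sheet).
DEPLOYED_SINCE_LAST_AUDIT = [f"lnx{n:03d}" for n in range(1, 26)]   # 25 hosts
# Constructed inventory; lnx007 is deliberately missing from it.
SYSTEM_INVENTORY = {h for h in DEPLOYED_SINCE_LAST_AUDIT if h != "lnx007"}

# Constructed dump in the shape of the build-check script's CSV output. The check
# names are illustrative: the real script's checks come from the Hardening Standards.
SCRIPT_OUTPUT_CSV = """hostname,check,result
lnx003,disk_encrypted,pass
lnx003,ssh_root_login_disabled,pass
lnx003,ntp_configured,pass
lnx007,disk_encrypted,pass
lnx007,ssh_root_login_disabled,fail
lnx007,ntp_configured,pass
lnx012,disk_encrypted,pass
lnx012,ssh_root_login_disabled,pass
"""
EXPECTED_CHECKS = {"disk_encrypted", "ssh_root_login_disabled", "ntp_configured"}


def select_sample(population, fraction=0.10, seed="audit-2024Q1"):
    """Pick at least `fraction` of the population (minimum one host).

    Seeding with the audit identifier (an assumed convention) makes the draw
    reproducible, so the auditor can show how the sample was selected rather
    than hand-picking hosts that are known to be in good shape.
    """
    size = max(1, math.ceil(len(population) * fraction))
    return sorted(random.Random(seed).sample(sorted(population), size))


def evaluate_build_output(csv_text, sample, inventory, expected_checks):
    """One row per sampled host: correct only if inventoried and every expected check passed.

    A host missing from the dump, or a dump missing one of the expected checks,
    is "not correct": absence of evidence is not a pass.
    """
    results = {}
    for r in csv.DictReader(io.StringIO(csv_text)):
        results.setdefault(r["hostname"], {})[r["check"]] = r["result"]
    rows = []
    for host in sample:
        checks = results.get(host, {})
        reasons = sorted(c for c in expected_checks if checks.get(c) != "pass")
        if host not in inventory:
            reasons.append("not in inventory")
        rows.append({"hostname": host,
                     "result": "correct" if not reasons else "not correct",
                     "reasons": "; ".join(reasons)})
    return rows


if __name__ == "__main__":
    sample = select_sample(DEPLOYED_SINCE_LAST_AUDIT)
    print("sample:", sample)
    for row in evaluate_build_output(SCRIPT_OUTPUT_CSV, sample, SYSTEM_INVENTORY, EXPECTED_CHECKS):
        print(row)
```

Two details matter for the audit record: the sample is recomputable from the audit identifier, and a host the script never reported on fails rather than silently dropping out of the spreadsheet, which is how a build that was never actually checked would otherwise end up counted as compliant.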
Title: WPA2 Secured Wifi Networks
Objective: Ensure Wifi networks comply with our standards.
Audit Methodology:
Input:
- List of APs from the system inventory; column A hostname
- One txt file per AP with all its configuration settings
- Hardening guide for Wifi systems

Analysis:
- Review each AP config to ensure the standards are met (authentication; encryption; etc.)

Output:
- Spreadsheet with the analysis; check mark on column B if the device is correctly configured
Audit Success Criteria: All APs are aligned to the standards defined.
Maintenance Task: NA
Policies: Hardening Standards; System inventory
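The per-AP configuration review of this control as an added example, not the organisation's own checker or hardening guide. It parses the one-file-per-AP input and produces the hostname / check-mark / findings spreadsheet. The key=value config format is an assumption (real AP exports are vendor-specific and need their own parser), and the baseline it enforces is an illustrative reading of "WPA2 secured": WPA2 or WPA3 authentication only, AES-based ciphers only (TKIP is the WPA1-era cipher and is flagged even when offered alongside CCMP), and WPS disabled. All four AP configs are constructed.

```python
# Constructed per-AP config dumps in a simple key=value form; real AP exports
# differ by vendor and would need their own parser (the format is an assumption).
AP_CONFIGS = {
    "ap-floor1": """\
ssid=corp-wifi
auth=wpa2-enterprise
ciphers=ccmp
wps=disabled
""",
    "ap-floor2": """\
ssid=corp-wifi
auth=wpa-psk
ciphers=tkip
wps=enabled
""",
    "ap-lobby": """\
ssid=guest
auth=wpa2-psk
ciphers=ccmp,tkip
wps=disabled
""",
    "ap-warehouse": """\
ssid=scanners
auth=open
wps=disabled
""",
}

# Illustrative baseline (assumed, not the organisation's hardening guide):
# WPA2/WPA3 authentication only, AES-based ciphers only, WPS off.
ALLOWED_AUTH = {"wpa2-psk", "wpa2-enterprise", "wpa3-sae", "wpa3-enterprise"}
ALLOWED_CIPHERS = {"ccmp", "gcmp"}
REQUIRED_KEYS = ("auth", "ciphers", "wps")


def parse_ap_config(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().lower()
    return settings


def review_ap(text):
    """Return the findings for one AP; an empty list means it meets the baseline.

    A missing setting is a finding in its own right: a config that does not
    state its cipher cannot be shown to be compliant.
    """
    cfg = parse_ap_config(text)
    findings = [f"missing setting: {k}" for k in REQUIRED_KEYS if k not in cfg]
    if "auth" in cfg and cfg["auth"] not in ALLOWED_AUTH:
        findings.append(f"authentication {cfg['auth']} not allowed")
    if "ciphers" in cfg:
        weak = sorted(set(cfg["ciphers"].split(",")) - ALLOWED_CIPHERS)
        if weak:
            findings.append("weak cipher(s): " + ",".join(weak))
    if cfg.get("wps") == "enabled":
        findings.append("WPS enabled")
    return findings


def review_all(configs):
    """The output spreadsheet: hostname in column A, check mark in column B, findings in C."""
    rows = []
    for host, text in sorted(configs.items()):
        findings = review_ap(text)
        rows.append({"hostname": host, "correct": "X" if not findings else "",
                     "findings": "; ".join(findings)})
    return rows


if __name__ == "__main__":
    for row in review_all(AP_CONFIGS):
        print(row)
```

The lobby AP is the instructive case: it advertises WPA2 with CCMP, which is what a quick glance at the SSID settings would show, but still offers TKIP for compatibility, so a client can negotiate the weaker cipher. The check flags mixed-mode configurations as well as outright WPA1 or open networks.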