Internal Controls
Internal Controls explain the activities we perform at our organisation to deal with Risks and Compliance Requirements. We document what they do, how we test them and what Policies, Standards and Procedures govern them.
Current Internal Controls: 60 (0%) | New Internal Controls: 0 (0%) | Updated Internal Controls: 0 (0%)
Title | Objective | Audit Methodology | Audit Success Criteria | Maintenance Task | Policies
---|---|---|---|---|---
Fire and Motion Detectors | Ensure that fire and unauthorized access in branch offices are prevented and controlled. | Input: monthly maintenance report from our supplier. Analysis: make sure the monthly service has been completed; make sure no fire extinguisher has expired. Evidence: screenshot of every fire extinguisher; sensor report reviewed. | All fire detectors and motion detectors are operating and no fire extinguisher has expired. | Our fire sensor supplier must deliver a monthly maintenance report. | Physical Security Standards
Google Apps 2-Factor | | Input: Google Apps account security report. Analysis: ensure all accounts use 2-factor authentication. Output: screenshots. | Every account must use 2-factor authentication. | NA | Account Management Procedures; Hardening Standards
GRC Team, Competences, Roles and Responsibilities | Ensure GRC has a competent team with clearly allocated responsibilities and support from top management. | Evidence: document with GRC Team roles and responsibilities and its review records. Analysis: ensure the document exists, has been reviewed and properly approved. Output: review records and PDF copy of the latest approved document. | The document exists, has been reviewed and is properly approved; the analysis raises no findings. | NA | Security Governance Policy
High Privilege Service Accounts | Ensure that privileged account passwords are kept confidential. | Input: Passman logs from the central log collector; list of tickets for the Passman queue (column A ticket number; column B date). Analysis: for each log entry ensure there is a ticket, flagging the item if there is none; for each ticket ensure the privileged account process has been followed. Output: spreadsheet with the analysis. | All access to privileged accounts has a ticket and all tickets have followed our standard procedures. | NA | Account Management Procedures; Change Management Procedure; Logging & Monitoring Standards
IDS Reviews | Ensure IDS signatures are up to date and trigger notifications. | Input: IDS logs from our central log collector; tickets for the IDS queue. Analysis: review that every log entry indicating a signature update has a matching ticket, flagging the item if not; review all tickets and ensure the right procedure has been followed. Output: spreadsheet with the analysis. | IDS signatures have been updated according to our standards. | NA | Hardening Standards
Incident Management Process Review | Ensure the incident management process for breaches is known to all affected parties and is handled correctly. | Evidence: list of incidents from the Incident Module; Incident Policy and Contact List. Analysis: ensure all incidents have been completed with no stage left incomplete; ensure the contact list holds the right records and up-to-date contacts; ensure that incidents included disciplinary processes where applicable. Output: PDF of the contact list; list of incidents reviewed. | All sampled incidents have followed and completed all stages; the contact list has up-to-date contact information; incidents that led to disciplinary action have this properly recorded. | NA | Vulnerability and Incident Management; GRC Contact List
Key GRC Components Inventory Reviews | Through risk assessments we identify and document key assets, processes and third parties. This control ensures the process is executed and updated recurrently. | Evidence: list of assets missing a review; list of risks (asset, third party and business) missing a review; list of risks. Analysis: count how many assets are missing a review; count how many risks are missing a review; review that risk review-date recurrence is set to at most one year; count how many risks have been created in the last year. Output: spreadsheet with the analysis. | No asset or risk has a pending review; every risk has been reviewed within the last year; at least three new risks have been created since last year. | NA | Security Governance Policy
Log Reviews | Ensure logging systems are capturing logs from the systems in scope and the logging server has protection against log tampering enabled. | Evidence: list of documented risks; Logging Standards Policy; SIEM settings. Analysis: for each documented risk identify the logs required to trigger an alert when the risk scenario occurs; ensure an alarm is sent to GRC; ensure the logs that triggered the alarm are sufficient; ensure the SIEM log-tampering protection settings are enabled, so that logs cannot be deleted even by an administrator using the user interface. Output: spreadsheet with the analysis. | All documented risks are monitored and alarms trigger when their conditions are met. | NA | Logging & Monitoring Standards; Security Governance Policy; System inventory
Log Reviews | Ensure logging systems are capturing logs from the systems in scope. | Input: spreadsheet with the list of systems in scope; Logging Standards Policy. Analysis: for each system in scope review that logs are being received without interruption; review that the rules defined in our policy are configured and enabled. Output: spreadsheet with the analysis. | All systems are logging as expected and all rules are configured and enabled. | NA | Hardening Standards; Logging & Monitoring Standards; System inventory
NDA and Policy Signing Reviews | Verify that employees and contractors have signed the NDA and security policies. | Input: list of new employees since the last audit (login name in column A); copies of the NDA and contracts for these people, provided by HR. Analysis: ensure each employee has a signed NDA and contract. Output: spreadsheet with the analysis. | All employees have agreed to and signed our NDA and contract. | NA | NDA Agreement; HR Security Policy
Network Device Hardening Reviews | Ensure newly built equipment (physical or virtual) meets hardening standards. | Evidence: list of new kit implemented by the Network Teams; Hardening Standards. Analysis: for a sample of kit installed since the last audit, review that the defined standards were applied as required by the original change request that drove the need for that equipment; review kit configurations and compare them against the standards. Output: list of kit installed since the last audit; list of checks completed against each kit, clearly identifying passed vs. failed checks. | All checks must pass. | NA | Hardening Standards
Penetration Testing | Ensure penetration testing is performed against internal and external resources and findings are fixed as defined in our standards. | Evidence: list of systems in scope; vulnerability scan reports since the last audit; list of change management tickets associated with each vulnerability finding. Analysis: ensure all systems in scope have been scanned; ensure vulnerabilities have been assigned a ticket where applicable; ensure tickets have been dealt with within the specified time ranges. Output: spreadsheet listing applications with a checkbox / date of last scan; spreadsheet listing findings and their associated ticket, with a column indicating whether each was properly addressed; screenshots of tickets and reports. | All systems scanned at the agreed periodicity; all findings dealt with correctly and on time. | NA | Vulnerability and Incident Management
Policy Password Configuration | Ensure that password policies are properly enforced on key systems. | Input: AD, CRM and ERM logs including system configuration changes; list of tickets for AD, CRM and ERM (column A ticket number; column B date); screenshot of the password policies for AD, CRM and ERM. Analysis: ensure the current password policies are aligned with our standards; review all system logs and ensure each log entry has a ticket, flagging any that do not; review all tickets and ensure our standard policies have been followed. Output: spreadsheet with the analysis. | All systems in scope have the right password policy and changes have followed our procedures. | NA | Change Management Procedure; Hardening Standards; Logging & Monitoring Standards
Regular Vulnerability Scanning | Ensure that vulnerability scanning is executed at the agreed periodicity (monthly, per the maintenance task). | Input: last report from Security Metrics (PDF in original format); list of change tickets used to correct each "Critical" and "Urgent" finding. Analysis: each "Critical" and "Urgent" finding must have a ticket; each ticket must be resolved within 30 days of being created. Output: spreadsheet listing all tickets, with a checkbox in column B indicating whether each was processed within 30 days. | All findings from the last report have been corrected within 30 days of being identified. | Every month a Nessus scan must be executed against core systems (use the templates in Nessus). Store the report as is, since it is later used for audits. | Vulnerability and Incident Management; Hardening Standards
Rogue Wifi APs | Ensure no rogue Wi-Fi networks exist in the office. | Input: none. Analysis: walk the office with a Wi-Fi scanner and log all APs in the area and their authentication mechanism; ensure no open network exists and, if any does, that it is not connected to our network. Output: Wi-Fi scanner logs; spreadsheet with the analysis. | No open Wi-Fi AP is connected to our organisation's network. | NA | Hardening Standards
Security Awareness Trainings | Ensure all our staff have been through our mandatory awareness training. | Input: awareness reports from eramba for our mandatory awareness training. Analysis: none. Output: screenshot showing compliance levels. | Compliance with our awareness program must be 100%. | NA | Security Governance Policy
Service Accounts Reviews | Review service accounts to ensure they are still valid and were created following standard procedures. | Input: list of AD accounts whose password expiration field is set to "never" (account name in column A; creation date in column B); list of tickets for all AD changes. Analysis: for each account ensure there is a valid ticket, flagging any account without one. Output: spreadsheet with the analysis. | No service account exists without a valid ticket and an expiration. | NA | Account Management Procedures; Change Management Procedure; Hardening Standards
SIEM Review | Ensure the SIEM is collecting logs, that these logs are protected from deletion and that they are shown only to the roles that have been allowed. | Evidence: SIEM Standards. Analysis: through interviews and evidence collection ensure that the standards have been enforced. Output: screenshots, meeting minutes and their sign-off. | All SIEM standards are enforced. | NA | SIEM Standards
Software Deployment Reviews | On every software release, functional, test and security test cases must be defined and evidence of their testing must be stored. Every release requires a change management ticket which must include all this information and records. This control ensures the process is followed in detail. | Evidence: inventory of assets; Service Desk tickets corresponding to software deployments; screenshots of the version of the application under review. Analysis: review that the deployments of the software have followed the procedures, in particular approvals and evidence that testing has been completed. Output: spreadsheet with the analysis. | All reviewed deployments have followed the stated procedure. | NA | SDLC Procedures; System inventory
Software Testing | | Input: test case sheets. Analysis: review how many bugs were found in each test case's results since the last audit. Output: spreadsheet with the analysis. | The number of bugs found should have decreased consistently over time. | NA | SDLC Procedures
Standard Server Build - Linux | Verify Linux servers have been built as per our standards. | Input: random selection of 10% of all Linux systems deployed since the last audit, on a spreadsheet where column A holds the hostname of each system; dump of the output that the script included in this control generates when executed against that list; system inventory. Analysis: none beyond confirming each system is part of the inventory (the script does the analysis). Output: script output in CSV format. | All systems built since the last audit comply with our build standards. | NA | Change Management Procedure; Hardening Standards; System inventory
Standard Server Build - Windows | Verify Windows servers have been built as per our standards. | Input: random selection of 10% of all Windows systems deployed since the last audit, on a spreadsheet where column A holds the hostname of each system; dump of the output that the script included in this control generates when executed against that list; system inventory. Analysis: none beyond confirming each system is part of the inventory (the script does the analysis). Output: script output in CSV format. | All systems built since the last audit comply with our build standards. | NA | Hardening Standards; System inventory; Change Management Procedure
Storage of Media | | Input: media inventory log; tickets for the Media queue. Analysis: review the inventory log and ensure all items on record are stored; review the inventory and ensure each entry matches a ticket and the ticket has followed the right procedures. Output: spreadsheet with the analysis. | Every access to the room where media is stored is backed by a reason (to store, transport or delete media). | NA | Media Handling Policy
Supplier Vendor Assessments | Ensure suppliers have gone through the correct enrolment process, which includes a security and risk assessment. | Input: list of new suppliers since the last audit (login name in column A); list of vendor assessments and third-party risks. Analysis: ensure the suppliers still work for us; ensure each supplier has gone through a security assessment and risk analysis; confirm with the point of contact for each supplier that the quality of their delivery has met the agreements. Output: spreadsheet with the analysis. | All suppliers have gone through a security assessment. | NA | Third Party Relationships Security Policy
System Patching | Critical systems are patched in accordance with our policies. | Input: WSUS patching report; patching policies. Analysis: confirm all critical systems are patched according to our policies and standards. Output: spreadsheet with the analysis. | All critical patches have been applied on time. | NA | Hardening Standards; Vulnerability and Incident Management
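Several of the controls above (High Privilege Service Accounts, IDS Reviews, Policy Password Configuration, Service Accounts Reviews) share the same audit step: take a log or account export, take the ticket queue, and flag every entry that has no ticket behind it; Regular Vulnerability Scanning adds a 30-day resolution check on the tickets themselves. The script below is an added example of that reconciliation for the Passman case; it is not eramba's code and not the script any of these controls refer to. The Passman log line format, the ticket CSV columns, the one-day matching window and every record in it are constructed assumptions for illustration.

```python
"""Log-to-ticket reconciliation for a privileged-access review.

Added example for this controls page; not eramba's code nor any script
referenced by the controls. The Passman log format, the ticket CSV layout
and all records below are constructed for illustration.
"""
import csv
import io
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional

# Constructed sample: Passman check-out/check-in lines as they might arrive from
# the central log collector, plus one unrelated sshd line (format is assumed).
LOG_LINES = [
    "2024-03-02T09:14:03Z passman[2201]: CHECKOUT user=alice account=root@db01",
    "2024-03-02T11:40:55Z passman[2201]: CHECKOUT user=bob account=admin@fw01",
    "2024-03-05T16:02:10Z passman[2201]: CHECKOUT user=carol account=sa-backup@ad01",
    "2024-03-05T16:30:00Z passman[2201]: CHECKIN user=carol account=sa-backup@ad01",
    "2024-03-06T08:00:00Z sshd[4411]: Accepted publickey for alice from 10.0.0.5",
    "2024-03-20T14:05:41Z passman[2201]: CHECKOUT user=dave account=root@db01",
]

# Constructed sample: the Passman ticket queue exported as CSV
# (ticket number and date first, as the control's spreadsheet describes).
TICKETS_CSV = """ticket,created,subject,resolved
PM-101,2024-03-02,Privileged access root@db01 for kernel patching,2024-03-03
PM-107,2024-03-05,Emergency access sa-backup@ad01 restore test,
PM-099,2024-01-10,Privileged access admin@fw01 firmware upgrade,2024-02-28
"""

AS_OF = date(2024, 4, 10)  # review date used to age tickets that are still open

LOG_RE = re.compile(
    r"^(?P<ts>\S+) passman\[\d+\]: (?P<action>\w+) user=(?P<user>\S+) account=(?P<account>\S+)"
)


@dataclass
class Event:
    ts: datetime
    user: str
    account: str


@dataclass
class Ticket:
    id: str
    created: date
    subject: str
    resolved: Optional[date]


def parse_logs(lines: List[str]) -> List[Event]:
    """Keep only Passman CHECKOUT lines; check-ins and other daemons are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["action"] != "CHECKOUT":
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["account"]))
    return events


def parse_tickets(text: str) -> List[Ticket]:
    tickets = []
    for row in csv.DictReader(io.StringIO(text)):
        resolved = date.fromisoformat(row["resolved"]) if row["resolved"] else None
        tickets.append(Ticket(row["ticket"], date.fromisoformat(row["created"]), row["subject"], resolved))
    return tickets


def reconcile(events: List[Event], tickets: List[Ticket], window_days: int = 1) -> List[dict]:
    """One row per check-out. A ticket covers it only if the ticket names the
    account and was created at most `window_days` before the access (assumed rule)."""
    rows = []
    for ev in events:
        match = None
        for t in tickets:
            same_account = ev.account.lower() in t.subject.lower()
            in_window = t.created <= ev.ts.date() <= t.created + timedelta(days=window_days)
            if same_account and in_window:
                match = t
                break
        rows.append({"timestamp": ev.ts.isoformat(), "user": ev.user, "account": ev.account,
                     "ticket": match.id if match else "", "flag": "" if match else "NO TICKET"})
    return rows


def sla_breaches(tickets: List[Ticket], as_of: date, max_days: int = 30) -> List[tuple]:
    """Tickets resolved late or still open past the limit (the 30-day rule used
    by the Regular Vulnerability Scanning control)."""
    breaches = []
    for t in tickets:
        age = ((t.resolved or as_of) - t.created).days
        if age > max_days:
            breaches.append((t.id, age, "resolved late" if t.resolved else "still open"))
    return breaches


def run_review(as_of: date = AS_OF):
    tickets = parse_tickets(TICKETS_CSV)
    return reconcile(parse_logs(LOG_LINES), tickets), sla_breaches(tickets, as_of)


if __name__ == "__main__":
    rows, breaches = run_review()
    writer = csv.DictWriter(__import__("sys").stdout, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)  # the "spreadsheet with analysis" the controls ask for
    for ticket_id, age, why in breaches:
        print(f"SLA breach: {ticket_id} ({why}, {age} days)")
```

Run stand-alone it prints the reconciliation as CSV with bob's and dave's check-outs flagged NO TICKET (bob has no ticket at all; dave reused an account whose ticket is 18 days old, outside the window), and reports PM-099 as resolved late and PM-107 as still open past 30 days. The matching window and the "account named in the ticket subject" rule are the auditor's judgement calls; tighten or loosen them to match what the Account Management Procedures actually require.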