Documents

Download free Firewall failure plan checklist

Download Free Firewall failure plan checklist. Whether your firewall is hardware- or software-based, it's a terrific target for experienced hackers, and at some point it will fail. How you prepare for that failure and the actions you take following the failure are critical. This comprehensive Firewall failure plan checklist contains two sections: a checklist of critical information to have on hand and a list of techniques for troubleshooting both operational and non-operational firewall failures.


Business Continuity Management Guidelines from The Institute of Internal Auditors

The Institute of Internal Auditors recently released Business Continuity Management Guidelines. This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could encounter in the case of a natural or man-made disruptive event that affects the extended operability of the organization.

The guide includes:
- Disaster recovery planning for continuity of critical information technology infrastructure, and
- Business application systems.


100 Network Assessment Checklist

  1. Unique user ID and confidential password required    
  2. Additional identification required for remote access
  3. "Help" screen access available to logged-on users only
  4. Last session date and time message back to user at sign-on time
  5. Exception reports for disruptions in either input or output
  6. Session numbers for users/processors that are not constantly logged in
  7. Notification to users of possible duplicate messages
  8. Threshold of errors and consequential retransmission on the network related to management via automatic alarms
  9. Encryption requirements    
  10. Encryption key management controls
  11. Message Authentication Code requirements for nonencrypted sensitive data transmission
  12. System authentication at session start-up (wiretap controls)
  13. Confirmation of host log-off to prevent line grabbing
  14. Downloading controls for connected intelligent workstations
  15. User priority designation process
  16. Transaction handling for classified communications
  17. Trace and snapshot facilities requirements
  18. Log requirements for sensitive messages
  19. Alternate path requirements between nodes
  20. Contingency plans for hardware as well as all usual system requirements
  21. Storage of critical messages in redundant locations
  22. Packet recovery requirements
  23. Physical access for workstations when units are not in use

Audit Committees: A Self-Assessment Checklist

What is an Audit Committee?
The Audit Committee is regarded as the cornerstone of the Board’s oversight process and has critical governance responsibilities related not only to public financial reporting, internal controls, and management of financial risks, but also to the oversight of an organization’s values and ethics.

Audit Committees need to ensure that all those involved in the financial reporting and internal controls process understand their roles, and carry out their responsibilities in an efficient and effective manner. Hence, Audit Committees operate at the junction between the Board of Directors and its external auditors, its internal auditors, and its executive management.

Audit Committees form many of their judgments of management’s performance based largely on the information and feedback obtained from internal and external auditors. Hence, developing an effective working relationship with both external and internal auditors is essential for an Audit Committee to effectively fulfill its oversight responsibilities.

Network Security Assessment Checklist

This network assessment checklist is taken from Managing a Network Vulnerability Assessment by Thomas R. Peltier, Justin Peltier and John A. Blackley. What do you think? Too much, or?

  1. Unique user ID and confidential password required    
  2. Additional identification required for remote access
  3. "Help" screen access available to logged-on users only
  4. Last session date and time message back to user at sign-on time
  5. Exception reports for disruptions in either input or output
  6. Session numbers for users/processors that are not constantly logged in
  7. Notification to users of possible duplicate messages
  8. Threshold of errors and consequential retransmission on the network related to management via automatic alarms
  9. Encryption requirements    
  10. Encryption key management controls
  11. Message Authentication Code requirements for nonencrypted sensitive data transmission
  12. System authentication at session start-up (wiretap controls)

BS25999 Business Continuity Plan Checklists

1. Policy Statement
Minimum Policy components and Sample BCP Policy

  • The opening Introduction or Overview statement section defines the purpose of the policy.
  • The Policy statement section defines the goals, metrics and responsibilities required to meet policy compliance. A statement of non-compliance penalty should also be included.
  • The Policy Leadership statement section defines the executive management officer responsible for oversight, implementation and compliance assurance of the policy.

2. Policy Integration
Lists how to integrate and enforce the BCP Policy

  • The Change Control Process supports and includes the Business Continuity Plan (BCP) Policy objectives.
  • The BCP Policy is included in the metrics for performance and compensation for all levels of individuals and “groups” in clear and specific terms.
  • Each task in the BCP is assigned to a specific individual. On a regular basis the individual is required to certify (sign) that a) they are aware of the assigned responsibility and b) the task procedures work as documented.
  • Specific metrics and penalties are included in all Service Level Agreements (SLAs) and contracts sufficient to ensure Business Continuity, Preparedness and compliance with BCP policy.

3. Plan Resiliency
Provides steps to ensure Plan flexibility

Simple Data Center Audit Checklist for IS auditor

A data center audit or site review is one of the mandatory activities during the IT audit process, but most IS auditors forget key activities that should be checked during the process. Here is a simple audit checklist to use:

1. Policies & Procedure
• Have computer center operating policies and procedures been written?
• Are they sufficiently descriptive in detail to guide the organization and operation?
• Are data center personnel aware of the policies and procedures?
• Are they kept up-to-date?

2. Personnel
• Are data control center personnel and operators' assignments rotated?
• Is an operating log maintained to record any significant events and action taken by the operator?
• Is the operator log inspected daily by management?

3. Incident handling
• Do the computer room operators know exactly what to do when the different types of fire emergencies occur?
• Do the other personnel know exactly what to do when fire emergencies occur?
