Review of SOPs / Policy / DOP

- Review of SOPs and compliance
- Review of policies for the various procedures and their compliance
- Check whether a DOP (delegation of powers) is defined for the approval procedure
- Review the reporting structure and departmental chart


Review of Corporate policies

- Password policy
- E-mail policy
- Security policy
- Internet usage policy
- Confidentiality policy
- Data backup and recovery policy


Snapshots

- Backup logs
- Antivirus updates


Firewall management

- Who owns the firewalls? Is this defined?
- Who is responsible for implementing the stated policies for each of the firewalls?
- Who is responsible for day-to-day management of the firewall?
- Who monitors the firewall for compliance with the stated policies?
- How are security-related incidents reported to the appropriate Information Security staff?
- Are there written procedures that specify how to react to different events, including containment and reporting procedures?


Review of documents

- Network flow diagrams: are any devices found on the network but missing from the diagram? Has any device been removed but not updated in the network diagram?
- Firewall standard configuration
- Firewall configuration review and deficiencies


Firewall security management

- How many people have the administration account passwords? How are these controlled?
- Logs: enabled, reviewed, archived?
- Backup and recovery procedures established for the firewall configuration, policies and relevant data?
- IDS in use?
- Adequate backup power supplies?
- Firewall components located in areas where access is restricted to authorized personnel only?
- Version and patch level
- Disclosure of private IP addresses
- Network architecture and firewall settings
- Access controls: administrator rights
- Time synchronization: centralized?
- Audit trails of logging access
- Security configuration: IP spoofing prevention, DoS detection, blocking malicious mail, filtering private mail
- Are there procedures to change the firewall policies? If so, what is the process?
- How are these policies communicated throughout the organization?
- Are remote access sessions encrypted via SSH or similar?
- Is an event log analyzer or firewall analyzer application installed in the organization?


Firewall rule set compliance (Standard policy)

- Periodic firewall review
- Change management process
- New device checklist
- Decommissioned device checklist
- Vulnerability management
- Continual improvement: updates, reviews, audit trails


Security & Backup

- Maintain a golden copy of Firewall-1, including patches
- Review backup procedures and documentation
- Review backup schedule
- Determine whether procedures are in place to recover the firewall system should a disruption of service occur
- Review contingency plan
- Contingency plan documentation
- List of hardware in the IT department with active/inactive status
- Controls over the active services on the system
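Several items above (network diagram vs. devices actually present, the decommissioned device checklist, and the hardware list with active/inactive status) reduce to reconciling the firewall rule set against the documented inventory. The following is an added example written for this checklist, not part of the original document or of any firewall product; the inventory and rule record formats, the device names and the IP addresses are constructed assumptions.

```python
# Added example: reconcile a firewall rule set against the network diagram
# inventory and the hardware active/inactive list (constructed data formats).
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    active: bool  # from the "Active/Inactive" hardware list


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str      # IP address or "any"
    dst: str      # IP address or "any"
    action: str
    enabled: bool


def reconcile(diagram, rules):
    """Produce three audit findings:
    undocumented  - IPs referenced by enabled rules but absent from the diagram
    stale         - inactive (decommissioned) devices still referenced by enabled rules
    disabled_rules- rules retained in the set but disabled (cleanup candidates)"""
    by_ip = {d.ip: d for d in diagram}
    undocumented, stale, disabled = set(), set(), []
    for r in rules:
        if not r.enabled:
            disabled.append(r.rule_id)
            continue
        for ip in (r.src, r.dst):
            if ip == "any":
                continue
            dev = by_ip.get(ip)
            if dev is None:
                undocumented.add(ip)          # device missing from the diagram
            elif not dev.active:
                stale.add((dev.name, r.rule_id))  # decommissioned but still allowed
    return {"undocumented": sorted(undocumented),
            "stale": sorted(stale),
            "disabled_rules": disabled}


# Constructed sample inventory and rule set (not real devices or addresses).
DIAGRAM = [Device("web01", "10.0.1.10", True), Device("db01", "10.0.2.20", True),
           Device("oldfs01", "10.0.3.30", False)]
RULES = [Rule(1, "any", "10.0.1.10", "accept", True),
         Rule(2, "10.0.1.10", "10.0.2.20", "accept", True),
         Rule(3, "10.0.9.99", "10.0.2.20", "accept", True),   # source not on diagram
         Rule(4, "any", "10.0.3.30", "accept", True),         # decommissioned target
         Rule(5, "any", "10.0.1.11", "accept", False)]        # disabled rule


def sample_findings():
    return reconcile(DIAGRAM, RULES)
```

Feed `reconcile` the exported rule set and the diagram inventory; each non-empty finding maps directly to a checklist item to raise with the firewall owner.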


MIS Reports

- Review MIS reports for adequacy, accuracy and timeliness
- Check whether the relevant MIS reports are prepared that may help Management in decision making