§ Review of SOPs / Policies / DOP
ü Review of SOPs and compliance with them
ü Review of the policies governing the various procedures and compliance with them
ü Check whether a DOP (delegation of powers) is defined for the approval procedure
ü Review the reporting structure and departmental organization chart
§ Review of Corporate policies
ü Password policy
ü E-mail policy
ü Security policy
ü Internet usage policy
ü Confidentiality policy
ü Data backup and recovery policy
ü Backup logs
ü Antivirus updates
§ Firewall management
ü Who owns the firewalls - is this defined?
ü Who is responsible for implementing the stated policies for each of the firewalls?
ü Who is responsible for day to day management of the firewall?
ü Who monitors the firewall for compliance with stated policies?
ü How are security-related incidents reported to the appropriate information security staff?
ü Are there written procedures that specify how to react to different events, including containment and reporting procedures?
§ Review of documents
ü Network flow diagrams: are any devices found on the network that are missing from the diagram? Has any device been removed from the network but left in the diagram?
ü Firewall standard (baseline) configuration
ü Firewall configuration review and deficiencies found
§ Firewall security management
ü How many people hold the administrator account passwords? How are these controlled?
ü Logs: enabled, reviewed, archived?
ü Are backup and recovery procedures established for the firewall configuration, policies and related data?
ü Is an IDS in use?
ü Are there adequate backup power supplies?
ü Are firewall components located in areas where access is restricted to authorized personnel only?
ü Version and patch level (current and vendor-supported?)
ü Disclosure of private (internal) IP addresses to external networks
ü Network architecture and firewall settings
ü Access controls: administrator rights
ü Time synchronization: centralized (e.g. NTP)?
ü Audit trails of access to the logs
ü Security configuration: IP spoofing prevention, DoS detection, blocking of malicious mail, filtering of private mail
ü Are there procedures to change the firewall policies? If so, what is the process?
ü How are these policies communicated throughout the organization?
ü Are remote administration sessions encrypted (e.g. via SSH or similar)?
ü Is an event log analyzer or firewall analyzer application installed in the organization?
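The log items above ("Logs: enabled, reviewed, archived?" and the event log analyzer question) are only meaningful if someone actually reads the logs. The following is an added example, not part of the original checklist or any vendor's product, of the minimal review an auditor can run over firewall log lines: parse them, tally denies per source, flag scan-like behaviour (one source probing many ports) and list accepted administrative connections arriving on the external interface from outside the assumed management network. The log format (netfilter-style syslog with FW-DROP/FW-ACCEPT prefixes), the management network 203.0.113.0/24, the port threshold and the sample lines are all constructed assumptions for illustration.

```python
"""Added example: review of constructed firewall log lines (not real log data)."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in netfilter/iptables syslog style; the FW-DROP/FW-ACCEPT
# prefixes are an assumed log-prefix convention, not a product default.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: FW-DROP IN=wan OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=22
Mar  3 10:01:02 fw kernel: FW-DROP IN=wan OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=23
Mar  3 10:01:03 fw kernel: FW-DROP IN=wan OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40003 DPT=25
Mar  3 10:01:03 fw kernel: FW-DROP IN=wan OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40004 DPT=80
Mar  3 10:01:04 fw kernel: FW-DROP IN=wan OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40005 DPT=443
Mar  3 10:01:04 fw kernel: FW-DROP IN=wan OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40006 DPT=3389
Mar  3 10:02:10 fw kernel: FW-DROP IN=wan OUT= SRC=192.0.2.5 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=445
Mar  3 10:02:11 fw kernel: FW-DROP IN=wan OUT= SRC=192.0.2.5 DST=203.0.113.10 PROTO=ICMP
Mar  3 10:03:00 fw kernel: FW-ACCEPT IN=wan OUT= SRC=203.0.113.50 DST=203.0.113.10 PROTO=TCP SPT=52000 DPT=22
Mar  3 10:03:30 fw kernel: FW-ACCEPT IN=wan OUT= SRC=198.51.100.200 DST=203.0.113.10 PROTO=TCP SPT=52100 DPT=22
Mar  3 10:04:00 fw sshd[812]: Accepted publickey for admin from 203.0.113.50 port 52000
"""

# SPT/DPT are optional because ICMP lines carry no ports.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<tag>FW-\w+) IN=(?P<in>\w*) OUT=(?P<out>\w*) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse(log_text):
    """Return one dict per firewall event; lines from other daemons are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["dpt"] = int(d["dpt"]) if d["dpt"] else None
            events.append(d)
    return events


def denies_by_source(events):
    """Count of dropped packets per source address."""
    return Counter(e["src"] for e in events if e["tag"] == "FW-DROP")


def scan_sources(events, min_ports=5):
    """Sources whose drops touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for e in events:
        if e["tag"] == "FW-DROP" and e["dpt"] is not None:
            ports[e["src"]].add(e["dpt"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def admin_access_from_outside(events, mgmt_net="203.0.113.0/24", admin_ports=(22, 443)):
    """Accepted connections to admin ports on the external interface from outside the management network."""
    net = ip_network(mgmt_net)
    return [e["src"] for e in events
            if e["tag"] == "FW-ACCEPT" and e["in"] == "wan"
            and e["dpt"] in admin_ports and ip_address(e["src"]) not in net]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("denies by source:", denies_by_source(ev).most_common())
    print("scan-like sources:", scan_sources(ev))
    print("admin access from outside mgmt net:", admin_access_from_outside(ev))
```

The point of the third check is that an accepted administrative session is the event an auditor most wants to see questioned, and it only shows up if accepts on the management ports are logged as well as drops; a log that records denies only cannot answer the "who administered this firewall from where" question.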
§ Firewall rule set compliance (standard policy)
ü Periodic firewall rule set review
ü Change management process
ü New device checklist
ü Decommissioned device checklist
ü Vulnerability management
ü Continual improvement: updates, reviews, audit trails
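A periodic rule set review against the standard policy is easier to repeat, and to evidence, when the mechanical part is scripted. The following is an added example, not part of the original checklist or any firewall vendor's tooling, that runs three of the checks implied above and under "Security configuration" over a constructed, vendor-neutral rule table: accept rules that permit any source to any destination on any port, rules shadowed by an earlier rule so they can never fire, and the IP spoofing prevention check (RFC 1918 source ranges that are not dropped on the external interface before the first accept there). The Rule model, the interface names, the sample rules and the RFC 1918 list as the anti-spoofing baseline are all assumptions for illustration.

```python
"""Added example: rule-set compliance checks over a constructed rule table (not a product's own format)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
# Assumed anti-spoofing baseline: RFC 1918 ranges must never arrive as sources on the external interface.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    rule_id: int
    iface: str                # ingress interface: "wan", "lan" or "any"
    src: IPv4Network
    dst: IPv4Network
    proto: str                # "tcp", "udp" or "any"
    dport: Optional[int]      # None means any destination port
    action: str               # "accept" or "drop"


def covers(a: Rule, b: Rule) -> bool:
    """True if a matches every packet b matches, so b is dead (shadowed) whenever a precedes it."""
    return (
        a.iface in ("any", b.iface)
        and b.src.subnet_of(a.src)
        and b.dst.subnet_of(a.dst)
        and a.proto in ("any", b.proto)
        and a.dport in (None, b.dport)
    )


def any_any_accepts(rules: List[Rule]) -> List[int]:
    """Ids of rules that accept everything from anywhere to anywhere on any port."""
    return [r.rule_id for r in rules
            if r.action == "accept" and r.src == ANY and r.dst == ANY
            and r.proto == "any" and r.dport is None]


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(shadowed_id, shadowing_id) pairs: rules that can never fire because an earlier rule covers them."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.rule_id, earlier.rule_id))
                break
    return found


def unfiltered_private_sources(rules: List[Rule], external_iface: str = "wan") -> List[str]:
    """RFC 1918 ranges not dropped on the external interface before the first accept there."""
    missing = list(RFC1918)
    for r in rules:
        if r.iface != external_iface:
            continue
        if r.action == "accept":
            break                       # an anti-spoofing drop placed after an accept comes too late
        if r.action == "drop" and r.dst == ANY and r.proto == "any" and r.dport is None:
            missing = [n for n in missing if not n.subnet_of(r.src)]
    return [str(n) for n in missing]


def audit(rules: List[Rule]) -> dict:
    """All findings in one structure, suitable for attaching to the review record."""
    return {
        "any_any_accept": any_any_accepts(rules),
        "shadowed": shadowed_rules(rules),
        "unfiltered_private_sources_on_wan": unfiltered_private_sources(rules),
    }


# Constructed sample rule set, evaluated top to bottom (not taken from any real firewall).
SAMPLE_RULES = [
    Rule(10, "wan", ip_network("10.0.0.0/8"), ANY, "any", None, "drop"),        # anti-spoof
    Rule(20, "wan", ip_network("192.168.0.0/16"), ANY, "any", None, "drop"),    # anti-spoof, 172.16/12 forgotten
    Rule(30, "wan", ANY, ip_network("203.0.113.10/32"), "tcp", 443, "accept"),  # public web server
    Rule(40, "wan", ANY, ip_network("203.0.113.10/32"), "tcp", 443, "accept"),  # duplicate of 30, never fires
    Rule(50, "lan", ANY, ANY, "any", None, "accept"),                           # permit-all outbound
    Rule(60, "lan", ip_network("192.168.1.0/24"), ANY, "tcp", 22, "drop"),      # intended block, shadowed by 50
]

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_RULES).items():
        print(f"{finding}: {items}")
```

Shadowed rules matter to the reviewer for two reasons: a duplicate like rule 40 is harmless clutter, but rule 60 is a control the policy says exists and the firewall will never enforce, which is exactly the gap between "stated policy" and "implemented policy" that the review is meant to surface.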
§ Security & Backup
ü Maintain a golden copy of Firewall-1, including patches
ü Review backup procedures and documentation
ü Review backup schedule
ü Determine if procedures are in place to recover the firewall system should a disruption of service occur
ü Review contingency plan
ü Contingency plan documentation
ü List of hardware in the IT department with active/inactive status
ü Controls over the services active on the system
§ MIS Reports
ü Review MIS reports for adequacy, accuracy and timeliness
ü Check whether the relevant MIS reports are prepared to support management decision-making