
Tuesday, February 13, 2007

Firewall audit – simple guide

FIREWALL ADMINISTRATION
Interview the firewall administrator and ask them about the rules. Some administrators just rely on the rules set by the vendor; others can give you a lecture on firewalls. From the interview you can roughly determine the knowledge of the administrator and the level of reliance on the vendor.

Obtain the standards / guideline / policy related to the firewall and determine whether the documented standards / guideline / policy are actually adhered to. You will be surprised how often policies exist only for the sake of documentation and are not implemented.

FIREWALL CONFIGURATION
When reviewing the rules: -

Look at the remarks column to determine the purpose of the rules. Sometimes the column is left blank and this is a bad practice.

Look for ftp or telnet services allowed. Determine the reason for allowing these services to be opened. Where possible, ftp and telnet should be replaced by their secure equivalents running over secure shell (SSH).

Firewall rules should be specifically defined, i.e. only the required source, destination and services or ports should be specified in each rule.
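The three rule-review points above can be applied mechanically to a rule export. The following is an added example (not part of the original post): a small checker run over a constructed, vendor-neutral rule set; the rule fields, the sample rules and the "any" convention for unrestricted values are assumptions for illustration.

```python
# Added example, not from the original post: flags blank remarks, allowed
# ftp/telnet, and accept rules whose source, destination or service is "any".
from dataclasses import dataclass

CLEARTEXT_SERVICES = {"ftp", "telnet"}  # services the review point says to question


@dataclass
class Rule:  # assumed field layout for a generic rule export
    number: int
    source: str
    destination: str
    service: str
    action: str
    remark: str = ""


def audit_rule(rule: Rule) -> list[str]:
    """Return the findings for one rule; an empty list means nothing to report."""
    findings = []
    if not rule.remark.strip():
        findings.append("remark column blank: purpose of the rule is undocumented")
    if rule.action.lower() == "accept":
        if rule.service.lower() in CLEARTEXT_SERVICES:
            findings.append(f"{rule.service} allowed: justify or replace with an SSH-based equivalent")
        # Only permissive rules are checked for specificity; a final "drop any" cleanup rule is expected.
        for name, value in (("source", rule.source), ("destination", rule.destination), ("service", rule.service)):
            if value.lower() == "any":
                findings.append(f"{name} is 'any': rule is not specifically defined")
    return findings


def audit_ruleset(rules: list[Rule]) -> dict[int, list[str]]:
    """Map rule number to its findings, keeping only rules that have at least one."""
    return {r.number: f for r in rules if (f := audit_rule(r))}


# Constructed sample rule export (not taken from any real firewall)
SAMPLE_RULES = [
    Rule(1, "10.0.1.0/24", "10.0.2.10", "https", "accept", "Intranet users to web portal"),
    Rule(2, "any", "10.0.2.20", "telnet", "accept", ""),
    Rule(3, "10.0.1.5", "10.0.2.30", "ftp", "accept", "Legacy batch upload"),
    Rule(4, "any", "any", "any", "drop", "Cleanup rule"),
]

if __name__ == "__main__":
    for number, findings in audit_ruleset(SAMPLE_RULES).items():
        for finding in findings:
            print(f"rule {number}: {finding}")
```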

FIREWALL BACKUP
A copy of the firewall rules and configuration should be kept in offsite storage to facilitate the recovery process.


FIREWALL LOG
Depending on the criticality and level of services provided, the logs should be reviewed accordingly. For example, an organisation that provides 24-hour Internet banking should review its firewall logs more frequently than one that just serves a static web page.


Monday, February 12, 2007

Auditing General IT controls - Audit scope

IT Management

Review of: -
Organisation Structure
Job Descriptions
Training Records
IT Plan
IT Committee
IT Budget – training and CAPEX
IT Policies
Project Management
Risk Management
Insurance

IT Security

Review of: -
IT Security Policy
Network Security
Virus Protection
Software Licensing
Patch Management

IT Operations

Review of: -
Backup process – onsite, offsite
Backup policy, strategy
Tape management – labelling, inventory, disposal
Physical security of Computer Room / Data Centre
Environmental controls of Computer Room / Data Centre
IT Procedures, operations manual

BCP

Review of: -
Physical security of DR site
BCP Plan
BCP Infrastructure
BCP testing – test plan, script
BCP Committee

Change Management

Review of: -
Change Management Procedures
Service Request Notes – identify long outstanding issues
UAT process
