1. Operating Systems

Risks:
- Improper or unauthorized use of system utilities
- Lack of backups and contingency planning increases the risk of being unable to continue processing following a disaster
- Poor help desk functions
- Delays and disruptions in processing due to wrong configuration parameters

Audit objectives:
- To determine that the audit team has a clear understanding of the network components and interfaces that may impact the logical security of specific servers and workstations.
- To ensure that existing operating system security parameters are configured to secure settings in line with relevant corporate policies and standards.
- To determine whether security policies are in place to ensure that only authorized persons are granted access to the operating system.

Audit procedures and controls:
- Develop a security policy manual to assist management in their detection of unauthorized activity.
- Carry out daily maintenance activities, such as computer start-up procedures and daily data back-up procedures, to ensure management safety.
- Evaluate current operating system configuration settings to ensure that the settings comply with relevant corporate policies and standards and conform to best practices.

2. Databases / Files / Records

Risks:
- Corrupt file due to hardware failure
- Unauthorized access to the database system
- Files and records do not have a backup

Audit objectives:
- To identify and help fix potential problems with an enterprise's backup systems and procedures.
- To verify whether only authorized personnel can manage the database system of the company.
- To ensure that data backup and restore procedures occur as intended.

Audit procedures and controls:
- Ensure that only the database administrator has the capability to change or modify any transactions in the database system.
- Examine the entire backup process using the backup audit to look for inefficiencies and reasons for failure.
- Identify and manage data update processes.

3. IT Organizational Structure

Risks:
- Misappropriation of assets
- Copying or viewing of sensitive or confidential information
- Unauthorized access to IT services

Audit objectives:
- To ensure that roles and responsibilities for security management have been clearly and appropriately defined.
- To prevent unauthorized access to and interference with IT services.
- To ensure that management supervises the actions of its employees to determine whether the assets of the company are properly accounted for.

Audit procedures and controls:
- Use common physical controls to safeguard assets, such as locked doors, CCTVs, intruder alarms, combination keypads, and security guards.
- Obtain documentation listing all individuals with access to a given room or item of information.
- Evaluate each employee to identify their strengths and weaknesses and determine whether each employee's skills line up with his or her current work responsibilities.

4. Computer Center Security / Disaster Recovery Plan

Risks:
- Virus infestation
- System and hardware failure
- Loss of assets due to fortuitous events, such as fire, flood, or earthquake
- Human intervention (e.g. sabotage)

Audit objectives:
- To verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive objects.
- To ensure that insurance coverage and documentation are adequate in case of failure.

Audit procedures and controls:
- Examine disks or CDs transferred between workgroups to determine whether they contain viruses.
- Test the physical construction, fire detection, access control, and back-up power supply.
- Check supplies and documents to make sure that these are stored off-site.

5. New System Development

Risks:
- Insufficient time period for one or more phases
- Unwritten
- Badly done cost-benefit analysis
- Incomplete or wrong information about the implementation schedule and the resources required
- Unaware end-users may not use the system properly

Audit objectives:
- To ensure that existing policies and standards are applicable throughout the information processing environment.
- To determine whether all systems are in compliance with appropriate policies and standards.
- To ensure that end-users are aware of appropriate corporate security policies and standards and are informed of their individual responsibilities.
- To ensure that the cost does not exceed the benefits to be derived from developing new systems.

Audit procedures and controls:
- Identify the procedures in place to ensure compliance with relevant corporate security policies and standards.
- Check whether corporate security policies and standards are applicable to the environment.
- Instruct security administration personnel to be aware of corporate security policies and standards for the operating environment under review.
- Assess the risk to anticipate all situations which could adversely affect the execution of the project.

6. System / Program Maintenance

Risks:
- Lack of capability to maintain the system
- Failure of machines and equipment to operate efficiently
- Potential liability exposure from on-the-job accidents due to defective equipment
- Non-compliance with laws and regulations
- Unlicensed software may cause errors in the system

Audit objectives:
- To keep equipment, machines and the work environment safe and reliable.
- To ensure that management complies with all the requirements necessary to conduct an operation.
- To determine whether procurement procedures are in place to carry out safe maintenance.
- To verify that the software used by the company is licensed.

Audit procedures and controls:
- Implement a risk-based maintenance process to make sure that the total risk of failure is minimized across the facility in the most economical way.
- Apply different maintenance strategies, such as corrective maintenance, preventive maintenance, and condition-based maintenance.
- Regularly inspect equipment and machines before putting them into operation.
- Review the software licensing maintenance to make sure that it is compatible with the system.
- Provide a written report, complete with recommendations for improvement, detailing the results of the maintenance audit and review.

7. Networks and Data Communication (Internet & Intranet)

Risks:
- Interception of network messages
- Insider threat
- Distributed Denial of Service (DDoS) attacks

Audit objectives:
- To verify the security and integrity of financial transactions by determining that network controls can prevent and detect illegal access both internally and from the internet.
- To assess whether an intrusion prevention system (IPS) with deep packet inspection (DPI) is in place for organizations that are vulnerable to DDoS attacks.
- To prevent data loss and mitigate insider threat.

Audit procedures and controls:
- Review security procedures governing the administration of data encryption keys.
- Establish a firewall to ensure that only authorized traffic between the organization and the outside passes through it.
- Require a digital certificate to authenticate the sender of the message.
- Use a request-response technique so that a message from the sender and a response from the receiver are sent at synchronized intervals.
- Educate employees and establish accountability with managers.

8. Electronic Commerce (E-Commerce) / Electronic Data Interchange (EDI)

Risks:
- Security and confidentiality risks
- Hacking
- Virus and worm attacks
- Costly to implement

Audit objectives:
- To focus primarily on solving business-related problems to achieve cost savings.
- To ensure that short-term data are deleted immediately to avoid information theft.
- To ensure that only authorized employees have access to business computers.
- To keep systems highly secure and password protected.

Audit procedures and controls:
- Allocate data across a wider variety of communication protocols and safety standards.
- Use strong passwords to protect the data.
- Plan the implementation of EDI and E-commerce thoroughly to determine the amount of cost.
- Authenticate third party security controls.

9. Stand-Alone PCs

Risks:
- Security attack
- Unauthorized access
- Password cracking
- Malware and spyware

Audit objectives:
- To ensure that only the owner of the PC has access.
- To ensure that the computer is password protected.
- To determine whether Windows Encrypting File System is built into the operating system of the computer.

Audit procedures and controls:
- Install anti-virus, firewall, and anti-spyware software.
- Secure the computer on which data resides in a locked room.
- Protect the computer with a password.
- Restrict access to data to project personnel using the security features available via the operating system.
- Install Windows Encrypting File System to enable data encryption and secure the entire system.
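The evaluation of operating system configuration settings against corporate standards (row 1), which also covers the password-protection checks of row 9, can be scripted. This is an added example and not part of the original audit matrix or its sources; the sample settings, parameter names and baseline values are constructed assumptions, not any organization's actual standard.

```python
# Added example, not part of the original audit matrix: checks captured OS
# security parameters against a corporate baseline, as the "Operating
# Systems" row's procedure calls for. Sample config and rules are constructed.
import operator

# Constructed sample in "key value" form (sshd_config / login.defs style).
SAMPLE_CONFIG = """
# settings captured from a host under review (constructed)
PermitRootLogin yes
PasswordAuthentication no
PASS_MAX_DAYS 180
PASS_MIN_LEN 12
UMASK 022
"""

# Constructed baseline: parameter -> (comparison, required value).
# "eq" must match exactly; "le"/"ge" compare the observed value as an integer.
BASELINE = {
    "PermitRootLogin": ("eq", "no"),
    "PasswordAuthentication": ("eq", "no"),
    "PASS_MAX_DAYS": ("le", 90),
    "PASS_MIN_LEN": ("ge", 12),
    "UMASK": ("eq", "027"),
}
COMPARATORS = {"eq": operator.eq, "le": operator.le, "ge": operator.ge}


def parse_settings(text):
    """Parse 'key value' lines into a dict, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings


def audit_settings(settings, baseline):
    """Return (parameter, observed, required) for each baseline rule that is
    missing from the host or not satisfied; an empty list means compliant."""
    findings = []
    for param, (op_name, required) in baseline.items():
        observed = settings.get(param)
        try:  # integer rules need a numeric observed value
            value = int(observed) if isinstance(required, int) else observed
        except (TypeError, ValueError):
            value = None  # missing or non-numeric: treat as a finding
        if value is None or not COMPARATORS[op_name](value, required):
            findings.append((param, observed if observed else "missing", required))
    return findings
```

Each finding names the parameter, what the host reported, and what the baseline requires, which is the evidence an auditor records for a non-compliant setting.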