Re: checklists/auditing within the IT department

[Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>]

In addition to ISO 27000 series and COBIT, the financial sector has all sorts of auditing resources that can really be 
applied in
any environment with a little tweaking.  I've listed a few below:

PCI Data Security Standards
https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

PCI Self Assessment Questionnaire
https://www.pcisecuritystandards.org/saq/

BITS Share Assessment Agreed Upon Procedures
http://www.sharedassessments.org/download/files.html

BITS Shared Assessment Standardized Information Gathering Questionnaire
http://www.sharedassessments.org/download/files.html

FFIEC IT Examination Handbook
http://www.ffiec.gov/ffiecinfobase/index.html



> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On
> Behalf Of Youngquist, Jason R.
> Sent: Wednesday, December 10, 2008 3:41 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] checklists/auditing within the IT department
>
> I'm looking for any recommendations on books or documents for
> auditing/best practices within one's IT department.
>
> Our department is broken up into 5 sections:
> Data Services - support the student information system - by programming
> and system support
> Web Services - program web applications & work on databases
> Network Services - physical security, networking gear (routers,
> firewalls, switches, etc.) servers (Windows, Linux, and a number of
> different applications), and VOIP services
> End User Support - purchase, deploy, and fix desktop computer-related
> issues
> Helpdesk/Computer Lab - provide support to customers and student
> computer lab(s).
>
> I'm looking for a number of questions/checklists/best practices to ask
> individuals in each section of the department.  The goal is to come up
> with a list of questions/checklists so each week I'll talk to an
> individual from each section of the department and ask them a few
> questions (from a long list of questions from their particular area) in
> order make sure things are working properly, security is being followed,
> and determine if there are any issues that need to be addressed.
>
> Here are some example questions:
> Generator XYZ - does a self-check happen?  If so, when?  Has the
> self-check been successful?
> Servers - Which servers are being backed up?  Are there new servers
> which haven't been added to the tape backup schedule yet?
> Servers - When was the last time a file restore was done?  Was it
> successful?
> Inventory - When was the last time a computer inventory was done?  Where
> is it located?
> VOIP - What steps are being taken to reduce/eliminate toll fraud,
> eavesdropping, caller-id spoofing, denial of service, etc.
> Web - Is there an inventory of web applications?  If so, where is it
> located?
> Web - Is there a document of coding best practices?  If so, where is it
> located?
>
>
> I've been doing some googling and brainstorming, but appreciate any
> additional information.
>
>
> Thanks.
> Jason Youngquist
> Information Technology Security Engineer
> Technology Services
> Columbia College
> 1001 Rogers Street, Columbia, MO  65216
> (573) 875-7334
> jryoungquist () ccis edu
> http://www.ccis.edu