Educause Security Discussion mailing list archives
Re: checklists/auditing within the IT department
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Thu, 11 Dec 2008 14:36:23 -0600
We've had pretty good results from a PCI-DSS-based SAQ and interview process as the framework for a recent system-wide Security Assessment Program. We picked and chose from the SAQ, expanded it with some more questions from other good assessment frameworks, and expanded the scope to be all PII and grade-related data, not just PCI data. One thing we didn't expect was that we'd get a lot of "Didn't we just do this?" questions when we launched the actual PCI assessments the following year. Not sure if that's avoidable somehow, but it has taken a bit of explaining and.. um.. relationship management with our campus business and IT contacts, most of whom participated in the earlier process as well as the current PCI assessments. -jml
>>> Doug Markiewicz <dmarkiew+educause () andrew cmu edu> 2008-12-11 08:23 >>>
In addition to ISO 27000 series and COBIT, the financial sector has all sorts of auditing resources that can really be applied in any environment with a little tweaking. I've listed a few below:

- PCI Data Security Standards
  https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
- PCI Self Assessment Questionnaire
  https://www.pcisecuritystandards.org/saq/
- BITS Shared Assessment Agreed Upon Procedures
  http://www.sharedassessments.org/download/files.html
- BITS Shared Assessment Standardized Information Gathering Questionnaire
  http://www.sharedassessments.org/download/files.html
- FFIEC IT Examination Handbook
  http://www.ffiec.gov/ffiecinfobase/index.html
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Youngquist, Jason R.
Sent: Wednesday, December 10, 2008 3:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] checklists/auditing within the IT department

I'm looking for any recommendations on books or documents for auditing/best practices within one's IT department. Our department is broken up into 5 sections:

- Data Services - support the student information system by programming and system support
- Web Services - program web applications & work on databases
- Network Services - physical security, networking gear (routers, firewalls, switches, etc.), servers (Windows, Linux, and a number of different applications), and VOIP services
- End User Support - purchase, deploy, and fix desktop computer-related issues
- Helpdesk/Computer Lab - provide support to customers and student computer lab(s)

I'm looking for a number of questions/checklists/best practices to ask individuals in each section of the department. The goal is to come up with a list of questions/checklists so each week I'll talk to an individual from each section of the department and ask them a few questions (from a long list of questions from their particular area) in order to make sure things are working properly, security is being followed, and determine if there are any issues that need to be addressed.

Here are some example questions:

- Generator XYZ - does a self-check happen? If so, when? Has the self-check been successful?
- Servers - Which servers are being backed up? Are there new servers which haven't been added to the tape backup schedule yet?
- Servers - When was the last time a file restore was done? Was it successful?
- Inventory - When was the last time a computer inventory was done? Where is it located?
- VOIP - What steps are being taken to reduce/eliminate toll fraud, eavesdropping, caller-id spoofing, denial of service, etc.?
- Web - Is there an inventory of web applications? If so, where is it located?
- Web - Is there a document of coding best practices? If so, where is it located?

I've been doing some googling and brainstorming, but appreciate any additional information.

Thanks.

Jason Youngquist
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu