Computer Risk Management Audit Program

Initial Prepared By: Date

Client Period Subject S. No. A Local Area Network Review Audit Program PRELIMINARY SURVEY Objective: To gain an understanding of the LAN configuration, the number of users on the LAN, and the general use of the LAN. Audit Procedures: 1 2 3 4 Obtain a current list of computers and peripheral devices connected to the LAN from the LAN administrator. Obtain a current, complete list of LAN users from the LAN administer. Inquire about the nature of the applications the LAN supports (through interview with the LAN administrator). Identify specific critical applications, which are processed on the LAN, and determine the software platform used to support critical applications (e.g., spreadsheets, databases, custom applications, etc.). Inquire about the ability of LAN users to communicate with other computer systems or LANs via the LAN, and document such communications capabilities. ACQUISITION OF COMPUTERS AND LAN EQUIPMENT Objective: To evaluate the acquisitions of computers and LAN hardware and software for compliance with established procurement policies and procedures. Audit Procedures: 1 Determine who is responsible for approving and purchasing computers and LAN hardware and software, and determine through inquiries whether purchases are made according to the corporate policies. Evaluate the procurement policies to ensure that they provide for purchasing hardware and software that will meet the users needs, that appropriate cost controls are in place, and that standards to ensure the compatibility of hardware and software used throughout the organization. Review the documentation of approval and purchase for a sample of hardware and software purchases, and verify that the selected transactions were appropriately handled in compliance with the procurement policies and standards. Notes: Most organizations have policies and procedures, which control the
Reviewed By:

W.P. Ref.

Done By

Page 1 of 6

Sidat Hyder Morshed Associates (Pvt.) Limited Management Consultants Representing Andersen Worldwide, SC in Pakistan

Computer Risk Management Audit Program acquisition of computers and LAN equipment. If no policies exist governing such acquisitions, a finding may be appropriate. C SOFTWARE LICENSE COMPLIANCE Objective: To determine whether employees are complying with the provisions of software licenses. Audit Procedures: 1 Determine through inquiry and review of documentation what the organizations policy is regarding software license compliance. If no such policy exist, consider the need for an audit finding. Assess, through inquiry and discussion with the LAN administrator, the degree of compliance expected to be found in the LAN, and determine what procedures are performed to ensure compliance with software licenses. Identify any multiple software copy or site licenses, which may exist in the LAN environment. On either a sample basis or a 100% basis, inventory the software, which is installed on the computers attached to the LAN. Using software such as SPAudit by Software Publishers Association can facilitate this process. Review supporting documents for the purchase of software packages inventories in step 4 above, and for any installed packages which cannot be supported by purchase documentation, determine if the copies were obtained improperly. Ensure that the users remove any software found to be installed which are not in compliance with software license agreements. Risks: Organizations face potentially significant exposures if employees do not comply with the provisions of software licenses. Generally, unless multiple use licenses or other site license arrangements are made with software publishers, a software package may only be used on one computer. The LAN environment has a tendency to amplify the problem of non-compliance, because it becomes very easy to copy software or allow multiple concurrent uses of a program D VIRUS SCANNING AND PROTECTION Objective: To evaluate controls established to prevent or detect the presence of viruses on the LAN, and determine whether such controls are effective. Audit Procedures: 1 Determine what procedures are in place to prevent or detect the presence of a virus on the LAN, and verify who is responsible for performing these procedures.

3 4

Page 2 of 6

Sidat Hyder Morshed Associates (Pvt.) Limited Management Consultants Representing Andersen Worldwide, SC in Pakistan

Computer Risk Management Audit Program 2 Through inquiry, observation, or examination of related documentation, verify that the procedures for preventing or detecting LAN viruses are being followed. If software is used to detect viruses, determine if the LAN administrator is responsible for checking the file servers periodically. If not, determine who is responsible. Determine whether the organization has procedures for users to follow if a virus is detected or suspected on a computer, and verify through inquiry and observation that users are familiar with the procedures. Risks: Due to the increased sharing of files, which occurs on a LAN, the risk of viruses occurring is greater on a LAN. The impact of a virus can be much greater on a LAN as well, because the virus can be spread to many users or connected computers very quickly. E CONTINGENCY PLANNING AND BACKUP PROCEDURES Objective: To determine whether responsibilities for backing up and storing files stored on the LAN file servers are defined, and whether contingency plans exist for critical applications that are processed on the LAN. Audit Procedures: 1 2 Determine who is responsible for backing up data files and programs stored on the LAN. Determine how backups are stored to ensure they are protected from unauthorized access. If critical applications are processed on the LAN, determine if backup requirements include multiple generations of backups and/or storage of backup materials at a secure offsite location. For a LAN that processes critical information, determine if additional contingency planning is or should be performed. In some cases, formal contingency plans may be appropriate. Evaluate the adequacy of the plan if one exists. Determine whether established contingency plans are tested at least annually, and updated periodically to reflect changes and improve effectiveness. Determine the procedures in place to ensure that critical data stored on individual LAN workstations is backed up appropriately. Through inquiry and observation, verify that such procedures are being complied with or functioning as intended. Notes: Because multiple users store information on the LAN file servers, responsibilities for backing up and storing files should be defined. If critical applications are processed on the LAN, additional contingency planning should be considered. All backup copies of LAN data should be protected from unauthorized access.

Page 3 of 6

Sidat Hyder Morshed Associates (Pvt.) Limited Management Consultants Representing Andersen Worldwide, SC in Pakistan

Computer Risk Management Audit Program

LAN ACCESS SECURITY Objective: To determine that access to the LAN is restricted to authorized users, and that responsibility for administering LAN access security is clearly defined. Audit Procedures:

Obtain and review the corporate policies for allowing access to the LAN to gain an understanding of the procedures used to a) b) administer access, and update access allowed for terminated and transferred employees

2 3

Determine whether unique passwords are required for all LAN users. Determine whether users are required to change their passwords periodically, and how frequently they are required to change their passwords. Determine whether LAN workstations automatically sign off if unused for a specified period of inactivity, and evaluate the reasonableness of time period allowed for inactivity. Determine whether users are locked out of the LAN if an invalid password is supplied after several attempts, and ascertain how many times an invalid password can be supplied prior to lockout. Determine whether an Intruder Detection mechanism is active. If so, determine a) the standard lockout period, and b) whether any users have different lockout periods defined which could circumvent the Intruder Detection system. Identify significant LAN security exposures. Novell NetWare provides a command, which identifies significant security exposures. Request the LAN administrator to execute the SECURITY command while signed on to the LAN as the administrator so that a report, which lists any exposures defined by Novell will be generated. Refer to the Novell System Administrators guide for an explanation of the items identified, obtain explanation for all exceptions identified on the report from the LAN administrator, and examine supporting documentation for the exceptions. Obtain the user list from the LAN administrator if not done above. Novell also provides the ability to list all users on the LAN using the SYSCON utility. For a sample of users, obtain a copy of the user profile and determine that the parameters are appropriately established for that user according to the policies identified in step 1 above. Examine supporting documentation for all deviations or exceptions from the policies. Determine the reasonableness of all users who have the security equivalence of Administrator, and review supporting documentation for all such users.

Page 4 of 6

Sidat Hyder Morshed Associates (Pvt.) Limited Management Consultants Representing Andersen Worldwide, SC in Pakistan

Computer Risk Management Audit Program 10 Determine through inquiry and observation if the LAN administrator uses the SECURITY command and audit logs to monitor security violations and exceptions. Notes: Use of the LAN should be restricted to authorized users. The LAN administrator is typically responsible for administering security. The audit steps indicated above are designed to accumulate evidence that access to the LAN is restricted to authorized users and that controls are maintained over time through effective use of passwords and security administration. G LAN RESOURCES SECURITY Objective: To determine whether LAN resources (e.g., data files, programs and devices) are sufficiently restricted to authorized users. Audit Procedres 1 Determine through inquiry and review of relevant documentation what the policies and procedures are to restrict access to files to authorized users. Determine whether the files used for critical applications on the LAN have specific access requirements, and whether such requirements are adequate. For the directories containing critical application files and programs, and for other directories selected on a test basis, evaluate the Trustee Rights using SYSCON and the Directory Rights using the FILER utility programs. Review supporting documentation for all access to critical applications and all unusual access to any resource. [In a Novell LAN, the utility programs SYSCON and FILER will allow the auditor to identify all users who have access to a specific directory and what their specific access rights are.] Determine whether audit logs are created for any specific files or resources, and who reviews the logs. Determine through observation whether the reviews are performed on a timely basis and that appropriate follow-up action is taken. Determine whether the appropriate access rights are assigned to the directories, which contain Novell operating system resources as identified and recommended in the System Administration manual. Obtain explanations and review supporting documentation for exceptions to the recommended access rights. [The SECURITY command will identify all users who have access rights to these directories greater than what is recommended.] Notes: Access to certain LAN resources may need to be restricted. If critical applications are processed on the LAN, the programs and data files, which support that application should be restricted to authorized users. Most LAN operating systems provide a mechanism to restrict access to files.

Page 5 of 6

Sidat Hyder Morshed Associates (Pvt.) Limited Management Consultants Representing Andersen Worldwide, SC in Pakistan

Computer Risk Management Audit Program

LAN COMMUNICATIONS SECURITY Objective: To determine whether unnecessary exposures exist due to the communications capabilities on the LAN. Audit Procedures:

Gain an understanding of the organizations policies and procedures regarding communications capabilities. Verify that all dial-in capability requires appropriate controls. Typically, an additional user ID and password is required, and dial-back controls may be employed. Other secure authentication mechanisms may be used to beef up the dial-in security. Determine whether the organization allows a user to install a modem on a workstation, and what controls are in place to prevent dial-in access to the LAN through individual workstations. If products like PC Anywhere are used, and the workstation or user has access to a host computer, exposure exists for unauthorized access to the host through the LAN. Verify that all dial-in access points on the LAN provide additional security such as a dial-in password or dial-back capability. Evaluate whether these countermeasures adequately protect the LAN from unauthorized access. Risks: Communications capabilities may provide opportunities for unauthorized access to the LAN or to other computing resources, such as a mainframe or other host computer, if not properly controlled.

Page 6 of 6

Sidat Hyder Morshed Associates (Pvt.) Limited Management Consultants Representing Andersen Worldwide, SC in Pakistan