iFour Consultancy Information Security Audit Checklist

IS Audit Checklist- by Software development company in india


Page 1: IS Audit Checklist- by Software development company in india

iFour Consultancy

Information Security Audit Checklist


Basic stages and workflow of IS Audit

Software Consultancy India http://www.ifourtechnolab.com


Table of Contents

ISO for Software Outsourcing Companies in India

Sr. No. Particulars

1 List of documents for understanding the Information System of the auditee.

2 Criticality Assessment Tool

3 Collection of specific information on Information System

4 Risk assessment

5 General controls

6 Input controls

7 Processing controls

8 Output controls

9 IT security



Documents for understanding Information System


Sr. No. List of documents

1 Brief background of the organization

2 Information security objectives

3 Scope document of Information System

4 Organizational chart with details of reporting responsibilities

5 Information security policy

6 Risk assessment process

7 Statement of Applicability

8 Risk treatment plan and process

9 Risk assessment and Risk treatment results

10 Evidence of monitoring and measurement results

11 Evidence of implementation of audit program

12 Evidence of results of management reviews

13 Previous audit and internal audit reports

14 Evidence of results of any corrective action



Criticality Assessment Tool

Questions asked: Does the system relate to any of the following operations?

Business-critical operations

Support functions

What is the amount of investment made in the system?

Number of PCs/desktops used in the system?

Is the system on the network?

How dependent is the organization on the system?

Does the system link to third parties?

Does the system have dedicated IT staff?

How many end-users does the system have?

For how long has the system been in operation?

Does the system have a documented and approved DRP (disaster recovery plan)?

What is the volume of data used by the system?


Collection of specific information on IS

Information to be collected includes:

Name of the system and the broad functional areas covered by the system

Department head of the organization

Location of the system installation

Category of the system architecture

Whether the system affects financial or accounting aspects of the organization

Software used by the system

Is the system mission critical?

Is the system in-house or has it been outsourced? (If outsourced, collect information on that company.)


Collection of specific information on IS (continued)

Total persons involved in the system

Does the system documentation provide an audit trail of all transactions?

Are system manuals available?

Details of hardware items employed by the system

What is the projected cost of the system?

When was the system made operational?

Total investment made in the system, based on the categories of items used


Risk assessment

The risk assessment is classified into 4 categories:

Management & Organization

HR Policy

Security

Physical & Logical access


Risk assessment – Management & Organization

Questions asked: Is there a strategic IT plan prepared by the organization based on business needs?

Does the IS department have clear-cut and well-defined goals?

Does management provide appropriate direction on the security objectives of the system?

If the system uses third-party data, does the organization have procedures in place to address the associated risks?

Are there procedures to update the strategic IT plan?


Risk Assessment – HR policy

Questions asked: Are there criteria for recruiting and selecting personnel?

Is training need analysis done at a particular interval?

Is the organization’s security clearance process adequate?

Are responsibilities and duties clearly defined?

Is backup staff available in case of absenteeism?



Risk assessment – Security

Questions asked: Is there a data classification schema in place?

Is there a user security profile system in place to determine access on a ‘need to know’ basis?

Is there a password policy?

Have preventive and detective control measures been established by management?

Is there a centralized security organization responsible for ensuring only appropriate access to system resources?


Risk assessment – Physical & Logical Access

Questions asked: Is facility access limited to the least number of people?

Is there a periodic and ongoing review of access profiles, including managerial review?

Is physical security addressed in the continuity plan?

Are health, safety and environmental regulations being complied with?

Is there a system for reviewing fire, weather and electrical warning and alarm procedures, and the expected response scenarios for various levels of environmental hazard?


General Controls

To check whether proper controls have been implemented or not. These controls need to be viewed in relation to their impact on the efficiency, security or effectiveness of the system.

Questions asked: Are there procedures for monitoring the implementation of the strategic plan?

Are current IT activities consistent with the plan?

Is documentation complete and in a current state?

Do the security procedures cover the designation and duties of the security officer?

Are security breaches immediately reported for appropriate action?

Are the objectives, scope and requirements of acquisition clearly defined and documented?


Input Controls

Questions asked: Are the methods of data entry and conversion well documented?

Are all the documents accounted for, and if so, what method is used?

Is there a system of documents being signed or marked to prevent reuse of data?

Is there a system of escalation of reports to higher levels if conditions deteriorate?

Does the system provide an error message for every type of error that fails validation?


Processing Controls

Questions asked: Do documented procedures exist explaining the methods for proper processing of each application program?

Is the history log displayed on the console?

Does the computer program logic have built-in standardized default options?

Are version control procedures in place, ensuring that processing is done on the proper version of the file?

Are the error messages clear and short, communicating the nature of the error so as to give appropriate guidance to the user?


Output Controls

Questions asked: Is the user department responsible for the correctness of all output?

Examine whether documented methods are in place for the proper handling and distribution of output.

Examine the system of forward linkage to trace a transaction from its origin to its final output stage.

Are output audit trail logs maintained and periodically reviewed by supervisors to ensure the accuracy of the output generated?


IT security

Sections considered:

Security Policy

Organizational security

Asset classification and control

Personnel security

Physical & Environmental security

Communications & Operations management

Access Control

System development and maintenance

Business continuity management

Compliance


References

http://www.icisa.cag.gov.in/Background%20Material-IT%20Environment/IT-Audit-Manual/Vol-3.pdf