LAN AUDIT PROGRAM

SUBMITTED BY: Joseph I. Lee, IS Auditor, Ohio State University, Lee.98@osu.edu

I agree with you. Here is my LAN audit program I used in my recent LAN audit (it is based on the "Control Objectives" and the other ICQs).

-------------------------------------------------------------

INTERNAL CONTROLS QUESTIONNAIRE -- Local Area Network (LAN)

I. LAN Management Controls

Management should assure that any LAN used by the organization is designed properly and that its use is controlled adequately.

A. Network Management Policies

CONTROL OBJECTIVE: The organization's senior management should establish policies that address the selection, acquisition and installation of LANs.

1. Are there any written policies concerning LAN management controls?
2. If so, obtain copies of the documents. Do these policies and guidelines have adequate controls addressing the following concerns?
   a. Procedures to be followed in the selection, acquisition and installation of LANs?
   b. Standards of network architecture to be supported?
   c. Guidelines for the cost-benefit analysis of a LAN architecture?
   d. Documentation of the actual LAN installation?
   e. Data security and confidentiality?
   f. Backup and recovery guidelines (off-site)?
   g. File naming conventions?
   h. Hardware and software inventory controls?
3. Are these policies and guidelines distributed to the appropriate levels of management?
4. Has management developed a strategic plan for utilizing LAN technology?
5. Is segregation of duties appropriate within the EDP groups?
6. Is vendor reliability/support considered before purchasing LAN hardware and software?

B. Network Support and Management

CONTROL OBJECTIVE: Sufficient network management and support should be provided to ensure the uninterrupted, reliable operation of a LAN.

1. Are there established procedures for periodic reviews of the capacity of a LAN to provide users with adequate response time and sufficient disk data storage space?
2a. Is adequate technical support for problem resolution available for LAN users?
2b. Is the LAN Administrator experienced in and familiar with operation of the LAN facility?
   - Is he responsible for troubleshooting LAN problems?
   - Does he maintain a log of LAN downtime?
2c. Does the LAN Administrator have a backup person?
2d. Is there a documented schedule of operation for cyclical applications?
3. Do the existing LAN maintenance procedures include periodic assessments of network performance, including LAN utilization, to prevent problems?
4. Is there scheduled preventive maintenance on the components?
5. Does a training program exist for the LAN Administrator and users of the LAN?

C. Network Change Control

CONTROL OBJECTIVE: The organization's senior management should establish controls over changes to the configuration of a LAN that will assure its continued satisfactory operation.

1. Is the process used in changing the configuration of a LAN documented?
2. Are any needed backup procedures considered before a change to a LAN is implemented?
3. Is adequate notice given to LAN users before a network change is made?

II. LAN Security

Management must ensure that adequate controls have been implemented to provide both logical security and physical security.

A. Network Logical Security

CONTROL OBJECTIVE: The organization's senior management should establish procedures that ensure the addition, change, or deletion of access capabilities within a LAN is based on the information needs of the network's users.

1a. Is a standard form used to document requests for the addition, change or deletion of LAN access capabilities?
1b. If so, does this form include the review and approval process before changes are made?
2. Is an adequate security management process established to support changes to LAN user access profiles?
   - Access control via user accounts, use/change of passwords?
   - Data and/or passwords encrypted?
   - Audit trail of log-in and log-out?
   - Diskless workstations?
   - Workstation disabled after 3-6 unauthorized logon attempts?
   - Off-site log-on capability restricted?
   - Automatic logoff after a short period of inactivity?
   - Monitoring access/use of LAN resources?
   - Personnel practices?
3. Are access privileges granted based on a LAN user's need to know?
4. Is there an automated method for restricting, identifying and reporting authorized/unauthorized users of the LAN?

B. Network Physical Security

CONTROL OBJECTIVE: Adequate controls should be established to ensure that the security of a LAN is not compromised by physical threats.

1. Are the transmission media used by a LAN protected adequately?
2. Is the LAN server secured from unauthorized individuals?
3. Is the LAN server protected from damage resulting from electric power surges/spikes?
4. Is an uninterruptible power supply connected to the LAN's server?
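Two of the logical-security questions in section II.A (workstation disabled after 3-6 unauthorized logon attempts; automatic logoff after a short period of inactivity) can be tested against the LAN's own audit trail rather than by interview alone. The following is an added example of such an auditor's check; it is not part of the original questionnaire and not taken from any LAN product. The log format ("timestamp|event|user|workstation"), the event names, the sample lines and the thresholds (lockout no later than the 6th failure, 15-minute idle limit) are all assumptions constructed for this example.

```python
"""Added audit helper: review a LAN logon/logoff audit trail against the
lockout and automatic-logoff questions in section II.A of the ICQ.
Log format, event names and thresholds are assumptions for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not real data).
# Assumed format: "timestamp|event|user|workstation"
# Assumed events: LOGON_OK, LOGON_FAIL, LOCKOUT, ACTIVITY, LOGOFF
SAMPLE_LOG = """\
1999-03-01 08:00:00|LOGON_FAIL|jsmith|WS01
1999-03-01 08:00:15|LOGON_FAIL|jsmith|WS01
1999-03-01 08:00:30|LOGON_FAIL|jsmith|WS01
1999-03-01 08:00:45|LOGON_FAIL|jsmith|WS01
1999-03-01 08:01:00|LOGON_FAIL|jsmith|WS01
1999-03-01 08:01:15|LOGON_FAIL|jsmith|WS01
1999-03-01 08:01:30|LOGON_FAIL|jsmith|WS01
1999-03-01 08:01:45|LOGON_OK|jsmith|WS01
1999-03-01 09:00:00|LOGON_FAIL|mjones|WS02
1999-03-01 09:00:10|LOGON_FAIL|mjones|WS02
1999-03-01 09:00:20|LOGON_FAIL|mjones|WS02
1999-03-01 09:00:30|LOCKOUT|mjones|WS02
1999-03-01 10:00:00|LOGON_OK|alee|WS03
1999-03-01 10:05:00|ACTIVITY|alee|WS03
1999-03-01 10:50:00|ACTIVITY|alee|WS03
1999-03-01 11:00:00|LOGOFF|alee|WS03
1999-03-01 13:00:00|LOGON_OK|bkim|WS04
1999-03-01 13:10:00|ACTIVITY|bkim|WS04
1999-03-01 13:25:00|LOGOFF|bkim|WS04
"""


def parse_audit_trail(text):
    """Parse the trail into (timestamp, event, user, workstation) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, event, user, ws = line.split("|")
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), event, user, ws))
    return sorted(events)  # tuples sort on the timestamp first


def check_lockout(events, max_failures=6):
    """Lockout question: after `max_failures` consecutive failed logons the
    workstation/account must be disabled.  Any further logon attempt (failed
    or successful) that the LAN still accepts is reported, once per streak."""
    streak = defaultdict(int)  # (user, ws) -> consecutive failures so far
    findings = []
    for _, event, user, ws in events:
        key = (user, ws)
        if event == "LOCKOUT":
            streak[key] = 0  # the control fired; streak is closed
        elif event in ("LOGON_FAIL", "LOGON_OK"):
            if streak[key] == max_failures:
                findings.append((user, ws, event))  # attempt accepted past the limit
            streak[key] = streak[key] + 1 if event == "LOGON_FAIL" else 0
    return findings


def check_idle_logoff(events, idle_limit_minutes=15):
    """Automatic-logoff question: within an open session, no gap between
    consecutive events may exceed the idle limit, because an automatic logoff
    would have produced a LOGOFF record at the limit."""
    last_seen = {}  # (user, ws) -> timestamp of the last event of an open session
    findings = []
    for stamp, event, user, ws in events:
        key = (user, ws)
        if event == "LOGON_OK":
            last_seen[key] = stamp
        elif event in ("ACTIVITY", "LOGOFF") and key in last_seen:
            gap = (stamp - last_seen[key]).total_seconds() / 60
            if gap > idle_limit_minutes:
                findings.append((user, ws, gap))
            if event == "LOGOFF":
                del last_seen[key]
            else:
                last_seen[key] = stamp
    return findings


def audit_report(text, max_failures=6, idle_limit_minutes=15):
    """Run both checks and return the findings for the working papers."""
    events = parse_audit_trail(text)
    return {
        "lockout": check_lockout(events, max_failures),
        "idle": check_idle_logoff(events, idle_limit_minutes),
    }


if __name__ == "__main__":
    for control, items in audit_report(SAMPLE_LOG).items():
        print(control, "findings:", items if items else "none")
```

Run against the constructed trail, the lockout check flags jsmith (a seventh attempt on WS01 was accepted with no lockout record) and passes mjones (locked out on the third failure), while the idle check flags alee's 45-minute gap on WS03 and passes bkim. Lowering `max_failures` to the bottom of the questionnaire's 3-6 range is how an auditor would test whether the LAN's configured threshold matches the policy actually written down.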