LAN (Local Area Network) AUDIT PROGRAM

Basic Audit Objectives

A. LAN Standards
   Management must provide standards for the effective and efficient operation of the end user environment.

B. LAN Data Security
   To ensure that proper controls are in effect for the security of organization data files and program libraries.

C. System Administration and Operations
   To verify that procedures and controls exist to ensure that the system functions effectively and efficiently in all phases of operations and maintenance in order to provide maximum system availability and performance.

D. Systems and Programming Controls
   To verify that management is exercising proper control over the installation, maintenance, and use of vendor and user developed software resident on the LAN.

E. Physical Security and Environment
   To ensure procedures and equipment are in use to provide adequate physical security for the computer equipment, including theft, vandalism, fire detection and prevention, and to ensure that environmental conditions support the requirements of the operation of the system hardware.

F. Contingency Planning
   To ensure that an adequate plan exists for the timely and logical recovery of processing operations following some sort of interruption.

G. Communications Security for the LAN
   To ensure that management has instituted policies and procedures that will protect sensitive data from being changed, intercepted, or unprotected on the LAN.

H. Training and User Education
   To ensure that operators, staff and users of the system are adequately trained in the effective and efficient use of system resources.

Preplanning and Preliminary Field Work

The preplanning process and the preliminary field work should be conducted in order to provide basic information that will assist in refining the scope and the detail of the Audit Objectives. During preliminary field work, the risk assessment should be reviewed to determine the level of detail required to adequately identify and document control weaknesses.

1. Obtain current copies of previous financial audits or EDP audits for the subject department or division.
2. Obtain a list of currently employed personnel from the personnel department.
3. Meet with management to discuss and review the requests for information, which should include the following:
   a. Organizational chart for the business unit.
   b. Job descriptions for all personnel who manage, administer, service, support or operate the system software/hardware. Include all development-related staff, programmers, analysts, technicians, trainers as well as security administrators.
   c. Departmental information systems policies and procedures, including operations manual and user guides.
   d. A descriptive inventory listing for all hardware and software in use. For all system software and utilities include current version number and patch history if applicable.
   e. A copy of a hardware configuration diagram including ALL connections to the LAN: topology, servers, communications gear, workstations, bridges, repeaters, protocol converters etc.
   f. A telecommunications network diagram and supporting schedule listing type of circuit, circuit ID, line ID, logical definition, and location of the corresponding termination. If the terminus is not company owned and operated equipment, provide specific details of the connection and a copy of any agreement or contract governing the operation, use or maintenance of the identified circuit. Provide a brief description of the business reasons for all connections to the LAN.
   g. Provide copy of any "service level agreements" with corporate telecommunications or systems departments.
   h. Provide copy of current contingency plan.
   i. Provide information about all licensing agreements, service and maintenance contracts for both hardware and software.
   j. Provide copy of facility floor plan and electrical/telecommunications wiring plan (as built, if available).
   k. Provide information on all recognized "applications" and "programs" residing on the LAN (server or workstation). Briefly describe business function, products involved, developer/manufacturer, proponent's name/function, number of users accessing the application, and known value of data and programs. Note any special hardware or connectivity associated with each application.
   l. Make appropriate arrangements for an ID on the LAN with supervisor equivalence or server administrator access privileges. Obtain permission to use a workstation with a locally attached printer in an area with adequate workspace, lighting etc. Inform management of other access requirements that will be required during the preliminary and actual audit field work.

Detailed Audit Objectives

A. LAN Standards - Management must provide standards for the effective and efficient operation of the end-user environment.

1. Who is responsible for the daily operation of the LAN?
2. Are there written procedures and assigned responsibilities that include:
   a. initial start-up instructions?
   b. monitoring the performance and usage of the LAN?
   c. hardware malfunctions?
3. Verify that the department has a policies, procedures, and standards manual. Determine that it is current and effectively communicated to appropriate personnel and that the following areas have been documented:
   a. Department and corporate policies and procedures.
   b. A brief description of each application being run on the LAN.
   c. Computer operator procedures (such as start-up and shutdown).
   d. Tape and disk management.
   e. Backup procedures and policies.
   f. Emergency procedures.
   g. Stock paper and negotiable instrument control procedures.
   h. Contingency planning.
4. Has management developed procedures and standards defining what levels of information should be classified as sensitive, in order to define the difference between sensitive/critical and shared data?

B. LAN Data Security - To ensure that proper controls are in effect for the security of corporate data and program libraries.

1. Does segregation of duties exist between the function of LAN administration and LAN security administrator, or are they the same person?
2. Determine that all users on the LAN must enter a login ID and password to access the LAN and that appropriate password/login controls are in force.
   a. Are the passwords hidden when entered?
   b. Are the passwords encrypted at the workstation before being sent to the server for verification?
   c. Does the system force the user to change passwords on a regular basis; are IDs disabled if passwords are not changed?
   d. Does the system prevent passwords from being reused; are users prevented from changing back to previously used passwords?
   e. Are new users forced to enter a new password on initial login (pre-expired at first login)?
   f. Are minimum password lengths enforced by the system?
   g. Are passwords stored as clear text anywhere on the LAN, including the workstations?
   h. Are user IDs logged off the network after a period of inactivity?
   i. Are "group" or shared ID/passwords permitted on the LAN?
   j. Do employees sign a corporate systems policy statement acknowledging responsibility for confidentiality of information and secrecy of passwords?
   k. Are users educated about guidelines for establishing secure passwords?
   l. Are vendor, contractor or temporary employee IDs set to pre-expire at the end of their contracts?
   m. Are vendors, contractors or temporary employees restricted to appropriate login days and times?
   n. Are vendors, contractors or temporary employees restricted to specific workstations?
   o. Are vendors, contractors or temporary employees required to sign appropriate non-disclosure statements with respect to corporate information they may have access to?
   p. Are IDs disabled after several failed login attempts?
   q. Are users notified of the number of invalid login attempts each time they login?
3. Are there password/login audit trails that show activity such as:
   a. Logins/logouts (location, date/time, user ID)
   b. Type of access (dial, internetwork, WAN, workstation, etc.)
   c. Invalid access attempts (location, date/time, ID)
   d. System expired IDs
   e. Logouts due to inactivity?
4. Are audit trails maintained for a reasonable period of time?
5. Are exception reports produced from audit trails and reviewed by management on a timely basis?
6. Does the LAN software prevent access by unauthorized users to LAN services (gateways, dial-out, WAN, etc.)?
7. Does the LAN software prevent access by unauthorized users to sensitive system functions (such as security administration, monitoring, "server console" operations, enabling/disabling services, etc.)?
8. Are users granted access ONLY to disks, volumes, directories and files for which they are specifically authorized?
9. Are users able to "load and run" ONLY those executables for which they are specifically authorized?
10. Identify all software security controls that are not integral to the LAN O/S; evaluate effectiveness and verify that only authorized persons can configure or defeat provided control features.

C. System Administration and Operations - To verify that procedures and controls exist to ensure that the system functions effectively and efficiently in all phases of operations and maintenance in order to provide maximum system availability and performance.

1. Are system administration and operations procedures documented and current?
   a. Are the roles and responsibilities assigned to each position and function clearly defined?
   b. Determine the extent of segregation of duties in key functions. Are they appropriate to the business risks associated with the functions and applications that reside on the system?
2. Do adequate procedures exist for problem management and resolution?
   a. How are problems tracked and status reported?
   b. Do appropriate escalation procedures exist to ensure appropriate response to system problems?
   c. Are vendor responsibilities documented in the problem management procedures?
3. Review the problem resolution log and determine if:
   a. Problems are recurring on a frequent basis.
   b. Resolution time frames meet objectives.
   c. Any problems represent a breakdown in system controls.
4. Check for the existence of system maintenance logs for network equipment and servers.
   a. Do logs reflect that an adequate program of periodic preventive maintenance is in place?
   b. Does the log reflect entries for performance capacity monitoring? If not, check to see if the system itself maintains a log.
5. Identify all system generated logs. Determine if they are being used to track performance, capacity and transmission quality.
   a. Verify that procedures exist to periodically review the logs.
   b. Verify that procedures exist to respond to system-identified problems or efficiency degradation.
6. Determine if procedures exist for operations staff to manage change control.
7. Determine if procedures exist to inform (and train if necessary) users when system changes occur.

D. Systems and Programming Controls - To verify that management is exercising proper control over the installation, maintenance, and use of vendor- and user-developed software resident on the LAN.

1. What software applications are running on the LAN?
2. For vendor-supplied packages determine that the following items can be provided by the LAN Administrator:
   a. License agreement.
      - Usage costs.
      - Number of authorized copies allowed.
   b. Maintenance agreement.
      - Vendor technical support.
      - Allowed modifications that can be made by company personnel.
   c. User documentation.
      - User operating instructions.
      - Technical documentation.
   d. Software acquisition and use policies.
3. Verify the following (change control):
   a. The LAN program change process conforms to corporate program change-control procedures and standards.
   b. The program change control for the LAN is adequate.
   c. The techniques used to monitor program change control are adequate.
   d. Do general systems change control procedures take into account the impact on the business, including system availability, user impact, system efficiency and currency of documentation/manuals?
   e. Determine if adequate procedures exist to inform, train and assist operations staff in the implementation and support of changes in the system environment.
4. For the LAN operating system and utilities, determine that the following can be provided:
   a. Maintenance information.
      - Technical support group which supports the product.
      - Provisions for receiving operating system fixes, enhancements and upgrades.
      - Availability of manufacturer's direct support or alternative vendor support.
      - Contract or agreement governing maintenance procedures and service response availability.
   b. User documentation.
      - Current technical and reference documentation available for operation, administration and use of the LAN system software and utilities.
5. Determine if adequate test procedures exist for all changes to the system environment.
   a. Do procedures exist to test and implement operating system upgrades, patches, fixes and enhancements?
   b. Do procedures exist to test and implement application upgrades, fixes, and enhancements?
   c. Do procedures exist to test and implement the introduction of new productivity tools and programs?
   d. Do procedures exist to test and implement changes in the physical environment?
   e. Does an adequately configured test system exist with appropriate isolation from the "production" environment?
   f. If a separate, isolated test system does not exist, does a logical test system exist? Do appropriate and adequate controls exist to prevent significant impact to system efficiency or availability?
   g. Are there specific procedures in place to guard against the introduction of "virus" or otherwise tainted executable programs in the test and production environments?

E. Physical Security and Environment - To ensure procedures and equipment are in use to provide adequate physical security for the computer equipment, including theft, vandalism, fire detection and prevention. To ensure that environmental conditions are adequate to support the requirements of the operation of the system hardware.

1. Verify that the physical security provided for servers and configurable communications/networking equipment is adequate.
   a. Verify that all servers are secured in an area inaccessible to all but authorized systems personnel. How is access authorized? How is access controlled and monitored?
   b. Verify that all equipment provided with physical locking devices is properly secured. Are keys properly secured, but accessible for authorized personnel? Are duplicates properly stored and secured?
   c. Verify that unrelated equipment and supplies are not stored in the secured area.
2. Verify that the physical security provided for LAN distribution equipment is adequate.
   a. Verify that all major, primary distribution equipment is in controlled access areas.
   b. For secondary distribution equipment (small clusters), determine that equipment is properly protected from accidental disconnection or disturbance.
   c. For high risk application areas, verify that all distribution equipment is:
      - Protected from unauthorized physical access.
      - Protected from unauthorized monitoring by use of appropriate sheathing, conduit or properly installed media.
      - Covered by procedures to detect and defeat unauthorized physical access to the distribution system.
   d. Verify that all workstation distribution cabling and connections are installed properly and secured to prevent accidental disconnection or disturbance.
3. Determine if physical workstation security is appropriate and adequate.
   a. How is unauthorized removal of workstation equipment prevented?
   b. How is physical access controlled and monitored for workstations identified as sensitive or high risk?
4. How is physical access by vendors to LAN equipment controlled and monitored, including all equipment referenced in items 1-3 above?
5. Do environmental conditions meet equipment specifications, including:
   a. Electrical supply, including UPS and emergency power and conditioning equipment.
   b. HVAC systems and controls.
   c. Static control.
6. Determine that fire protection equipment is adequate and appropriate for the system.
   a. Is protection for onsite stored system media adequate?
7. Determine if onsite storage of all system media is adequate to prevent unauthorized access.
   a. Server software and backup media.
   b. Workstation media.
8. Determine if access to printers and printed output is properly controlled and monitored.
   a. Determine all defined locations of printed output for network-defined printers.
   b. What physical safeguards exist for sensitive printed output?
   c. What procedures exist for managing the physical distribution of printed output?

F. Contingency Planning - To ensure that an adequate plan exists for the timely and logical recovery of processing operations following some sort of interruption.

1. Determine if a written contingency plan has been developed for the possible loss of the LAN, and does it include:
   a. securing data files?
   b. procedures for varying levels of emergency or processing interruptions (i.e., short-term manual mode)?
   c. system application recovery procedures?
   d. a list of documentation and files to be maintained off-site?
2. Perform an inventory of all items stored at the off-site location.
3. Has the plan been tested in simulation on a frequent basis? What policies or procedures exist to ensure the currency of the plan relative to system and/or application changes?

G. Communications Security for the LAN - To ensure that management has instituted policies and procedures that will protect sensitive data from being changed, intercepted, or unprotected on the LAN.

1. Determine that internal controls are adequate to prevent:
   a. incomplete transmission
   b. misrouting
   c. unauthorized message alteration
   d. unauthorized disclosure
   e. message duplication
2. Determine that communication security is built into the communications links on the LAN. Such security includes:
   a. software packages
   b. encryption devices
   c. hardware features for the LAN and other processing devices.
3. Determine how the microcomputers are connected to each other and to other processing entities:
   a. Modems (direct, dial-up, dial-back)
   b. Hardwire (direct connect)
   c. Leased lines.
4. Review the access and implementation controls over the following communications hardware/software processing functions:
   a. Network change control
   b. Dial-up access
   c. Network activity logging
   d. Data encryption
5. Determine that controls are in place to ensure that data integrity is maintained during data transfer from the LAN to other processing entities:
   a. What is the message authentication procedure?
   b. How is the accuracy and completeness of transmission assured?
   c. For data up/down loading, how are batches identified, screened, and approved on the LAN?

H. Training and User Education - To ensure that operators, staff and users of the system are adequately trained in the effective and efficient use of system resources.

1. Are policies and procedures in place to ensure adequate technical training of the users, operators and staff?
2. Does adequate documentation exist for use in training and as reference material for all system and application functions?
3. Are security and control concerns part of the education and training programs for the users, staff and operators of the system?
4. How are corporate information systems policies communicated to company personnel relative to training programs and materials?
5. How are changes to the system accounted for in training and education programs, including documentation and work aids?
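The password/login controls in section B.2 and the audit-trail and exception-report questions in B.3 through B.5 are the parts of this program an auditor can test mechanically once the LAN's account settings and login log are in hand. The following Python script is an added example, not part of the original audit program and not any vendor's tool: it scores a transcribed set of account-policy settings against the B.2 questions, then parses a login audit trail and produces the kind of exception report B.5 asks management to review. The policy keys, the six-field log format, the sample records and the numeric thresholds (8-character minimum, 90-day expiry, history depth 5, 30-minute inactivity logoff, 5 failed attempts) are all constructed assumptions for illustration; a real engagement would substitute the organization's standard and the LAN operating system's actual log layout.

```python
"""Added example: audit helper for section B (password controls, audit trail,
exception report). Settings keys, log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed account-policy settings, as an auditor might transcribe them
# from the server's security administration screen (keys are assumptions).
SAMPLE_POLICY = {
    "password_hidden_on_entry": True,        # B.2.a
    "password_encrypted_in_transit": False,  # B.2.b
    "max_password_age_days": 0,              # B.2.c (0 = never expires)
    "password_history_depth": 3,             # B.2.d
    "pre_expire_new_accounts": True,         # B.2.e
    "min_password_length": 4,                # B.2.f
    "inactivity_logoff_minutes": 0,          # B.2.h (0 = disabled)
    "lockout_after_failed_attempts": 0,      # B.2.p (0 = no lockout)
}

# Assumed minimum standard; an audit program would cite the corporate one.
MIN_PASSWORD_LENGTH, MAX_PASSWORD_AGE_DAYS, MIN_HISTORY_DEPTH = 8, 90, 5
MAX_INACTIVITY_MINUTES, MAX_FAILED_ATTEMPTS = 30, 5
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59, assumed (B.2.m)
SHARED_ID_HINTS = ("shared", "group")    # assumed naming convention (B.2.i)


def check_password_policy(policy):
    """Return (control, finding) pairs for each B.2 control the settings fail."""
    in_range = lambda v, hi: 0 < v <= hi  # 0 means the control is switched off
    rules = [
        ("B.2.a", "passwords echoed on entry", lambda p: p["password_hidden_on_entry"]),
        ("B.2.b", "passwords sent to server in clear text", lambda p: p["password_encrypted_in_transit"]),
        ("B.2.c", "no or too-long password expiry", lambda p: in_range(p["max_password_age_days"], MAX_PASSWORD_AGE_DAYS)),
        ("B.2.d", "password reuse not adequately prevented", lambda p: p["password_history_depth"] >= MIN_HISTORY_DEPTH),
        ("B.2.e", "new accounts not pre-expired", lambda p: p["pre_expire_new_accounts"]),
        ("B.2.f", "minimum password length too short", lambda p: p["min_password_length"] >= MIN_PASSWORD_LENGTH),
        ("B.2.h", "no inactivity logoff", lambda p: in_range(p["inactivity_logoff_minutes"], MAX_INACTIVITY_MINUTES)),
        ("B.2.p", "IDs not disabled after repeated failed logins", lambda p: in_range(p["lockout_after_failed_attempts"], MAX_FAILED_ATTEMPTS)),
    ]
    return [(ctl, msg) for ctl, msg, ok in rules if not ok(policy)]


# Constructed login audit-trail lines in an assumed format:
#   <date> <time> <event> <result> <user id> <location>
SAMPLE_AUDIT_TRAIL = """\
1994-03-01 08:02:11 LOGIN ok jsmith WS-112
1994-03-01 08:05:40 LOGIN fail badams WS-117
1994-03-01 08:05:52 LOGIN fail badams WS-117
1994-03-01 08:06:03 LOGIN fail badams WS-117
1994-03-01 08:06:20 LOGIN fail badams WS-117
1994-03-01 08:06:41 LOGIN fail badams WS-117
1994-03-01 08:07:00 LOGIN ok badams WS-117
1994-03-01 12:30:05 LOGOUT inactivity jsmith WS-112
1994-03-01 23:48:19 LOGIN ok temp_vendor DIAL-3
1994-03-02 09:00:00 LOGIN ok acctg_shared WS-120
1994-03-02 09:01:15 EXPIRED - cjones WS-130
"""


def parse_audit_trail(text):
    """Split the B.3 fields (who, when, where, what kind of access) out of each line."""
    records = []
    for line in text.splitlines():
        if line.strip():
            date, time_, event, result, user, location = line.split()
            records.append({"when": datetime.strptime(date + " " + time_, "%Y-%m-%d %H:%M:%S"),
                            "event": event, "result": result, "user": user, "location": location})
    return records


def exception_report(records):
    """Build the B.5 exception report: items a reviewer should look at, by category."""
    report, consecutive_failures = defaultdict(list), defaultdict(int)
    for r in records:
        user, when = r["user"], r["when"]
        if r["event"] == "LOGIN" and r["result"] == "fail":
            consecutive_failures[user] += 1
            if consecutive_failures[user] == MAX_FAILED_ATTEMPTS:
                report["failed_login_threshold_reached"].append(user)
        elif r["event"] == "LOGIN" and r["result"] == "ok":
            if consecutive_failures[user] >= MAX_FAILED_ATTEMPTS:
                # Evidence against B.2.p: the ID kept working after repeated failures.
                report["login_succeeded_after_threshold"].append(user)
            consecutive_failures[user] = 0
            if when.hour not in BUSINESS_HOURS:
                report["off_hours_login"].append((user, when.strftime("%Y-%m-%d %H:%M")))
            if any(hint in user for hint in SHARED_ID_HINTS):
                report["shared_id_login"].append(user)
        elif r["event"] == "EXPIRED":
            report["expired_id"].append(user)
        elif r["event"] == "LOGOUT" and r["result"] == "inactivity":
            report["inactivity_logoff_evidence"].append(user)  # positive evidence for B.2.h
    return dict(report)


if __name__ == "__main__":
    for control, finding in check_password_policy(SAMPLE_POLICY):
        print(control, "-", finding)
    for category, items in exception_report(parse_audit_trail(SAMPLE_AUDIT_TRAIL)).items():
        print(category, items)
```

On the constructed data the policy check reports B.2.b, c, d, f, h and p as failures, and the exception report flags the five consecutive failures for one ID followed by a successful login (which shows the lockout in B.2.p is not enforced), an off-hours dial-up login by a temporary ID, use of a shared ID, and an expired ID; the inactivity logoff is listed as supporting evidence for B.2.h. The point of keeping the thresholds in named constants is that the same script can be re-run against the organization's own standard once it is known.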